Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
http://https:/e.cdlt.jibjab.com/c2/225:4f16e2ba44501a8a8bf3ed302d09b87f:d240209:65c6bb2428085be667d1bac9:1707522852103/8e54784a?jwtH=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9&jwtP=eyJpYXQiOjE3MDc1MjI5NzQsImNkIjoiLmppYmphYi5jb20iLCJjZSI6ODY0MDAsInRrIjoiamliamFibSIsIm10bElEIjoiNjVjNWRiOTFmNGMwYmEzYjExMGM0Z

Overview

General Information

Sample URL:http://https:/e.cdlt.jibjab.com/c2/225:4f16e2ba44501a8a8bf3ed302d09b87f:d240209:65c6bb2428085be667d1bac9:1707522852103/8e54784a?jwtH=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9&jwtP=eyJpYXQiOjE3MDc1MjI5NzQsI
Analysis ID:1391071
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Creates files inside the system directory
Sigma detected: Suspicious Office Token Search Via CLI
Stores files to the Windows start menu directory

Classification

  • System is w10x64
  • chrome.exe (PID: 6556 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 2132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 --field-trial-handle=2532,i,1680531711560861017,17543554451149963471,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 2316 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "http://https:/e.cdlt.jibjab.com/c2/225:4f16e2ba44501a8a8bf3ed302d09b87f:d240209:65c6bb2428085be667d1bac9:1707522852103/8e54784a?jwtH=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9&jwtP=eyJpYXQiOjE3MDc1MjI5NzQsImNkIjoiLmppYmphYi5jb20iLCJjZSI6ODY0MDAsInRrIjoiamliamFibSIsIm10bElEIjoiNjVjNWRiOTFmNGMwYmEzYjExMGM0ZWU4IiwibGlua1VybCI6Imh0dHBzOlwvXC93d3cuamliamFiLmNvbVwvdmlld1wvbWFrZVwvYWRkaWN0ZWRfdG9fbG92ZV9yb2JlcnRfcGFsbWVyX2Fubml2ZXJzYXJ5XC80M2M2NzZkYi0yY2IxLTQ3Y2EtOTA1NS1iMjg0N2VkNTgyNWY_cmVjaXBpZW50X3Rva2VuPTE2ZjNlOTk0LTBkZDgtNDc5Yi1iOTE3LTRhOTJlN2FiMWQxYyZ1dG1fY2FtcGFpZ249dHhfcmVjaXBpZW50X25vdGlmaWNhdGlvbiZ1dG1fdGVybT0mdXRtX3NvdXJjZT1jb3JkaWFsJnV0bV9tZWRpdW09ZW1haWwifQ&jwtS=eOhWS_qON4C7Pn_vFN9iXDtpYuHwzoYSTCcLc-Ce86o__;!!EhqYCQ!cHK5TxT8glt9qsWTQaBnSDPNius5-SdyQMZ78XjuGJ7hEnpIkoW7Wm8RBPEiYsdL79SvidfZc1DWgCTnKDTKz0SxG5Y$%20urldefense.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Program Files\Google\Chrome\Application\chrome.exe" "http://https:/e.cdlt.jibjab.com/c2/225:4f16e2ba44501a8a8bf3ed302d09b87f:d240209:65c6bb2428085be667d1bac9:1707522852103/8e54784a?jwtH=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9&jwtP=eyJpYXQiOjE3MDc1MjI5NzQsImNkIjoiLmppYmphYi5jb20iLCJjZSI6ODY0MDAsInRrIjoiamliamFibSIsIm10bElEIjoiNjVjNWRiOTFmNGMwYmEzYjExMGM0ZWU4IiwibGlua1VybCI6Imh0dHBzOlwvXC93d3cuamliamFiLmNvbVwvdmlld1wvbWFrZVwvYWRkaWN0ZWRfdG9fbG92ZV9yb2JlcnRfcGFsbWVyX2Fubml2ZXJzYXJ5XC80M2M2NzZkYi0yY2IxLTQ3Y2EtOTA1NS1iMjg0N2VkNTgyNWY_cmVjaXBpZW50X3Rva2VuPTE2ZjNlOTk0LTBkZDgtNDc5Yi1iOTE3LTRhOTJlN2FiMWQxYyZ1dG1fY2FtcGFpZ249dHhfcmVjaXBpZW50X25vdGlmaWNhdGlvbiZ1dG1fdGVybT0mdXRtX3NvdXJjZT1jb3JkaWFsJnV0bV9tZWRpdW09ZW1haWwifQ&jwtS=eOhWS_qON4C7Pn_vFN9iXDtpYuHwzoYSTCcLc-Ce86o__;!!EhqYCQ!cHK5TxT8glt9qsWTQaBnSDPNius5-SdyQMZ78XjuGJ7hEnpIkoW7Wm8RBPEiYsdL79SvidfZc1DWgCTnKDTKz0SxG5Y$%20urldefense.com, CommandLine: C:\Program Files\Google\Chrome\Application\chrome.exe" "http://https:/e.cdlt.jibjab.com/c2/225:4f16e2ba44501a8a8bf3ed302d09b87f:d240209:65c6bb2428085be667d1bac9:1707522852103/8e54784a?jwtH=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9&jwtP=eyJpYXQiOjE3MDc1MjI5NzQsImNkIjoiLmppYmphYi5jb20iLCJjZSI6ODY0MDAsInRrIjoiamliamFibSIsIm10bElEIjoiNjVjNWRiOTFmNGMwYmEzYjExMGM0ZWU4IiwibGlua1VybCI6Imh0dHBzOlwvXC93d3cuamliamFiLmNvbVwvdmlld1wvbWFrZVwvYWRkaWN0ZWRfdG9fbG92ZV9yb2JlcnRfcGFsbWVyX2Fubml2ZXJzYXJ5XC80M2M2NzZkYi0yY2IxLTQ3Y2EtOTA1NS1iMjg0N2VkNTgyNWY_cmVjaXBpZW50X3Rva2VuPTE2ZjNlOTk0LTBkZDgtNDc5Yi1iOTE3LTRhOTJlN2FiMWQxYyZ1dG1fY2FtcGFpZ249dHhfcmVjaXBpZW50X25vdGlmaWNhdGlvbiZ1dG1fdGVybT0mdXRtX3NvdXJjZT1jb3JkaWFsJnV0bV9tZWRpdW09ZW1haWwifQ&jwtS=eOhWS_qON4C7Pn_vFN9iXDtpYuHwzoYSTCcLc-Ce86o__;!!EhqYCQ!cHK5TxT8glt9qsWTQaBnSDPNius5-SdyQMZ78XjuGJ7hEnpIkoW7Wm8RBPEiYsdL79SvidfZc1DWgCTnKDTKz0SxG5Y$%20urldefense.com, CommandLine|base64offset|contains: , Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6108, ProcessCommandLine: C:\Program Files\Google\Chrome\Application\chrome.exe" "http://https:/e.cdlt.jibjab.com/c2/225:4f16e2ba44501a8a8bf3ed302d09b87f:d240209:65c6bb2428085be667d1bac9:1707522852103/8e54784a?jwtH=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9&jwtP=eyJpYXQiOjE3MDc1MjI5NzQsImNkIjoiLmppYmphYi5jb20iLCJjZSI6ODY0MDAsInRrIjoiamliamFibSIsIm10bElEIjoiNjVjNWRiOTFmNGMwYmEzYjExMGM0ZWU4IiwibGlua1VybCI6Imh0dHBzOlwvXC93d3cuamliamFiLmNvbVwvdmlld1wvbWFrZVwvYWRkaWN0ZWRfdG9fbG92ZV9yb2JlcnRfcGFsbWVyX2Fubml2ZXJzYXJ5XC80M2M2NzZkYi0yY2IxLTQ3Y2EtOTA1NS1iMjg0N2VkNTgyNWY_cmVjaXBpZW50X3Rva2VuPTE2ZjNlOTk0LTBkZDgtNDc5Yi1iOTE3LTRhOTJlN2FiMWQxYyZ1dG1fY2FtcGFpZ249dHhfcmVjaXBpZW50X25vdGlmaWNhdGlvbiZ1dG1fdGVybT0mdXRtX3NvdXJjZT1jb3JkaWFsJnV0bV9tZWRpdW09ZW1haWwifQ&jwtS=eOhWS_qON4C7Pn_vFN9iXDtpYuHwzoYSTCcLc-Ce86o__;!!EhqYCQ!cHK5TxT8glt9qsWTQaBnSDPNius5-SdyQMZ78XjuGJ7hEnpIkoW7Wm8RBPEiYsdL79SvidfZc1DWgCTnKD
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknownHTTPS traffic detected: 23.33.136.127:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.33.136.127:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.33.136.127
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global trafficHTTP traffic detected: GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=00000000000000000000000000000000000000005EF1BFCF85 HTTP/1.1Host: clients1.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br
Source: unknownDNS traffic detected: queries for: clients2.google.com
Source: unknownHTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
Source: unknownHTTPS traffic detected: 23.33.136.127:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknownHTTPS traffic detected: 23.33.136.127:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_BITS_6556_52178828Jump to behavior
Source: classification engineClassification label: clean1.win@20/6@10/5
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome AppsJump to behavior
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 --field-trial-handle=2532,i,1680531711560861017,17543554451149963471,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "http://https:/e.cdlt.jibjab.com/c2/225:4f16e2ba44501a8a8bf3ed302d09b87f:d240209:65c6bb2428085be667d1bac9:1707522852103/8e54784a?jwtH=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9&jwtP=eyJpYXQiOjE3MDc1MjI5NzQsImNkIjoiLmppYmphYi5jb20iLCJjZSI6ODY0MDAsInRrIjoiamliamFibSIsIm10bElEIjoiNjVjNWRiOTFmNGMwYmEzYjExMGM0ZWU4IiwibGlua1VybCI6Imh0dHBzOlwvXC93d3cuamliamFiLmNvbVwvdmlld1wvbWFrZVwvYWRkaWN0ZWRfdG9fbG92ZV9yb2JlcnRfcGFsbWVyX2Fubml2ZXJzYXJ5XC80M2M2NzZkYi0yY2IxLTQ3Y2EtOTA1NS1iMjg0N2VkNTgyNWY_cmVjaXBpZW50X3Rva2VuPTE2ZjNlOTk0LTBkZDgtNDc5Yi1iOTE3LTRhOTJlN2FiMWQxYyZ1dG1fY2FtcGFpZ249dHhfcmVjaXBpZW50X25vdGlmaWNhdGlvbiZ1dG1fdGVybT0mdXRtX3NvdXJjZT1jb3JkaWFsJnV0bV9tZWRpdW09ZW1haWwifQ&jwtS=eOhWS_qON4C7Pn_vFN9iXDtpYuHwzoYSTCcLc-Ce86o__;!!EhqYCQ!cHK5TxT8glt9qsWTQaBnSDPNius5-SdyQMZ78XjuGJ7hEnpIkoW7Wm8RBPEiYsdL79SvidfZc1DWgCTnKDTKz0SxG5Y$%20urldefense.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 --field-trial-handle=2532,i,1680531711560861017,17543554451149963471,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: Google Drive.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome AppsJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnkJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnkJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnkJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnkJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnkJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnkJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
Registry Run Keys / Startup Folder
1
Process Injection
11
Masquerading
OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
Registry Run Keys / Startup Folder
1
Process Injection
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media3
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive4
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
Ingress Tool Transfer
Traffic DuplicationData Destruction
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet