Edit tour

Windows Analysis Report
http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net

Overview

General Information

Sample URL:	http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net
Analysis ID:	1428937
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6352 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1976,i,6815876806089879004,10038107220045899808,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: unknown

DNS traffic detected: queries for: www.google.com

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713555538737&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 23.60.84.144:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.60.84.144:443 -> 192.168.2.5:49717 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@16/10@2/3

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1976,i,6815876806089879004,10038107220045899808,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1976,i,6815876806089879004,10038107220045899808,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
www.google.com	172.253.124.106	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
172.253.124.106	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428937
Start date and time:	2024-04-19 21:38:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@16/10@2/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 173.194.219.94, 74.125.138.139, 74.125.138.100, 74.125.138.113, 74.125.138.101, 74.125.138.102, 74.125.138.138, 64.233.177.84, 34.104.35.123, 20.38.122.129, 13.85.23.86, 23.40.205.49, 199.232.214.172, 192.229.211.108, 20.166.126.56, 52.165.164.15, 20.114.59.183, 172.217.215.94, 20.12.23.50, 23.45.13.176, 23.45.13.184
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 18:39:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.985646747919829
Encrypted:	false
SSDEEP:	48:8kdATkYcHUidAKZdA19ehwiZUklqehTy+3:83vjIy
MD5:	69E2BA67CB7D5793C489A10AA873E6AF
SHA1:	7BBE69DB76A25633A161537B6908FB36A90A5225
SHA-256:	DDAD7C38D8801CB422165A451A9187CCFE74F7E6D0D36A6B9318E32957E6990A
SHA-512:	A7D0A209173EB818BD25B873D7234D2BEE6052CEDA6699577B4E74E3EC4E0FA5BF2CAF7F7D870F5B2169E77D5F356B395EDF0FCA95B851EF47BE47DD3C88DE00
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....7.B....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............0.O.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 18:39:14 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.001018246589355
Encrypted:	false
SSDEEP:	48:82dATkYcHUidAKZdA1weh/iZUkAQkqeh4y+2:8BvR9Q1y
MD5:	5C7BF4E0DE292C9CCB5FA1F1EA43824C
SHA1:	FF2BCCC147D9DD7DA01ADD026D7AE443410126B5
SHA-256:	092C0FF9E9E53BF23591278EBDBBB61AEF25765AE44835D9B5C24BEFC19F914D
SHA-512:	2F793708B64BE0D477A4B2C5BC7D3734CF93597FF691F068E2E26FAB1443FCBB3E431003019FF1FCEF3B9B96FC69EE7A02F6C1F03BA09B7291813B95CA4FEAE1
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....;I.B....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............0.O.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.010161534397526
Encrypted:	false
SSDEEP:	48:8xRdATkYsHUidAKZdA14tseh7sFiZUkmgqeh7s6y+BX:8x0vRnUy
MD5:	EA78DFD28C68C284BC13D675FAB94C2D
SHA1:	9DEB4B30687E12AB5BBD2D821EA7363F40FD42E8
SHA-256:	8291FC26B0A7DA1FB3339BBC1E9A6EF08E7636845BC5C6C9D100C568FCB0EEF0
SHA-512:	F1317BA6913FE90E226D79F1A6AAE6C31346DAB502A5196A140EF5809CCBFCEE2C32FE034CB0DEA4E9BB8463123FC26ACE19C3780AB199CCF87EDF0EE684508A
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............0.O.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 18:39:14 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9983105470923945
Encrypted:	false
SSDEEP:	48:86dATkYcHUidAKZdA1vehDiZUkwqeh8y+R:8VvSCy
MD5:	E7CB34BDA04504880AA150DE7CCD7F85
SHA1:	0E3F96931284DF3684B521A47A512237BC33F1C9
SHA-256:	BA7559C5D5A140E034E8F30B1DDDBD9E9D9C7586AB20343291F252BA57575321
SHA-512:	C5B0DDC4A279C2252F28C6B6E1C9EEC2658C162423DF0E040B8C2AA17B59F8C76DAFF8A1ABDA53F33DC9BAB21EB0ECA2BAA082EB6C88C803CAE3EEF86279696A
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....j..B....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............0.O.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 18:39:14 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9895867866474584
Encrypted:	false
SSDEEP:	48:8HudATkYcHUidAKZdA1hehBiZUk1W1qehGy+C:8HJvi9my
MD5:	9399EC22035A646A582284D366598A79
SHA1:	13B3AA1CF997B5415C609276A2244A7782E6A0C4
SHA-256:	0DEF67902D0F52B205603E655BB8A5D7D096B61DC3CB99413F5AF7C195C2D580
SHA-512:	A8A6EA5493AA1FE60F5A5AE6EBE4187D816694A2D05645D5C1FC96652030D844E835424DAD7FB3D795813490DF6AC831591709BDBCD13F87CEA3A78DB5EDFB65
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,..../..B....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............0.O.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 18:39:14 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.999245980597191
Encrypted:	false
SSDEEP:	48:8jNdATkYcHUidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbUy+yT+:8jAvcT/TbxWOvTbUy7T
MD5:	B8EC72DB49C14B18B23F83D349A5687B
SHA1:	9B0084D096EFD0A6DF2DC052D96FAB61F229DB53
SHA-256:	68DE6747F1AEF7C5085915C01268EFC2031CC46BF35A58068B1E58AD6DF9DEEE
SHA-512:	ADC9AF480D339B535FCA9933A579566804109FA5C77580F4D42FDF399F52E3A12866F027134377E042936421A63ABC75589C52B1FB23A6DD9AB5F971C8D028B2
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....hH.B....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............0.O.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 58

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (337), with no line terminators
Category:	downloaded
Size (bytes):	337
Entropy (8bit):	5.139028340994985
Encrypted:	false
SSDEEP:	6:haxU/qHX96TBGSYFD0NlzY2i21VsJCYWOesR2p022bNS6E:haxzHktGSFN62i2LYWOesw
MD5:	D02F3B4746D607557F4DF39D18A956D3
SHA1:	071D18805D8FCF832FD0758AB63E4C61BCA437BB
SHA-256:	39DF0678912F53B68CF1B27036CEAA7F46E808866383DA1D327DBDEE3B278845
SHA-512:	FBC3E9E833DE4CBA7DA910E62BADBF58E3E9F4286C9887DC37BF76DA38C55E11E825A303EA7DAAD106283CA51C737320171EFF179671A9935D2023F91E834098
Malicious:	false
Reputation:	low
URL:	http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net/
Preview:	<!DOCTYPE html><html><head><title>AccountRequiresHttps</title></head><body><h1>The account being accessed does not support http.</h1><p><ul><li>HttpStatusCode: 400</li><li>ErrorCode: AccountRequiresHttps</li><li>RequestId : 023b4a35-f01e-0029-0b91-923667000000</li><li>TimeStamp : 2024-04-19T19:39:15.7746581Z</li></ul></p></body></html>

Chrome Cache Entry: 59

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (337), with no line terminators
Category:	downloaded
Size (bytes):	337
Entropy (8bit):	5.131610302317065
Encrypted:	false
SSDEEP:	6:haxU/qHX96TBGSYFD0NlzY2i21VsJCYWOTt1hsR2p022bD+E:haxzHktGSFN62i2LYWOTtDs7P
MD5:	223DF441121EE67AA44BF21BAB4D86AC
SHA1:	8A36C7DE5DF8C8C7208DF57447FB2039F93B3ECE
SHA-256:	C7BEF036BB5D274E0399699639D557708E3BF9E3951E3356D97790CF33CB0ACA
SHA-512:	7EDEB2BF38F0A6D313CF205F495D6AB0C942DA45420FF31C3A7953029799B9809E22697FDBE679A99605E38B7CA59CCA0A3499D0B353AC7619CE81ADA04E2A6C
Malicious:	false
Reputation:	low
URL:	http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net/favicon.ico
Preview:	<!DOCTYPE html><html><head><title>AccountRequiresHttps</title></head><body><h1>The account being accessed does not support http.</h1><p><ul><li>HttpStatusCode: 400</li><li>ErrorCode: AccountRequiresHttps</li><li>RequestId : 023b4aa9-f01e-0029-7b91-923667000000</li><li>TimeStamp : 2024-04-19T19:39:15.9855392Z</li></ul></p></body></html>

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 21:39:09.320941925 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:09.320962906 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:09.461575985 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:18.057123899 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:18.057151079 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:18.057213068 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:18.060281038 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:18.060295105 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:18.279618979 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:18.279928923 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:18.279947996 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:18.280972004 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:18.281106949 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:18.480532885 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:18.480668068 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:18.527384043 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:18.527405024 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:18.577373981 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:18.933553934 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:18.933562994 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:19.037364960 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.037388086 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.037635088 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.041359901 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.041373968 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.074194908 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:19.289666891 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.289741039 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.296637058 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.296653032 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.297025919 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.339791059 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.408354998 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.456115961 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.525425911 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.525532961 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.525582075 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.525665998 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.525676966 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.525688887 CEST	49716	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.525692940 CEST	443	49716	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.563291073 CEST	49717	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.563355923 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.563441992 CEST	49717	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.563746929 CEST	49717	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.563781977 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.777626038 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.777705908 CEST	49717	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.780030966 CEST	49717	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.780040979 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.780421972 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.786314011 CEST	49717	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:19.832115889 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.989794016 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.989895105 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:19.990092039 CEST	49717	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:20.014437914 CEST	49717	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:20.014481068 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:20.014511108 CEST	49717	443	192.168.2.5	23.60.84.144
Apr 19, 2024 21:39:20.014525890 CEST	443	49717	23.60.84.144	192.168.2.5
Apr 19, 2024 21:39:20.449762106 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:20.449875116 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:28.285500050 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:28.285562992 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:28.285671949 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:28.329407930 CEST	49715	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:39:28.329437017 CEST	443	49715	172.253.124.106	192.168.2.5
Apr 19, 2024 21:39:30.762980938 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:30.763328075 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:30.763669968 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:30.763726950 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:30.763796091 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:30.764259100 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:30.764273882 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:30.915352106 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:30.915653944 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.073410988 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.073506117 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.215018034 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.215066910 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.216226101 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.216310024 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.256999016 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.257071972 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.257308006 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.257323027 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.607590914 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.607662916 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.607837915 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.607888937 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.607991934 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.608047009 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.649153948 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.649218082 CEST	443	49722	23.1.237.91	192.168.2.5
Apr 19, 2024 21:39:31.649246931 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:39:31.649275064 CEST	49722	443	192.168.2.5	23.1.237.91
Apr 19, 2024 21:40:18.175957918 CEST	49727	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:40:18.176006079 CEST	443	49727	172.253.124.106	192.168.2.5
Apr 19, 2024 21:40:18.176100969 CEST	49727	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:40:18.176475048 CEST	49727	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:40:18.176487923 CEST	443	49727	172.253.124.106	192.168.2.5
Apr 19, 2024 21:40:18.389481068 CEST	443	49727	172.253.124.106	192.168.2.5
Apr 19, 2024 21:40:18.389805079 CEST	49727	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:40:18.389812946 CEST	443	49727	172.253.124.106	192.168.2.5
Apr 19, 2024 21:40:18.390124083 CEST	443	49727	172.253.124.106	192.168.2.5
Apr 19, 2024 21:40:18.391413927 CEST	49727	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:40:18.391480923 CEST	443	49727	172.253.124.106	192.168.2.5
Apr 19, 2024 21:40:18.433337927 CEST	49727	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:40:28.394648075 CEST	443	49727	172.253.124.106	192.168.2.5
Apr 19, 2024 21:40:28.394705057 CEST	443	49727	172.253.124.106	192.168.2.5
Apr 19, 2024 21:40:28.395690918 CEST	49727	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:40:30.327764034 CEST	49727	443	192.168.2.5	172.253.124.106
Apr 19, 2024 21:40:30.327788115 CEST	443	49727	172.253.124.106	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 21:39:13.933502913 CEST	53	64661	1.1.1.1	192.168.2.5
Apr 19, 2024 21:39:13.986531973 CEST	53	56103	1.1.1.1	192.168.2.5
Apr 19, 2024 21:39:14.596657991 CEST	53	55370	1.1.1.1	192.168.2.5
Apr 19, 2024 21:39:17.900218010 CEST	52320	53	192.168.2.5	1.1.1.1
Apr 19, 2024 21:39:17.900974035 CEST	50869	53	192.168.2.5	1.1.1.1
Apr 19, 2024 21:39:18.004894972 CEST	53	52320	1.1.1.1	192.168.2.5
Apr 19, 2024 21:39:18.005620003 CEST	53	50869	1.1.1.1	192.168.2.5
Apr 19, 2024 21:39:32.464970112 CEST	53	58399	1.1.1.1	192.168.2.5
Apr 19, 2024 21:39:51.434900045 CEST	53	56464	1.1.1.1	192.168.2.5
Apr 19, 2024 21:40:13.939927101 CEST	53	62128	1.1.1.1	192.168.2.5
Apr 19, 2024 21:40:14.587981939 CEST	53	57654	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 21:39:17.900218010 CEST	192.168.2.5	1.1.1.1	0x8014	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:17.900974035 CEST	192.168.2.5	1.1.1.1	0x4fe8	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 21:39:18.004894972 CEST	1.1.1.1	192.168.2.5	0x8014	No error (0)	www.google.com		172.253.124.106	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:18.004894972 CEST	1.1.1.1	192.168.2.5	0x8014	No error (0)	www.google.com		172.253.124.105	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:18.004894972 CEST	1.1.1.1	192.168.2.5	0x8014	No error (0)	www.google.com		172.253.124.104	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:18.004894972 CEST	1.1.1.1	192.168.2.5	0x8014	No error (0)	www.google.com		172.253.124.147	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:18.004894972 CEST	1.1.1.1	192.168.2.5	0x8014	No error (0)	www.google.com		172.253.124.103	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:18.004894972 CEST	1.1.1.1	192.168.2.5	0x8014	No error (0)	www.google.com		172.253.124.99	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:18.005620003 CEST	1.1.1.1	192.168.2.5	0x4fe8	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 19, 2024 21:39:30.396893024 CEST	1.1.1.1	192.168.2.5	0x3bd6	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:30.396893024 CEST	1.1.1.1	192.168.2.5	0x3bd6	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:30.514934063 CEST	1.1.1.1	192.168.2.5	0xd9cc	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 21:39:30.514934063 CEST	1.1.1.1	192.168.2.5	0xd9cc	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:39:43.905457973 CEST	1.1.1.1	192.168.2.5	0x896c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 21:39:43.905457973 CEST	1.1.1.1	192.168.2.5	0x896c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:40:06.681607008 CEST	1.1.1.1	192.168.2.5	0x611	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 21:40:06.681607008 CEST	1.1.1.1	192.168.2.5	0x611	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

https:

www.bing.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	23.60.84.144	443

Timestamp	Bytes transferred	Direction	Data
2024-04-19 19:39:19 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-19 19:39:19 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0758) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=127455 Date: Fri, 19 Apr 2024 19:39:19 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	23.60.84.144	443

Timestamp	Bytes transferred	Direction	Data
2024-04-19 19:39:19 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-19 19:39:19 UTC	456	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0778) X-CID: 11 Cache-Control: public, max-age=127490 Date: Fri, 19 Apr 2024 19:39:19 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-19 19:39:19 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.5	49722	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-04-19 19:39:31 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713555538737&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-04-19 19:39:31 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-04-19 19:39:31 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-04-19 19:39:31 UTC	480	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 88CED804DB6344009D4900498C32D630 Ref B: LAX311000112033 Ref C: 2024-04-19T19:39:31Z Date: Fri, 19 Apr 2024 19:39:31 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1713555571.12fa7b32

Target ID:	0
Start time:	21:39:09
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	21:39:11
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1976,i,6815876806089879004,10038107220045899808,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	21:39:14
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.84.144
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 58

Chrome Cache Entry: 59

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6252, Parent PID: 5376

General

Chronological Activities

Analysis Process: chrome.exePID: 6352, Parent PID: 6252

General

Chronological Activities

Analysis Process: chrome.exePID: 2232, Parent PID: 5376

General

Windows Analysis Report
http://habdjfvjkdfjlbjlkbj.z19.web.core.windows.net