Windows
Analysis Report
https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm
Overview
General Information
Detection
Score: | 2 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w7x64
- cmd.exe (PID: 2668 cmdline:
C:\Windows \system32\ cmd.exe /c wget -t 2 -v -T 60 -P "C:\Use rs\user\De sktop\down load" --no -check-cer tificate - -content-d isposition --user-ag ent="Mozil la/5.0 (Wi ndows NT 6 .1; WOW64; Trident/7 .0; AS; rv :11.0) lik e Gecko" " https://fi les.cchsfs .com/doc/a tx/2021/He lp/Content /Both-SSou rce/Instal lation/Dow nloading%2 0ATX.htm" > cmdline. out 2>&1 MD5: AD7B9C14083B52BC532FBA5948342B98) - wget.exe (PID: 1568 cmdline:
wget -t 2 -v -T 60 - P "C:\User s\user\Des ktop\downl oad" --no- check-cert ificate -- content-di sposition --user-age nt="Mozill a/5.0 (Win dows NT 6. 1; WOW64; Trident/7. 0; AS; rv: 11.0) like Gecko" "h ttps://fil es.cchsfs. com/doc/at x/2021/Hel p/Content/ Both-SSour ce/Install ation/Down loading%20 ATX.htm" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- chrome.exe (PID: 3024 cmdline:
C:\Program Files (x8 6)\Google\ Chrome\App lication\c hrome.exe" --start-m aximized - - "C:\User s\user\Des ktop\downl oad\Downlo ading ATX. htm.html MD5: 6ACAE527E744C80997B25EF2A0485D5E) - chrome.exe (PID: 2028 cmdline:
"C:\Progra m Files (x 86)\Google \Chrome\Ap plication\ chrome.exe " --type=u tility --u tility-sub -type=netw ork.mojom. NetworkSer vice --fie ld-trial-h andle=1008 ,101900091 6465979311 ,666285239 5727443255 ,131072 -- lang=en-US --service -sandbox-t ype=networ k --enable -audio-ser vice-sandb ox --mojo- platform-c hannel-han dle=1436 / prefetch:8 MD5: 6ACAE527E744C80997B25EF2A0485D5E)
- cleanup
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | HTTPS traffic detected: |
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Code function: | 3_2_007F4E71 | |
Source: | Code function: | 3_2_007F1B47 | |
Source: | Code function: | 3_2_007FA303 | |
Source: | Code function: | 3_2_007F59D8 |
Source: | Key opened: | Jump to behavior |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Classification label: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Window detected: |
Source: | Code function: | 3_2_007F4685 | |
Source: | Code function: | 3_2_007F6F39 | |
Source: | Code function: | 3_2_007FBD91 | |
Source: | Code function: | 3_2_007EF8E3 | |
Source: | Code function: | 3_2_007F54ED | |
Source: | Code function: | 3_2_007F9F01 | |
Source: | Code function: | 3_2_007F9D81 | |
Source: | Code function: | 3_2_007F6B41 | |
Source: | Code function: | 3_2_007FB745 | |
Source: | Code function: | 3_2_007F9D99 | |
Source: | Code function: | 3_2_007F9FC1 | |
Source: | Code function: | 3_2_007F6FB9 | |
Source: | Code function: | 3_2_007F9BD1 | |
Source: | Code function: | 3_2_00C16CDA | |
Source: | Code function: | 3_2_00C16CD2 | |
Source: | Code function: | 3_2_00C16CD2 | |
Source: | Code function: | 3_2_00C1B271 | |
Source: | Code function: | 3_2_00C16B5A |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 12 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 12 System Information Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | 1 Remote System Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 3 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 4 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Ingress Tool Transfer | SIM Card Swap | Carrier Billing Fraud |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
accounts.google.com | 142.250.203.109 | true | false | high | |
www.google.com | 142.250.203.100 | true | false | high | |
clients.l.google.com | 216.58.215.238 | true | false | high | |
sni1gl.wpc.edgecastcdn.net | 152.199.21.175 | true | false | high | |
files.cchsfs.com | unknown | unknown | false | high | |
clients2.google.com | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | low | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
239.255.255.250 | unknown | Reserved | unknown | unknown | false | |
216.58.215.238 | clients.l.google.com | United States | 15169 | GOOGLEUS | false | |
142.250.203.100 | www.google.com | United States | 15169 | GOOGLEUS | false | |
152.199.21.175 | sni1gl.wpc.edgecastcdn.net | United States | 15133 | EDGECASTUS | false | |
142.250.203.109 | accounts.google.com | United States | 15169 | GOOGLEUS | false |
IP |
---|
192.168.2.255 |
127.0.0.1 |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 694551 |
Start date and time: | 2022-08-31 23:40:22 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 26s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | urldownload.jbs |
Sample URL: | https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 2 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean2.win@29/2@4/7 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, conhost.exe
- Excluded IPs from analysis (whitelisted): 142.250.203.99, 34.104.35.123, 172.217.168.78
- Excluded domains from analysis (whitelisted): az393887.vo.msecnd.net, edgedl.me.gvt1.com, update.googleapis.com, clientservices.googleapis.com, www.gstatic.com, www.google-analytics.com
- Execution Graph export aborted for target wget.exe, PID 1568 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
- Report size getting too big, too many NtWriteVirtualMemory calls found.
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 614 |
Entropy (8bit): | 5.208818046642858 |
Encrypted: | false |
SSDEEP: | 12:HgFpdftToi4dENVCrWXCrwtT1De5RhKj1DbpbKb3ni1VmyRipbKb3RRa:SpRtTJ4d7rZrOxePgj1BbcEJRsbcLa |
MD5: | 886CD67138B262F20D4FEFDDE2C9D030 |
SHA1: | 8DE41B7CCC15A8B4ADFAA1E21EB0F33A1ABF4B9F |
SHA-256: | 2ADB51673672E55B64534D773E5581F69B0C2B709BB74C5BC5AD164B57028D8E |
SHA-512: | 93A5052CA654C6B09890048D7FDE1035D0903312F204A9CD6431F64A71224418013BCA3E8C0723BBC1C8935FCA31535DD3115442B46156FD9CA2AD13AD3D4668 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\wget.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8577 |
Entropy (8bit): | 4.948305470120674 |
Encrypted: | false |
SSDEEP: | 96:NGJK7LLipGgyNE10YE1oxSqeQKqxEYkY02Xusc:NGJK7u9115QQKJvR |
MD5: | 9F844B6827EF34B8BE5E6D3FDBADB6E9 |
SHA1: | 3806E376AF067E23F25FA610EEEDB67858EF6695 |
SHA-256: | 78D2CF034E63796F3B7B2281CDD4B5741AE3E260A9FD1D7C7BE4A41E796F75BF |
SHA-512: | CAAB3D5AAF960C1220DC1542D752CF04FEE50926BF0E6DF930D4D6C253FB062D699D4886F2F7BB2DA7426C0AB502CA35C8F8D18BBE16C4E247F0B3EAC45AB1D0 |
Malicious: | false |
Reputation: | low |
Preview: |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 31, 2022 23:41:19.106123924 CEST | 49173 | 443 | 192.168.2.22 | 152.199.21.175 |
Aug 31, 2022 23:41:19.106163025 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:19.106218100 CEST | 49173 | 443 | 192.168.2.22 | 152.199.21.175 |
Aug 31, 2022 23:41:19.110198021 CEST | 49173 | 443 | 192.168.2.22 | 152.199.21.175 |
Aug 31, 2022 23:41:19.110217094 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:19.179549932 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:19.179743052 CEST | 49173 | 443 | 192.168.2.22 | 152.199.21.175 |
Aug 31, 2022 23:41:19.198069096 CEST | 49173 | 443 | 192.168.2.22 | 152.199.21.175 |
Aug 31, 2022 23:41:19.198112965 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:19.198365927 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:19.201191902 CEST | 49173 | 443 | 192.168.2.22 | 152.199.21.175 |
Aug 31, 2022 23:41:19.243365049 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:19.581839085 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:19.581958055 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:19.582048893 CEST | 49173 | 443 | 192.168.2.22 | 152.199.21.175 |
Aug 31, 2022 23:41:19.582050085 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:19.582094908 CEST | 49173 | 443 | 192.168.2.22 | 152.199.21.175 |
Aug 31, 2022 23:41:19.750538111 CEST | 49173 | 443 | 192.168.2.22 | 152.199.21.175 |
Aug 31, 2022 23:41:19.750575066 CEST | 443 | 49173 | 152.199.21.175 | 192.168.2.22 |
Aug 31, 2022 23:41:28.537720919 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.537770033 CEST | 443 | 49174 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.537839890 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.602472067 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.602543116 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.602699995 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.611823082 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.611857891 CEST | 443 | 49174 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.612135887 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.612179041 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.613923073 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:28.613965034 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:28.614036083 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:28.614372015 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:28.614387035 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:28.666033983 CEST | 443 | 49174 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.668195009 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.673752069 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:28.716207981 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.716249943 CEST | 443 | 49174 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.716799974 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.716856003 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.717058897 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:28.717108965 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:28.717453957 CEST | 443 | 49174 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.717536926 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.718559027 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:28.718647003 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:28.719094038 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:28.719172955 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:28.719909906 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:28.719971895 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:29.508254051 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:29.508462906 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:29.508631945 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:29.508654118 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:29.508657932 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:29.508789062 CEST | 443 | 49174 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:29.509161949 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:29.509191990 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:29.509243965 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:29.509269953 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:29.543838024 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:29.543910027 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:29.543920040 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:29.543934107 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:29.543976068 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:29.586033106 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:29.586292028 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:29.586524963 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:29.587258101 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:29.719418049 CEST | 443 | 49174 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:29.719526052 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:30.180073977 CEST | 49176 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:30.180113077 CEST | 443 | 49176 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:30.180613041 CEST | 49175 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:30.180650949 CEST | 443 | 49175 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:30.784313917 CEST | 49179 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:30.784372091 CEST | 443 | 49179 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.784447908 CEST | 49179 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:30.785588026 CEST | 49180 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:30.785653114 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.785727024 CEST | 49180 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:30.793322086 CEST | 49179 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:30.793380976 CEST | 443 | 49179 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.793853998 CEST | 49180 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:30.793900967 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.850653887 CEST | 443 | 49179 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.855654001 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.893690109 CEST | 49179 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:30.893723011 CEST | 443 | 49179 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.895031929 CEST | 443 | 49179 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.895117998 CEST | 49179 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:30.905047894 CEST | 49180 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:30.905132055 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.907831907 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:30.907919884 CEST | 49180 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:31.997870922 CEST | 49179 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:31.998112917 CEST | 49180 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:31.998135090 CEST | 443 | 49179 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:31.998294115 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:32.015254974 CEST | 49179 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:32.015285015 CEST | 443 | 49179 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:32.033536911 CEST | 443 | 49179 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:32.033636093 CEST | 49179 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:32.036925077 CEST | 49179 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:32.036946058 CEST | 443 | 49179 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:32.207362890 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:32.207492113 CEST | 49180 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:40.870920897 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:40.871032000 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:40.871112108 CEST | 49180 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:41.179861069 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:41.180186987 CEST | 443 | 49174 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:41.180258989 CEST | 443 | 49174 | 142.250.203.109 | 192.168.2.22 |
Aug 31, 2022 23:41:41.180274010 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:41.180315018 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.109 |
Aug 31, 2022 23:41:41.181679964 CEST | 49180 | 443 | 192.168.2.22 | 142.250.203.100 |
Aug 31, 2022 23:41:41.181730032 CEST | 443 | 49180 | 142.250.203.100 | 192.168.2.22 |
Aug 31, 2022 23:41:42.512320042 CEST | 49198 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:42.512363911 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:42.512435913 CEST | 49198 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:42.514729977 CEST | 49198 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:42.514763117 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:42.566848040 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:42.567313910 CEST | 49198 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:42.567362070 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:42.567697048 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:42.568329096 CEST | 49198 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:42.568430901 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:42.568583012 CEST | 49198 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:42.611367941 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:42.626319885 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:42.626444101 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Aug 31, 2022 23:41:42.626528978 CEST | 49198 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:42.628612995 CEST | 49198 | 443 | 192.168.2.22 | 216.58.215.238 |
Aug 31, 2022 23:41:42.628634930 CEST | 443 | 49198 | 216.58.215.238 | 192.168.2.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 31, 2022 23:41:18.937033892 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 31, 2022 23:41:27.871912956 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:28.023561954 CEST | 50108 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 31, 2022 23:41:28.043100119 CEST | 53 | 50108 | 8.8.8.8 | 192.168.2.22 |
Aug 31, 2022 23:41:28.113667965 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:28.225126982 CEST | 54723 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 31, 2022 23:41:28.244508982 CEST | 53 | 54723 | 8.8.8.8 | 192.168.2.22 |
Aug 31, 2022 23:41:28.618118048 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:28.863960028 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:28.933747053 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:29.368880033 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:29.614661932 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:29.683285952 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:30.433396101 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:30.756593943 CEST | 55244 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 31, 2022 23:41:30.775914907 CEST | 53 | 55244 | 8.8.8.8 | 192.168.2.22 |
Aug 31, 2022 23:41:34.031162024 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:34.032438040 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:34.373091936 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:34.781018972 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:34.781955957 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:35.125859022 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:35.531505108 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:35.547050953 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:35.890403986 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:36.328377962 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:36.329225063 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:37.089637995 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:37.089874029 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:37.854212046 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:37.854537010 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:38.463912010 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:39.212840080 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:39.379249096 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:39.380043983 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:39.380413055 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:39.963140965 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:40.123166084 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:40.123651028 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:40.123667002 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:40.880435944 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:40.880568981 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:40.880574942 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:41:47.565970898 CEST | 138 | 138 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:42:27.999362946 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:42:28.757688046 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:42:29.522181034 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255 |
Aug 31, 2022 23:43:17.124361992 CEST | 138 | 138 | 192.168.2.22 | 192.168.2.255 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 31, 2022 23:41:18.937033892 CEST | 192.168.2.22 | 8.8.8.8 | 0x5f2b | Standard query (0) | A (IP address) | IN (0x0001) | |
Aug 31, 2022 23:41:28.023561954 CEST | 192.168.2.22 | 8.8.8.8 | 0x6d1 | Standard query (0) | A (IP address) | IN (0x0001) | |
Aug 31, 2022 23:41:28.225126982 CEST | 192.168.2.22 | 8.8.8.8 | 0xabf0 | Standard query (0) | A (IP address) | IN (0x0001) | |
Aug 31, 2022 23:41:30.756593943 CEST | 192.168.2.22 | 8.8.8.8 | 0x77e8 | Standard query (0) | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 31, 2022 23:41:19.084029913 CEST | 8.8.8.8 | 192.168.2.22 | 0x5f2b | No error (0) | az393887.vo.msecnd.net | CNAME (Canonical name) | IN (0x0001) | ||
Aug 31, 2022 23:41:19.084029913 CEST | 8.8.8.8 | 192.168.2.22 | 0x5f2b | No error (0) | sni1gl.wpc.edgecastcdn.net | CNAME (Canonical name) | IN (0x0001) | ||
Aug 31, 2022 23:41:19.084029913 CEST | 8.8.8.8 | 192.168.2.22 | 0x5f2b | No error (0) | 152.199.21.175 | A (IP address) | IN (0x0001) | ||
Aug 31, 2022 23:41:28.043100119 CEST | 8.8.8.8 | 192.168.2.22 | 0x6d1 | No error (0) | clients.l.google.com | CNAME (Canonical name) | IN (0x0001) | ||
Aug 31, 2022 23:41:28.043100119 CEST | 8.8.8.8 | 192.168.2.22 | 0x6d1 | No error (0) | 216.58.215.238 | A (IP address) | IN (0x0001) | ||
Aug 31, 2022 23:41:28.244508982 CEST | 8.8.8.8 | 192.168.2.22 | 0xabf0 | No error (0) | 142.250.203.109 | A (IP address) | IN (0x0001) | ||
Aug 31, 2022 23:41:30.775914907 CEST | 8.8.8.8 | 192.168.2.22 | 0x77e8 | No error (0) | 142.250.203.100 | A (IP address) | IN (0x0001) |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49173 | 152.199.21.175 | 443 | C:\Windows\SysWOW64\wget.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-31 21:41:19 UTC | 0 | OUT | |
2022-08-31 21:41:19 UTC | 0 | IN | |
2022-08-31 21:41:19 UTC | 0 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49175 | 142.250.203.109 | 443 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-31 21:41:29 UTC | 9 | OUT | |
2022-08-31 21:41:29 UTC | 9 | OUT | |
2022-08-31 21:41:29 UTC | 12 | IN | |
2022-08-31 21:41:29 UTC | 13 | IN | |
2022-08-31 21:41:29 UTC | 13 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49176 | 216.58.215.238 | 443 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-31 21:41:29 UTC | 9 | OUT | |
2022-08-31 21:41:29 UTC | 10 | IN | |
2022-08-31 21:41:29 UTC | 11 | IN | |
2022-08-31 21:41:29 UTC | 11 | IN | |
2022-08-31 21:41:29 UTC | 12 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.22 | 49179 | 142.250.203.100 | 443 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-31 21:41:32 UTC | 13 | OUT | |
2022-08-31 21:41:32 UTC | 14 | IN | |
2022-08-31 21:41:32 UTC | 14 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.22 | 49198 | 216.58.215.238 | 443 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-08-31 21:41:42 UTC | 14 | OUT | |
2022-08-31 21:41:42 UTC | 15 | IN | |
2022-08-31 21:41:42 UTC | 16 | IN | |
2022-08-31 21:41:42 UTC | 16 | IN | |
2022-08-31 21:41:42 UTC | 17 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 23:40:18 |
Start date: | 31/08/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4a0b0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 3 |
Start time: | 23:40:20 |
Start date: | 31/08/2022 |
Path: | C:\Windows\SysWOW64\wget.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 3895184 bytes |
MD5 hash: | 3DADB6E2ECE9C4B3E1E322E617658B60 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 4 |
Start time: | 23:40:25 |
Start date: | 31/08/2022 |
Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f4f0000 |
File size: | 1820656 bytes |
MD5 hash: | 6ACAE527E744C80997B25EF2A0485D5E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 5 |
Start time: | 23:40:27 |
Start date: | 31/08/2022 |
Path: | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f4f0000 |
File size: | 1820656 bytes |
MD5 hash: | 6ACAE527E744C80997B25EF2A0485D5E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Function 007F59D8 Relevance: 1.6, Strings: 1, Instructions: 400COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 007F1B47 Relevance: .7, Instructions: 716COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 007F4E71 Relevance: .6, Instructions: 613COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 007FA303 Relevance: .5, Instructions: 458COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |