Edit tour

Windows Analysis Report
https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1

Overview

General Information

Sample URL:	https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1
Analysis ID:	1309172
Infos:

Errors URL not reachable

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5504 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

chrome.exe (PID: 3420 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2340,i,948603337675666231,5668153619294458144,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

chrome.exe (PID: 2120 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1 MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

cleanup

Joe Sandbox Signatures

• Networking
• System Summary
• Boot Survival

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: global traffic

HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-115.0.5790.171Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: AEC=Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA; CONSENT=PENDING+494; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg; __Secure-ENID=14.SE=FEqwE5eimu_CzO8QanixDxMiVRDl1S74wJwxQG4kibYxHFlarNLstM6_FtN3tkTBDN7NI-PM3BH3uafw_juj7Kua5Sxw58UIqMyDvhq3JStE-0GsITWS9X0QrbjvmkA5MVBf-Eb4RLTTefnPk1F_g7MJo2hXw4TzaSRHE_HtskdpjjbT9g

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: classification engine

Classification label: unknown0.win@18/6@8/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2340,i,948603337675666231,5668153619294458144,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2340,i,948603337675666231,5668153619294458144,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
forumflowequipment.com	84.32.84.32	true	false	unknown
accounts.google.com	142.251.41.77	true	false	high
www.google.com	172.217.1.4	true	false	high
clients.l.google.com	142.251.32.78	true	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.41.77	accounts.google.com	United States	15169	GOOGLEUS	false
142.251.32.78	clients.l.google.com	United States	15169	GOOGLEUS	false
84.32.84.32	forumflowequipment.com	Lithuania	33922	NTT-LT-ASLT	false
172.217.1.4	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1309172
Start date and time:	2023-09-15 20:33:53 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 1m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	UNKNOWN
Classification:	unknown0.win@18/6@8/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	URL browsing timeout or error

Errors

URL not reachable

Warnings

Excluded IPs from analysis (whitelisted): 142.251.33.163, 34.104.35.123, 142.251.41.35, 204.79.197.200, 13.107.21.200
Excluded domains from analysis (whitelisted): www.bing.com, edgedl.me.gvt1.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, clientservices.googleapis.com, www.gstatic.com, www-www.bing.com.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.009907902181272
Encrypted:	false
SSDEEP:	48:8JdcdfIlRmHtidAKZdA1o9ehwiZUklqehrBA3:8JdXlRBE
MD5:	4A2EBA3977A03BBCA42D5C6031AF3106
SHA1:	4821C838F82A339D17C4787BAA6DA34CD0638180
SHA-256:	17C7CA4C17BB349DB85CFA3B0696365F4EB604EC45823A769F676EB44B2D30FF
SHA-512:	F1B2676B5F786D76281F59C45DE787068F303ADDA4A6FA5918201F7A504F70BF031D08067235AF77311551C18477A595A73E891F64E1ADC90EDC5399B2BF6FFB
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L./WW.....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;/WW...............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;/WW...........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;/WW............................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.02779716783459
Encrypted:	false
SSDEEP:	48:8JdcdfIlRmHtidAKZdA1t9eh/iZUkAQkqehUBA2:8JdXlRN9Q5
MD5:	527754FC6E80E36909A38A4A725A1274
SHA1:	91022CB6B47702617992A5FAB722890E21E32BB4
SHA-256:	E70C2D4C4047FB2AA301FE64C99ACC48A4F2A65259264B245732E29E3A3DC997
SHA-512:	01CCE8CBA69085773C26A302A80567C3D972DC445505AA76F628928453DE5C9C09EBEEDBA812A4E113CFF83DB705F5AFA12CA36FA09519D37E656DEBACAE4550
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L./WW.....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;/WW...............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;/WW...........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;/WW............................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2691
Entropy (8bit):	4.040168146696727
Encrypted:	false
SSDEEP:	48:8JdcdfIlRmHtidAKZdA14J9eh7sFiZUkmgqeh7syBABX:8JdXlRjnA
MD5:	64954C6456D9DC40ED857768EC33570E
SHA1:	FAB993D8EBE8B4C385B7430533BF52E538981001
SHA-256:	BB89649C0B7AA79A0EB320F7332799DCA29BA14BD2BA9A6A76239E28AE764AB8
SHA-512:	BEF020C7BB13FF90E715A6DE8C24242217EC7D9E86FC5EB5C887DBE3DC8B4725D62038664A83B1916C218DC4878418A624792BE6B7E54DEB74DFCEEC85762100
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L./WW.....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;/WW...............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;/WW...........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;/WW............................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.0252364627841555
Encrypted:	false
SSDEEP:	48:8JdcdfIlRmHtidAKZdA1u9ehDiZUkwqehIBAR:8JdXlRw6
MD5:	4E4DC1DE6698D34A2029F13F37C3766F
SHA1:	E47E93AAE73A18F1B3AF9D72185B9815D3A28698
SHA-256:	D91B76C014B5F006753DEFBD4E36F0313DC64AA05D05B16616F8B992949578F2
SHA-512:	FD9CEC7AD3541B35734CFE59F2461D6C1DD016A6D5FE01EF15377B75BA7093535504558DE4F13E657240055D3FE48BCEDBC96565FF4B490A548806582F63F01E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L./WW.....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;/WW...............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;/WW...........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;/WW............................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.013772536632816
Encrypted:	false
SSDEEP:	48:8JdcdfIlRmHtidAKZdA1c9ehBiZUk1W1qeh+BAC:8JdXlRQ9e
MD5:	DADCBF3EDC0443568CD82C4470CD4588
SHA1:	36C0A4B36E8EF00E25504D095BA7DACE2F8CBD0A
SHA-256:	522419EA4DDB0174F363CEFB96F111ECA7889A248E7742E9B2B5113FAC64B521
SHA-512:	5A46F1DC26AB64A089FC8C68257882EAC0DF378B401B3547AB92AEB84F0E788CC90E71CD44C2418A6C91DE47C263DC4AFE890A13ADDEE352FB393328585E7509
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L./WW.....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;/WW...............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;/WW...........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;/WW............................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	4.028866796101373
Encrypted:	false
SSDEEP:	48:8JdcdfIlRmHtidAKZdA1duTn9ehOuTbbiZUk5OjqehOuTbABAyT+:8JdXlRVTqTbxWOvTbAPT
MD5:	D6438E82D3D66D5F27737BB4082613A3
SHA1:	9461950E32EF0031F0594E5557525A71D048531C
SHA-256:	7EB125C620643357BE4DA33D8C31746146BF3A291E2655E5C2FB1C9FF9703920
SHA-512:	289CEEE869DACA4E002F19528B337BF57CCDCE7715A173D9EBD2C5680D3FFF70B5613EAE8F32646259D48D1C970E9E173E74006136568D89AF4399EB52562872
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L./WW.....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;/WW...............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;/WW...........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;/WW............................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............j.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Total Packets: 60
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2023 20:34:47.708229065 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:47.708257914 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:47.708316088 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:47.708786011 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:47.708817959 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:47.708955050 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:47.709130049 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:47.709141016 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:47.710716963 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:47.710726023 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:47.969459057 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:47.969984055 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:47.970052004 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:47.971538067 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:47.971632957 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:47.973097086 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:47.975328922 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:47.975358963 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:47.975696087 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:47.975737095 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:47.975763083 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:47.975831985 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:47.976296902 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:47.976326942 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:47.976365089 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:47.976421118 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:47.977391005 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:47.977447033 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:47.977643967 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:47.977654934 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:48.016412973 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:48.032072067 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:48.218820095 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:48.219784021 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:48.219974995 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:48.224633932 CEST	49708	443	192.168.2.4	142.251.32.78
Sep 15, 2023 20:34:48.224648952 CEST	443	49708	142.251.32.78	192.168.2.4
Sep 15, 2023 20:34:48.230402946 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:48.230537891 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:48.230606079 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:48.231651068 CEST	49709	443	192.168.2.4	142.251.41.77
Sep 15, 2023 20:34:48.231667042 CEST	443	49709	142.251.41.77	192.168.2.4
Sep 15, 2023 20:34:48.833580017 CEST	49710	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:48.833647966 CEST	443	49710	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:48.833736897 CEST	49710	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:48.833923101 CEST	49710	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:48.833944082 CEST	443	49710	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.112677097 CEST	49711	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.112725019 CEST	443	49711	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.112827063 CEST	49711	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.113409042 CEST	49711	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.113428116 CEST	443	49711	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.440172911 CEST	443	49710	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.440284967 CEST	443	49710	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.440362930 CEST	49710	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.528860092 CEST	49710	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.528922081 CEST	443	49710	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.533351898 CEST	49712	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.533406973 CEST	443	49712	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.533489943 CEST	49712	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.535629988 CEST	49712	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.535646915 CEST	443	49712	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.723227978 CEST	443	49711	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.723371983 CEST	443	49711	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.723434925 CEST	49711	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.770287991 CEST	49711	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.770325899 CEST	443	49711	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.772264957 CEST	49713	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.772300005 CEST	443	49713	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:49.772367954 CEST	49713	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.772921085 CEST	49713	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:49.772933006 CEST	443	49713	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:50.142343044 CEST	443	49712	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:50.142410994 CEST	443	49712	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:50.142518997 CEST	49712	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:50.142725945 CEST	49712	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:50.142751932 CEST	443	49712	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:50.379484892 CEST	443	49713	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:50.379575014 CEST	443	49713	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:50.379652977 CEST	49713	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:50.555361032 CEST	49713	443	192.168.2.4	84.32.84.32
Sep 15, 2023 20:34:50.555412054 CEST	443	49713	84.32.84.32	192.168.2.4
Sep 15, 2023 20:34:51.690903902 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:34:51.690948963 CEST	443	49716	172.217.1.4	192.168.2.4
Sep 15, 2023 20:34:51.691075087 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:34:51.691525936 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:34:51.691540003 CEST	443	49716	172.217.1.4	192.168.2.4
Sep 15, 2023 20:34:51.942763090 CEST	443	49716	172.217.1.4	192.168.2.4
Sep 15, 2023 20:34:51.988002062 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:34:52.057950020 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:34:52.057970047 CEST	443	49716	172.217.1.4	192.168.2.4
Sep 15, 2023 20:34:52.059313059 CEST	443	49716	172.217.1.4	192.168.2.4
Sep 15, 2023 20:34:52.059393883 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:34:52.061682940 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:34:52.061754942 CEST	443	49716	172.217.1.4	192.168.2.4
Sep 15, 2023 20:34:52.112894058 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:34:52.112916946 CEST	443	49716	172.217.1.4	192.168.2.4
Sep 15, 2023 20:34:52.159785986 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:35:01.930861950 CEST	443	49716	172.217.1.4	192.168.2.4
Sep 15, 2023 20:35:01.930963039 CEST	443	49716	172.217.1.4	192.168.2.4
Sep 15, 2023 20:35:01.931020975 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:35:02.453721046 CEST	49716	443	192.168.2.4	172.217.1.4
Sep 15, 2023 20:35:02.453803062 CEST	443	49716	172.217.1.4	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2023 20:34:47.598834038 CEST	60316	53	192.168.2.4	8.8.8.8
Sep 15, 2023 20:34:47.599294901 CEST	51816	53	192.168.2.4	8.8.8.8
Sep 15, 2023 20:34:47.599886894 CEST	51391	53	192.168.2.4	8.8.8.8
Sep 15, 2023 20:34:47.600240946 CEST	49785	53	192.168.2.4	8.8.8.8
Sep 15, 2023 20:34:47.697415113 CEST	53	51391	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:47.697767019 CEST	53	60316	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:47.699219942 CEST	53	49785	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:47.699615002 CEST	53	51816	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:47.700159073 CEST	53	63362	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:48.455482006 CEST	53	62550	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:48.713219881 CEST	64803	53	192.168.2.4	8.8.8.8
Sep 15, 2023 20:34:48.714183092 CEST	64829	53	192.168.2.4	8.8.8.8
Sep 15, 2023 20:34:48.831976891 CEST	53	64829	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:48.832830906 CEST	53	64803	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:50.929955959 CEST	53	52086	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:51.586590052 CEST	54863	53	192.168.2.4	8.8.8.8
Sep 15, 2023 20:34:51.587101936 CEST	55398	53	192.168.2.4	8.8.8.8
Sep 15, 2023 20:34:51.678225994 CEST	53	55398	8.8.8.8	192.168.2.4
Sep 15, 2023 20:34:51.683698893 CEST	53	54863	8.8.8.8	192.168.2.4
Sep 15, 2023 20:35:05.491620064 CEST	53	52359	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 15, 2023 20:34:47.598834038 CEST	192.168.2.4	8.8.8.8	0xe9ab	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Sep 15, 2023 20:34:47.599294901 CEST	192.168.2.4	8.8.8.8	0x5871	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Sep 15, 2023 20:34:47.599886894 CEST	192.168.2.4	8.8.8.8	0xeb1b	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Sep 15, 2023 20:34:47.600240946 CEST	192.168.2.4	8.8.8.8	0x4f1a	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Sep 15, 2023 20:34:48.713219881 CEST	192.168.2.4	8.8.8.8	0x2d70	Standard query (0)	forumflowequipment.com	A (IP address)	IN (0x0001)	false
Sep 15, 2023 20:34:48.714183092 CEST	192.168.2.4	8.8.8.8	0xd050	Standard query (0)	forumflowequipment.com	65	IN (0x0001)	false
Sep 15, 2023 20:34:51.586590052 CEST	192.168.2.4	8.8.8.8	0xbe15	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 15, 2023 20:34:51.587101936 CEST	192.168.2.4	8.8.8.8	0x2cd4	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 15, 2023 20:34:47.697415113 CEST	8.8.8.8	192.168.2.4	0xeb1b	No error (0)	accounts.google.com		142.251.41.77	A (IP address)	IN (0x0001)	false
Sep 15, 2023 20:34:47.697767019 CEST	8.8.8.8	192.168.2.4	0xe9ab	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 15, 2023 20:34:47.697767019 CEST	8.8.8.8	192.168.2.4	0xe9ab	No error (0)	clients.l.google.com		142.251.32.78	A (IP address)	IN (0x0001)	false
Sep 15, 2023 20:34:47.699615002 CEST	8.8.8.8	192.168.2.4	0x5871	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 15, 2023 20:34:48.832830906 CEST	8.8.8.8	192.168.2.4	0x2d70	No error (0)	forumflowequipment.com		84.32.84.32	A (IP address)	IN (0x0001)	false
Sep 15, 2023 20:34:51.678225994 CEST	8.8.8.8	192.168.2.4	0x2cd4	No error (0)	www.google.com			65	IN (0x0001)	false
Sep 15, 2023 20:34:51.683698893 CEST	8.8.8.8	192.168.2.4	0xbe15	No error (0)	www.google.com		172.217.1.4	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

accounts.google.com

clients2.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49709	142.251.41.77	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-15 18:34:47 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: AEC=Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA; CONSENT=PENDING+494; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg; __Secure-ENID=14.SE=FEqwE5eimu_CzO8QanixDxMiVRDl1S74wJwxQG4kibYxHFlarNLstM6_FtN3tkTBDN7NI-PM3BH3uafw_juj7Kua5Sxw58UIqMyDvhq3JStE-0GsITWS9X0QrbjvmkA5MVBf-Eb4RLTTefnPk1F_g7MJo2hXw4TzaSRHE_HtskdpjjbT9g
2023-09-15 18:34:47 UTC	0	OUT	Data Raw: 20 Data Ascii:
2023-09-15 18:34:48 UTC	2	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 15 Sep 2023 18:34:48 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-9m6S2zvZcT46-TRUK1BC_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-09-15 18:34:48 UTC	4	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-09-15 18:34:48 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49708	142.251.32.78	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-15 18:34:47 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-115.0.5790.171 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-15 18:34:48 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-dNYQkwyfULYtenl5Ejud7Q' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 15 Sep 2023 18:34:48 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6101 X-Daystart: 41688 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-09-15 18:34:48 UTC	2	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 31 30 31 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 34 31 36 38 38 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6101" elapsed_seconds="41688"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-09-15 18:34:48 UTC	2	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-09-15 18:34:48 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	20:34:44
Start date:	15/09/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff7c94b0000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	20:34:45
Start date:	15/09/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2340,i,948603337675666231,5668153619294458144,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7c94b0000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	20:34:47
Start date:	15/09/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1
Imagebase:	0x7ff7c94b0000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Errors

Warnings

Simulations

Behavior and APIs

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5504, Parent PID: 4932

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Key Value Deleted

Process Activities

Process Created

Process Terminated

Thread Activities

Thread Terminated

Windows Analysis Report
https://forumflowequipment.com/&c=E,1,f_FK1IMq8cRiDtjkPIJshof-GJF-qtdgUzu2bdmrWPeCZNN5yVrVaRqJberCHZM2GRGkElotgPjZBCHMj8YKaNLY0D2P46SsdKogRNVa1dk,&typo=1