Edit tour

Windows Analysis Report
https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5

Overview

General Information

Sample URL:	https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRk
Analysis ID:	1337739
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Stores files to the Windows start menu directory

Creates files inside the system directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3876 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1396 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1968,i,4919454228787201024,11240303552009847159,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5708 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

mspaint.exe (PID: 6252 cmdline: mspaint.exe "C:\Users\user\Desktop\" MD5: 986A191E95952C9E3FE6BE112FB92026)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097

Avira URL Cloud: detection malicious, Label: phishing

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49721 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 104.117.234.93:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.117.234.93:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49724 version: TLS 1.2

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49721 version: TLS 1.0

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097 HTTP/1.1Host: guru.phishing.guruConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UCtVR9eSnzDyvXa&MD=oyD6ctd6 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UCtVR9eSnzDyvXa&MD=oyD6ctd6 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4

Source: unknown	HTTPS traffic detected: 104.117.234.93:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.117.234.93:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49724 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_3876_167568626

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal48.win@18/10@8/7

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1968,i,4919454228787201024,11240303552009847159,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097
Source: unknown	Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe "C:\Users\user\Desktop\"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1968,i,4919454228787201024,11240303552009847159,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097	100%	Avira URL Cloud	phishing

Name	IP	Active	Malicious	Reputation
accounts.google.com	142.251.33.77	true	false	high
www.google.com	142.250.217.100	true	false	high
clients.l.google.com	142.250.217.78	true	false	high
landing.training.knowbe4.com	3.213.228.121	true	false	high
guru.phishing.guru	unknown	unknown	false	unknown
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false	high
https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097	true	unknown
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.217.100	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.217.78	clients.l.google.com	United States	15169	GOOGLEUS	false
142.251.33.77	accounts.google.com	United States	15169	GOOGLEUS	false
3.213.228.121	landing.training.knowbe4.com	United States	14618	AMAZON-AESUS	false

Private

IP
192.168.2.7
192.168.2.5

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1337739
Start date and time:	2023-11-06 16:32:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@18/10@8/7
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.211.227, 34.104.35.123, 69.164.40.8, 192.229.211.108, 142.251.215.227, 8.247.118.126
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	2.7374910194847146
Encrypted:	false
SSDEEP:	3:CUnl/7yltxlHh/:/+/
MD5:	07FFF40B5DD495ACA2AC4E1C3FBC60AA
SHA1:	E8AC224BA9EE97E87670ED6F3A2F0128B7AF9FE4
SHA-256:	A065920DF8CC4016D67C3A464BE90099C9D28FFE7C9E6EE3A18F257EFC58CBD7
SHA-512:	49B8DAF1F5BA868BC8C6B224C787A75025CA36513EF8633D1D8F34E48EE0B578F466FCC104A7BED553404DDC5F9FAFF3FEF5F894B31CD57F32245E550FAD656A
Malicious:	false
Reputation:	low
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:33:00 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9724792862927085
Encrypted:	false
SSDEEP:	48:8rdCTOCkH9idAKZdA19ehwiZUklqehRdy+3:8Yfiwdy
MD5:	9F805E3E277F310204328A1929A25936
SHA1:	E6CAE54D1AB4C32CB872604560D8076C55ACBA34
SHA-256:	DAF9D938936FB035D2C87933706F917286DE46DF1464328BE3B899E29305A944
SHA-512:	ED1053828D0447D83C6641F3829D8E49D370F3480B9BB84357E7515DE72D4255A8669C576477CD1FFD8C5D8A08ABE16108B194B4C3F3BFE5D09AF7CF0C2954CE
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....gN-.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IfW.\|....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.\|....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.\|....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.\|..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW \|...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:33:00 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.987601301260794
Encrypted:	false
SSDEEP:	48:82+dCTOCkH9idAKZdA1weh/iZUkAQkqehgdy+2:8Kf49Q/dy
MD5:	11F246667C81769E162445F2B620EA51
SHA1:	9A4C85B86093619C81DCBCBD96DF4F1FE4643AA6
SHA-256:	B48C1E1C5A7FBDD98E6001695A05601BF15245C9C1AF2E83C3424C825DD8E80A
SHA-512:	BB1387959C06B07AB4E829733E61A5A814AD15CC9FE5D0BE130647C8D625FD1811505C25FA5411D84AE03CEBF2CAC3D1B439F6690410887D6CA3B02A79410D52
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......".....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IfW.\|....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.\|....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.\|....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.\|..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW \|...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.001613718822973
Encrypted:	false
SSDEEP:	48:8xbdCTOCsH9idAKZdA14tseh7sFiZUkmgqeh7sGdy+BX:8xofYncdy
MD5:	0D4C101F4056C83B65C0C2AC5F6BB598
SHA1:	912900CDF50BC36B422A6C6096489D834F406550
SHA-256:	EBD523BB66301658320AD886BE62B6FBBB05E9002FF071DDCD8AC777A7BC58E4
SHA-512:	0E6AAB5BDF71F3A0EC3662DBE229BBE27F6F7B26A202FBA98526CDC1A895F70D1391304EEC50CC08B84337B3EB13B3D1C902D0EEC4BCA7A931FAE91606487155
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IfW.\|....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.\|....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.\|....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.\|..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:33:00 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.986182374810641
Encrypted:	false
SSDEEP:	48:86dCTOCkH9idAKZdA1vehDiZUkwqehEdy+R:8/fjudy
MD5:	E5BD8B5B5515972DCDE57CA99757303C
SHA1:	07FAAC1ADDC4654B2A7E476A7C14A3D3AF14974E
SHA-256:	4AC1B4CE7199C14D50EFC5629FD24E327B62D174738FB1EC35E6EFA68BE80616
SHA-512:	E1EB0455B3A09B89810AA3D341C341EBA7B789A62A4FF4B37F28F0AB00220FFF3EE6CF3D4D8DE0FE8E292E0D147C88A7A2BF0B3ECBF3AC64990DAA78F49A76F9
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....-......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IfW.\|....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.\|....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.\|....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.\|..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW \|...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:33:00 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.976836652693017
Encrypted:	false
SSDEEP:	48:8DdCTOCkH9idAKZdA1hehBiZUk1W1qehCdy+C:8Afz9idy
MD5:	26A15B9C1D21B90DA0349CC89ED8E3C1
SHA1:	394D5368BA775EABC19D687E8D633AC55136DD60
SHA-256:	591F83B66C44948D3C21E589CFDD384F2F91AC6741535C388A0E05F1A3D1F7D6
SHA-512:	C7C950D8D810D52B7261E84656DD516D33DC537C07898DED6EE05419C20817BFF09985AD3CF1741C95B19E8C7FF955637FC7F9B557A202CA13A32CB94232EB32
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......(.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IfW.\|....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.\|....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.\|....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.\|..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW \|...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 6 14:32:59 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.986599496985718
Encrypted:	false
SSDEEP:	48:8fdCTOCkH9idAKZdA1duT+ehOuTbbiZUk5OjqehOuTbcdy+yT+:88fjT/TbxWOvTbcdy7T
MD5:	258B81A4D02016DAD13691FDB2A001D1
SHA1:	B69933077EB4C577A8E0008259D6D258687C9A01
SHA-256:	64BDC666E16EF26309F5C2650BA4B7111C364BB661C8424C0905D18DE13A0583
SHA-512:	5C7E4C4749B03A0B2DD24EF5A57A4CB81F61CC312B854B716913F3C43E676E338671965AECF150E45AA1D67F37716E9D6E69E140BE98B8D34302131A89502D94
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....k.......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IfW.\|....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfW.\|....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfW.\|....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfW.\|..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfW \|...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............U.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\67bb63cc-8031-4013-b963-2b84586b17ef.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	2.7374910194847146
Encrypted:	false
SSDEEP:	3:CUnl/7yltxlHh/:/+/
MD5:	07FFF40B5DD495ACA2AC4E1C3FBC60AA
SHA1:	E8AC224BA9EE97E87670ED6F3A2F0128B7AF9FE4
SHA-256:	A065920DF8CC4016D67C3A464BE90099C9D28FFE7C9E6EE3A18F257EFC58CBD7
SHA-512:	49B8DAF1F5BA868BC8C6B224C787A75025CA36513EF8633D1D8F34E48EE0B578F466FCC104A7BED553404DDC5F9FAFF3FEF5F894B31CD57F32245E550FAD656A
Malicious:	false
Reputation:	low
Preview:	GIF89a.............!.......,...........D..;

C:\Windows\debug\WIA\wiatrace.log

Download File

Process:	C:\Windows\SysWOW64\mspaint.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1526
Entropy (8bit):	5.289921874770815
Encrypted:	false
SSDEEP:	24:0ubZWF02k9YXCNWF0qOT0WF0kuqaWF0w3OvWF0HXd/bXE344/Xd/Tz4lgNYxeeTq:0ulWSmXgWS/T0WSkuTWSw3GWS3RzE34g
MD5:	C6EF66FF35A38303A2B0FD1EB87FBE0E
SHA1:	30B1D3CAF9C2FD2EE06AB66B89FB98C0D2D5E4A0
SHA-256:	730D76AB2B20BA580E215F176CE4D06C4DDF997F145D2E659E199908032D98E3
SHA-512:	CCB9F5C6A97F072C27D437AF886AAA5C1E5CFA809AE1D1D19CAD043CA3F45D89FF68490F6C76BF7C0520BD6D0A65137C7CD0B794F76CE2826F98776E9B2A6B3F
Malicious:	false
Reputation:	low
Preview:	..************** Started trace for Module: [sti.dll] in Executable [mspaint.exe] ProcessID: [6252] at 2023/11/06 16:34:17:642 **************..WIA: 6252.5136 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, AsyncRPC Connection established to server..WIA: 6252.5136 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, Got my context 03166030 from server...WIA: 6252.5136 16 0 0 [sti.dll] WiaEventReceiver::Start, WiaEventReceiver Started.....WIA: 6252.3528 16 0 0 [sti.dll] AsyncRPCEventTransport::CloseNotificationChannel, Closing the async notification channel.....WIA: 6252.3528 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenNotificationChannel, Opening the async notification channel.....WIA: 6252.5136 16 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregister information...WIA: 6252.5136 16 0 0 [sti.dll] WiaEventReceiver::SendRegisterUnregisterInfo, Added new registration:..WIA: 6252.5136 16 0 0 [sti.dll] EventRegistratio

Chrome Cache Entry: 60

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	2.7374910194847146
Encrypted:	false
SSDEEP:	3:CUnl/7yltxlHh/:/+/
MD5:	07FFF40B5DD495ACA2AC4E1C3FBC60AA
SHA1:	E8AC224BA9EE97E87670ED6F3A2F0128B7AF9FE4
SHA-256:	A065920DF8CC4016D67C3A464BE90099C9D28FFE7C9E6EE3A18F257EFC58CBD7
SHA-512:	49B8DAF1F5BA868BC8C6B224C787A75025CA36513EF8633D1D8F34E48EE0B578F466FCC104A7BED553404DDC5F9FAFF3FEF5F894B31CD57F32245E550FAD656A
Malicious:	false
Reputation:	low
URL:	https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097
Preview:	GIF89a.............!.......,...........D..;

Total Packets: 133
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2023 16:32:54.525099039 CET	49673	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:32:54.869035959 CET	49674	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:32:54.869137049 CET	49675	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:32:59.285619974 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.285650015 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.285706043 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.286035061 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.286047935 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.286624908 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.286664009 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.286715984 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.286900997 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.286909103 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.621937037 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.622220039 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.622240067 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.622765064 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.622831106 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.623408079 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.623577118 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.623610973 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.623673916 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.623730898 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.624412060 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.624480009 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.624974966 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.625027895 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.625333071 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.625341892 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.625436068 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.625488043 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.625571012 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.625579119 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.704581022 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.833302021 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.833487034 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.943080902 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.943206072 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.943243027 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.943435907 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.943504095 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.944328070 CET	49706	443	192.168.2.5	142.251.33.77
Nov 6, 2023 16:32:59.944344997 CET	443	49706	142.251.33.77	192.168.2.5
Nov 6, 2023 16:32:59.946026087 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.946449995 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:32:59.946508884 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.949434996 CET	49705	443	192.168.2.5	142.250.217.78
Nov 6, 2023 16:32:59.949459076 CET	443	49705	142.250.217.78	192.168.2.5
Nov 6, 2023 16:33:00.369944096 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:00.370049000 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:00.370137930 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:00.374828100 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:00.374902010 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:00.374974012 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:00.375340939 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:00.375372887 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:00.375583887 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:00.375622034 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.111306906 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.111671925 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.114226103 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.114263058 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.114322901 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.114366055 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.114722967 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.114774942 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.114809036 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.114850044 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.115315914 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.115365028 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.115786076 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.115840912 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.118892908 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.119134903 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.120170116 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.120186090 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.120523930 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.120625973 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.162831068 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.162882090 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.174510956 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.205759048 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.695560932 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.695735931 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:01.695815086 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.696965933 CET	49710	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:01.696990013 CET	443	49710	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:02.521528959 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:02.521564960 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:02.521651983 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:02.522042990 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:02.522062063 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:02.845937967 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:02.846328974 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:02.846338034 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:02.847979069 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:02.848048925 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:02.849586010 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:02.849669933 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:02.892819881 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:02.892833948 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:02.939706087 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:03.939553022 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:03.939635992 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:03.939748049 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:03.950526953 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:03.950563908 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.127353907 CET	49673	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:33:04.272969961 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.273097992 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.275145054 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.275171041 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.275613070 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.314786911 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.341775894 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.385339022 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.576210022 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.576277971 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.576450109 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.576524019 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.576565027 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.576592922 CET	49714	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.576608896 CET	443	49714	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.624761105 CET	49715	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.624850035 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.624963045 CET	49715	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.625355959 CET	49715	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.625392914 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.940001011 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.940196037 CET	49715	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.941881895 CET	49715	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.941911936 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.942286015 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:04.943825006 CET	49715	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:04.985295057 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:05.245286942 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:05.245485067 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:05.245685101 CET	49715	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:05.246831894 CET	49715	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:05.246831894 CET	49715	443	192.168.2.5	104.117.234.93
Nov 6, 2023 16:33:05.246875048 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:05.246902943 CET	443	49715	104.117.234.93	192.168.2.5
Nov 6, 2023 16:33:05.668988943 CET	443	49703	23.1.237.91	192.168.2.5
Nov 6, 2023 16:33:05.669230938 CET	49703	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:33:12.847832918 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:12.848006010 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:12.848090887 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:13.305135012 CET	49713	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:33:13.305181980 CET	443	49713	142.250.217.100	192.168.2.5
Nov 6, 2023 16:33:14.626410961 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:14.626437902 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:14.626554012 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:14.629115105 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:14.629127026 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:15.291143894 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:15.291374922 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:15.293409109 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:15.293420076 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:15.293817997 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:15.336759090 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:15.934462070 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:15.969645977 CET	49703	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:33:15.969645977 CET	49703	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:33:15.969942093 CET	49721	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:33:15.970026970 CET	443	49721	23.1.237.91	192.168.2.5
Nov 6, 2023 16:33:15.970134020 CET	49721	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:33:15.970487118 CET	49721	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:33:15.970523119 CET	443	49721	23.1.237.91	192.168.2.5
Nov 6, 2023 16:33:15.977283001 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.151407003 CET	443	49703	23.1.237.91	192.168.2.5
Nov 6, 2023 16:33:16.151443958 CET	443	49703	23.1.237.91	192.168.2.5
Nov 6, 2023 16:33:16.357287884 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.357364893 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.357386112 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.357425928 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.357462883 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:16.357491970 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.357503891 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.357517004 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:16.357517004 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:16.357534885 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:16.357556105 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:16.357721090 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.357795954 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:16.357803106 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.357899904 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.357959986 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:16.392937899 CET	443	49721	23.1.237.91	192.168.2.5
Nov 6, 2023 16:33:16.393043041 CET	49721	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:33:16.747576952 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:16.747637033 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:16.747658014 CET	49716	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:16.747665882 CET	443	49716	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:35.616620064 CET	443	49721	23.1.237.91	192.168.2.5
Nov 6, 2023 16:33:35.616837978 CET	49721	443	192.168.2.5	23.1.237.91
Nov 6, 2023 16:33:46.174587011 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:46.174611092 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:53.200798988 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:53.200881004 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:53.201008081 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:53.201711893 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:53.201745033 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:53.837810993 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:53.837922096 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:53.845033884 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:53.845062017 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:53.845366955 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:53.878388882 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:53.921267986 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466152906 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466218948 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466270924 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466284990 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466325045 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:54.466388941 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466429949 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466444969 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:54.466445923 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:54.466471910 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466509104 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466511965 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:54.466531038 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:54.466551065 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466599941 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:54.466639996 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466767073 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.466816902 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:54.474421024 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:54.474464893 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:54.474492073 CET	49724	443	192.168.2.5	13.85.23.86
Nov 6, 2023 16:33:54.474513054 CET	443	49724	13.85.23.86	192.168.2.5
Nov 6, 2023 16:33:55.851133108 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:55.851353884 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:33:55.851449013 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:57.304256916 CET	49709	443	192.168.2.5	3.213.228.121
Nov 6, 2023 16:33:57.304325104 CET	443	49709	3.213.228.121	192.168.2.5
Nov 6, 2023 16:34:02.425543070 CET	49726	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:34:02.425581932 CET	443	49726	142.250.217.100	192.168.2.5
Nov 6, 2023 16:34:02.425668001 CET	49726	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:34:02.425990105 CET	49726	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:34:02.426007986 CET	443	49726	142.250.217.100	192.168.2.5
Nov 6, 2023 16:34:02.743915081 CET	443	49726	142.250.217.100	192.168.2.5
Nov 6, 2023 16:34:02.744676113 CET	49726	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:34:02.744692087 CET	443	49726	142.250.217.100	192.168.2.5
Nov 6, 2023 16:34:02.745162010 CET	443	49726	142.250.217.100	192.168.2.5
Nov 6, 2023 16:34:02.745560884 CET	49726	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:34:02.745646000 CET	443	49726	142.250.217.100	192.168.2.5
Nov 6, 2023 16:34:02.790581942 CET	49726	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:34:12.731983900 CET	443	49726	142.250.217.100	192.168.2.5
Nov 6, 2023 16:34:12.732053995 CET	443	49726	142.250.217.100	192.168.2.5
Nov 6, 2023 16:34:12.732193947 CET	49726	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:34:13.305903912 CET	49726	443	192.168.2.5	142.250.217.100
Nov 6, 2023 16:34:13.305934906 CET	443	49726	142.250.217.100	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2023 16:32:59.132421970 CET	53873	53	192.168.2.5	1.1.1.1
Nov 6, 2023 16:32:59.132610083 CET	61482	53	192.168.2.5	1.1.1.1
Nov 6, 2023 16:32:59.133008003 CET	55406	53	192.168.2.5	1.1.1.1
Nov 6, 2023 16:32:59.133167028 CET	49944	53	192.168.2.5	1.1.1.1
Nov 6, 2023 16:32:59.272778988 CET	53	52120	1.1.1.1	192.168.2.5
Nov 6, 2023 16:32:59.284965038 CET	53	53873	1.1.1.1	192.168.2.5
Nov 6, 2023 16:32:59.285207987 CET	53	61482	1.1.1.1	192.168.2.5
Nov 6, 2023 16:32:59.285767078 CET	53	49944	1.1.1.1	192.168.2.5
Nov 6, 2023 16:32:59.286083937 CET	53	55406	1.1.1.1	192.168.2.5
Nov 6, 2023 16:33:00.037343025 CET	64384	53	192.168.2.5	1.1.1.1
Nov 6, 2023 16:33:00.037602901 CET	58093	53	192.168.2.5	1.1.1.1
Nov 6, 2023 16:33:00.193545103 CET	53	60423	1.1.1.1	192.168.2.5
Nov 6, 2023 16:33:00.368522882 CET	53	58093	1.1.1.1	192.168.2.5
Nov 6, 2023 16:33:00.368767977 CET	53	64384	1.1.1.1	192.168.2.5
Nov 6, 2023 16:33:02.365782976 CET	52022	53	192.168.2.5	1.1.1.1
Nov 6, 2023 16:33:02.366236925 CET	56836	53	192.168.2.5	1.1.1.1
Nov 6, 2023 16:33:02.519093990 CET	53	52022	1.1.1.1	192.168.2.5
Nov 6, 2023 16:33:02.519126892 CET	53	56836	1.1.1.1	192.168.2.5
Nov 6, 2023 16:33:17.156631947 CET	53	61983	1.1.1.1	192.168.2.5
Nov 6, 2023 16:33:36.228589058 CET	53	63916	1.1.1.1	192.168.2.5
Nov 6, 2023 16:33:58.438481092 CET	53	54790	1.1.1.1	192.168.2.5
Nov 6, 2023 16:33:58.930387020 CET	53	60254	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 6, 2023 16:32:59.132421970 CET	192.168.2.5	1.1.1.1	0xe78a	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:32:59.132610083 CET	192.168.2.5	1.1.1.1	0x2ba3	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Nov 6, 2023 16:32:59.133008003 CET	192.168.2.5	1.1.1.1	0xf374	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:32:59.133167028 CET	192.168.2.5	1.1.1.1	0x6385	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Nov 6, 2023 16:33:00.037343025 CET	192.168.2.5	1.1.1.1	0xe3f9	Standard query (0)	guru.phishing.guru	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:00.037602901 CET	192.168.2.5	1.1.1.1	0xf727	Standard query (0)	guru.phishing.guru	65	IN (0x0001)	false
Nov 6, 2023 16:33:02.365782976 CET	192.168.2.5	1.1.1.1	0xd33e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:02.366236925 CET	192.168.2.5	1.1.1.1	0x756f	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 6, 2023 16:32:59.284965038 CET	1.1.1.1	192.168.2.5	0xe78a	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:32:59.284965038 CET	1.1.1.1	192.168.2.5	0xe78a	No error (0)	clients.l.google.com		142.250.217.78	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:32:59.285207987 CET	1.1.1.1	192.168.2.5	0x2ba3	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:32:59.286083937 CET	1.1.1.1	192.168.2.5	0xf374	No error (0)	accounts.google.com		142.251.33.77	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:00.368522882 CET	1.1.1.1	192.168.2.5	0xf727	No error (0)	guru.phishing.guru	landing.training.knowbe4.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:33:00.368767977 CET	1.1.1.1	192.168.2.5	0xe3f9	No error (0)	guru.phishing.guru	landing.training.knowbe4.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 6, 2023 16:33:00.368767977 CET	1.1.1.1	192.168.2.5	0xe3f9	No error (0)	landing.training.knowbe4.com		3.213.228.121	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:00.368767977 CET	1.1.1.1	192.168.2.5	0xe3f9	No error (0)	landing.training.knowbe4.com		3.219.5.118	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:00.368767977 CET	1.1.1.1	192.168.2.5	0xe3f9	No error (0)	landing.training.knowbe4.com		18.205.199.40	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:00.368767977 CET	1.1.1.1	192.168.2.5	0xe3f9	No error (0)	landing.training.knowbe4.com		34.192.110.118	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:00.368767977 CET	1.1.1.1	192.168.2.5	0xe3f9	No error (0)	landing.training.knowbe4.com		34.233.78.82	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:00.368767977 CET	1.1.1.1	192.168.2.5	0xe3f9	No error (0)	landing.training.knowbe4.com		44.217.91.195	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:02.519093990 CET	1.1.1.1	192.168.2.5	0xd33e	No error (0)	www.google.com		142.250.217.100	A (IP address)	IN (0x0001)	false
Nov 6, 2023 16:33:02.519126892 CET	1.1.1.1	192.168.2.5	0x756f	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

clients2.google.com

accounts.google.com

guru.phishing.guru

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49705	142.250.217.78	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:32:59 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.132 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49706	142.251.33.77	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:32:59 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
2023-11-06 15:32:59 UTC	1	OUT	Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	142.251.33.77	443	192.168.2.5	49706	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:32:59 UTC	1	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 06 Nov 2023 15:32:59 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-w0bJlhCWGKTrZ1LGt637kA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-11-06 15:32:59 UTC	2	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-11-06 15:32:59 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	142.250.217.78	443	192.168.2.5	49705	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:32:59 UTC	3	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-PG_NaA46UdPny4YvzK68YA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 06 Nov 2023 15:32:59 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6153 X-Daystart: 27179 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-11-06 15:32:59 UTC	3	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 31 35 33 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 37 31 37 39 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6153" elapsed_seconds="27179"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-11-06 15:32:59 UTC	4	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-11-06 15:32:59 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49710	3.213.228.121	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:33:01 UTC	4	OUT	GET /XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097 HTTP/1.1 Host: guru.phishing.guru Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	3.213.228.121	443	192.168.2.5	49710	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:33:01 UTC	5	IN	HTTP/1.1 200 OK Date: Mon, 06 Nov 2023 15:33:01 GMT Content-Type: image/gif Content-Length: 43 Connection: close X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer-when-downgrade Content-Disposition: attachment Content-Transfer-Encoding: binary Cache-Control: private ETag: W/"a065920df8cc4016d67c3a464be90099" Content-Security-Policy: X-Request-Id: 9f3181bf-2f35-4d1c-8e89-66a059d8054a X-Runtime: 0.076313 Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
2023-11-06 15:33:01 UTC	6	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 f0 00 00 00 00 00 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b Data Ascii: GIF89a!,D;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49714	104.117.234.93	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:33:04 UTC	6	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-11-06 15:33:04 UTC	6	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (sac/2518) X-CID: 11 Cache-Control: public, max-age=70137 Date: Mon, 06 Nov 2023 15:33:04 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49715	104.117.234.93	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:33:04 UTC	6	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2023-11-06 15:33:05 UTC	6	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0MNkrYwAAAADiUL7L3dxqSIABzBrl++yWQ082QUEzMTUwODEwMDIxAGNlZmMyNTgzLWE5YjItNDRhNy05NzU1LWI3NmQxN2UwNWY3Zg== Cache-Control: public, max-age=70130 Date: Mon, 06 Nov 2023 15:33:05 GMT Content-Length: 55 Connection: close X-CID: 2
2023-11-06 15:33:05 UTC	7	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49716	13.85.23.86	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:33:15 UTC	7	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UCtVR9eSnzDyvXa&MD=oyD6ctd6 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-06 15:33:16 UTC	7	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: aa33c18a-1993-463e-b258-7c4c35191b08 MS-RequestId: 15095fa5-1cd5-4e19-98c7-53396a12bfe0 MS-CV: oibjgwYHYkatWbUu.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 06 Nov 2023 15:33:15 GMT Connection: close Content-Length: 24490
2023-11-06 15:33:16 UTC	8	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2023-11-06 15:33:16 UTC	23	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49724	13.85.23.86	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-06 15:33:53 UTC	32	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UCtVR9eSnzDyvXa&MD=oyD6ctd6 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2023-11-06 15:33:54 UTC	32	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 5dd7e511-b734-46f4-93f4-8c4c075e53e5 MS-RequestId: 5a105189-9afe-4456-9039-88c180439828 MS-CV: 3I6AM306QEiCg5dm.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 06 Nov 2023 15:33:53 GMT Connection: close Content-Length: 25457
2023-11-06 15:33:54 UTC	33	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2023-11-06 15:33:54 UTC	48	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe
• mspaint.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe
• mspaint.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	16:32:54
Start date:	06/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	16:32:56
Start date:	06/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1968,i,4919454228787201024,11240303552009847159,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	16:32:58
Start date:	06/11/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "https://guru.phishing.guru/XZWxoU1RVZFpjMVJTV1dsWU5UbE9UR2xFVlhSNFdWaDRPU3RhUVhneE9HNVJja0l3ZVRaTlRFOUpVVnB4YnpkaFRUbHFjVWhZUVcxMFFURmpjMGhvWlVGSU5EVTNNWE0wZGtob2RrNWpWVlJQTUcxSVlUZHdUbUZtVGk5TlVubzRka1kwZEVSYVNETmpVVVZUUTJaalRVdGpOVFJMTUhwdWRsWjZkRUpQU1drdExVcFBVbWhPVjNaWVRqWkthRlJvU1dOaFdtZHNOR2M5UFE9PS0tNjAyNzNhNGY4Yzg4YmNkOTgzZjFiYjA2ZmJiZDNhZWY3MjI4Mjc3Nw==?cid=1784722097
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:34:15
Start date:	06/11/2023
Path:	C:\Windows\SysWOW64\mspaint.exe
Wow64 process (32bit):	true
Commandline:	mspaint.exe "C:\Users\user\Desktop\"
Imagebase:	0x450000
File size:	743'424 bytes
MD5 hash:	986A191E95952C9E3FE6BE112FB92026
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\67bb63cc-8031-4013-b963-2b84586b17ef.tmp

C:\Windows\debug\WIA\wiatrace.log

Chrome Cache Entry: 60

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: chrome.exePID: 3876, Parent PID: 5704

General