Create Interactive Tour

Windows Analysis Report
http://midgard.antifa.se

Overview

General Information

Sample URL:	http://midgard.antifa.se
Analysis ID:	1356061

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Creates files inside the system directory

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6084 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://midgard.antifa.se/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5552 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1996,i,3119294269847868779,6221632383226048611,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: GET / HTTP/1.1Host: midgard.antifa.seConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: midgard.antifa.se

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49739 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_6084_1880732038

Source: classification engine

Classification label: clean1.win@15/27@12/110

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://midgard.antifa.se/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1996,i,3119294269847868779,6221632383226048611,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1996,i,3119294269847868779,6221632383226048611,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://midgard.antifa.se	0%	Avira URL Cloud	safe
http://midgard.antifa.se	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
midgard.antifa.se	0%	Virustotal		Browse
antifa.se	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://midgard.antifa.se/	0%	Avira URL Cloud	safe
https://midgard.antifa.se/	0%	Virustotal		Browse
http://midgard.antifa.se/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
accounts.google.com	172.217.2.205	true	false		high
www.google.com	172.217.2.196	true	false		high
antifa.se	135.181.131.152	true	false	0%, Virustotal, Browse	unknown
clients.l.google.com	192.178.50.46	true	false		high
clients1.google.com	unknown	unknown	false		high
midgard.antifa.se	unknown	unknown	false	0%, Virustotal, Browse	unknown
clients2.google.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://midgard.antifa.se/	false	0%, Virustotal, Browse	unknown
http://midgard.antifa.se/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
135.181.131.152	antifa.se	Germany	24940	HETZNER-ASDE	false
142.250.64.131	unknown	United States	15169	GOOGLEUS	false
142.250.64.142	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
192.178.50.46	clients.l.google.com	United States	15169	GOOGLEUS	false
192.178.50.35	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.2.196	www.google.com	United States	15169	GOOGLEUS	false
172.217.2.205	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17
192.168.2.16

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1356061
Start date and time:	2023-12-08 10:02:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://midgard.antifa.se
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@15/27@12/110

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 142.250.64.131, 34.104.35.123, 192.229.211.108
Excluded domains from analysis (whitelisted): ocsp.digicert.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 8 08:02:51 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.984518153978166
Encrypted:	false
SSDEEP:
MD5:	5DC4224D84273FC02EB38852882B1CC2
SHA1:	7F04367B9589C61A9A5C34D5E5EA9E0F1F022CF8
SHA-256:	C6879DA1B9BAA6D4F57909526760F7249FBFE8D628F1A1E1AE49B342183C8264
SHA-512:	175119690BFEA47DEEF493A33B4015FF2DF468A081D347E05C221FAD7DF5EE9B4D68C3B7AD5B5770047CEDD297A3CDE6A25836F2FE98566DEB638C930C3F498A
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......R.)..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.WPH....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WYH....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.WYH....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.WYH..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.WZH...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........IE.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 8 08:02:51 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.999489208725035
Encrypted:	false
SSDEEP:
MD5:	52EC32870884703EFC364CE19A398C52
SHA1:	D37ED727F1FC358008EE5E8B1291E34E4D09B443
SHA-256:	C1B23ABAC014760F30F18C0010334C155DCDF057EEE02479CA707BDD75CE5C99
SHA-512:	776DE6FF7034C9E7A47610285FED14237559B898574956FC2A1AD19A9BE738FC1594220CBA4FD66E20BC433A20A62DDFAA97D078B866E2133C76CEE5423E528D
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......R.)..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.WPH....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WYH....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.WYH....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.WYH..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.WZH...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........IE.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.006364491717296
Encrypted:	false
SSDEEP:
MD5:	47EF71BC1921FFA87EE29A7098383325
SHA1:	51D19049E58EFD025FE38130E38257843053F72E
SHA-256:	EE7FFC50BA5984DDD96D332AE599B95F3E09A4F3258D92C7F556EC8FE32B33AD
SHA-512:	437813CA7F5C059F8D213A171329134EF2E33F550C3B8E8E6AC408531D922BD6C09EF9F7AFD5D3817C789E2D2AC4AA78B75ED2278AF81BB70B2C02CF4DE36518
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.WPH....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WYH....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.WYH....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.WYH..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........IE.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 8 08:02:51 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9971071255552624
Encrypted:	false
SSDEEP:
MD5:	1CF608FDC494CDD3CA030F03C279528B
SHA1:	E55CB5343C57C0A1BEA88B3DB2FDF5D41533FB6A
SHA-256:	2528A0A92B451144A7835B59B4E2404661797A01C9F04ECD1098CD57E9AC7ABC
SHA-512:	2CB2588383C2E6030DF17AD21DB2B3CA80D76500C86A44DF4F478BDD53323FE85FD7C645C2E444BE3824F4ECFFBDC46CD23EB7143B870FF166C1C1FEF72B8F06
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....S.R.)..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.WPH....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WYH....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.WYH....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.WYH..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.WZH...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........IE.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 8 08:02:51 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9877036573999125
Encrypted:	false
SSDEEP:
MD5:	A586963F3B55BCC9BAAC5E596C50F915
SHA1:	F05FE664A367468732A7D91CCE96FFB763A8BB8E
SHA-256:	B3AB62E5D14A2966EFFBFD1A495D986A5A06F26F938C5857CE767ABF32EF004E
SHA-512:	18E306442F386CF9F3B58FDD320F23A23BD4CD7E0CE81702747505E487EE2E6788AEBC346921DD718A9E7C403A8018D380B6DCA1697267E47942E0A9324428ED
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......R.)..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.WPH....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WYH....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.WYH....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.WYH..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.WZH...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........IE.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 8 08:02:51 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9966734924762375
Encrypted:	false
SSDEEP:
MD5:	6BF4B6BB2716E862CD235C9D025BA5F2
SHA1:	B2C63682A5B1F9AC87148EF6F9C1DE6DBF879A5F
SHA-256:	A24072BE238D0F874CD33806B69676A3EF60DC94F4354461EA5E297A7C172C97
SHA-512:	1076677D740D1E435A5FD5A39602BFFF44A552F85AD1F59F0DAEED79021CC74C46ADD1E4822304FEDACE03DE2CCB21B3165582B7CAE09CE0A9920FED935166D9
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....+.R.)..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.WPH....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WYH....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.WYH....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.WYH..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.WZH...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........IE.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 74

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 146060, version 1.0
Category:	downloaded
Size (bytes):	146060
Entropy (8bit):	7.9980589482070545
Encrypted:	true
SSDEEP:
MD5:	B782B01AFC9646C7259701B07E2A71D0
SHA1:	B86A6F0BF3FB4777160165DFE37CA4E99B90216E
SHA-256:	AA8042A77500CFE4A4893E2B7EDBD54DDED92768E40418FA0665BEC8AAE9AE18
SHA-512:	5F727D90952C324DFB9447C4EF702166844E456C614934BC266BE072ED8CA681F8246CBC98B653FA45C6579BDAD24DFAAD04EBE8300F34774ED137254D208FE3
Malicious:	false
Reputation:	low
URL:	https://midgard.antifa.se/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_normal_400.woff2
Preview:	wOF2......:...........:-.............................(..\|.`........d..A..`..6.$..\. ..j...j..[.......`.1.....9F....R...<...?.l..c.>....%.B..3..t.sF..............d!.lvm.JkK....Hh.r.o.r..T'.......G1.#...G%..........T...K..*..7.T..T.O..N.?...k.a...-v..p...i.].z..b.....^.V.v5.....W.......P..7.Y}k....2.WHU..5..A.qE...vq/{a..X....#....=/..&.\.m+.........K.w.j...c.n5..{yZa.Sgmk.NA1%.......Njk....Q.}...9x...t......[.......,.y...'....Z....Z..\.a..dl..4j...))._Jw.M...2)..H.Y.....4....E....U.j.o..Ix.Q.b(&.q...{.E.....K>.h].....j9L.{+.m...w..>.(...^).4..........&)IG...=.,..'....N1.if......d.....".zjT..;....l..........~..."p..1b...G.8.-.pO.K.o.T.mF........G.op..dk...H.{?..n..(..g..=..k.O....fV.0......~.....m\"..bg1....p.Z:n..h..f..l.z.}.F[....l....XJA...}%....9g...R..RJ...Pj......RR.H....s.9#5.QF.?s.3Rm..n:./.........d..K`2DMGY.....#^...ms...><....\|3.=.a.....Y."j.......i..Xh..n.p.m.M.>.Y...h..-;.Dd.ofW...A(<..BH.G..r....y.....a.Y.MLLLu?.._>\|$....s.I..d

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (20451)
Category:	downloaded
Size (bytes):	50401
Entropy (8bit):	5.194359797884941
Encrypted:	false
SSDEEP:
MD5:	2444A3A8622C15D1CE36A62EBCD0798F
SHA1:	86A196A3D5D6C9DECCC5FFF471DED674A426A449
SHA-256:	9D9ED76ABE49E4AD83F88631E5954DF142D1D737F6D52868E84BF8CB6023BFEA
SHA-512:	B6186146709B89025E90E48A034B430381BC30696EB3FD5F585F297A702DAF5DAEB4117646831CA25C507E3D403B6AF0630E909E53736642EBA5643103820FAF
Malicious:	false
Reputation:	low
URL:	https://midgard.antifa.se/
Preview:	<!DOCTYPE html>.<html lang="sv-SE">.<head>..<meta charset="UTF-8" />..<meta name="viewport" content="width=device-width, initial-scale=1" />.<meta name='robots' content='max-image-preview:large' />.<title>midgard.antifa.se – L.r k.nna din lokala nazist</title>.<link rel="alternate" type="application/rss+xml" title="midgard.antifa.se » Webbfl.de" href="https://midgard.antifa.se/feed/" />.<link rel="alternate" type="application/rss+xml" title="midgard.antifa.se » kommentarsfl.de" href="https://midgard.antifa.se/comments/feed/" />.<script>.window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/midgard.antifa.se\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.4.2"}};./! This file is auto-generated /.!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessi

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3586), with no line terminators
Category:	downloaded
Size (bytes):	3586
Entropy (8bit):	5.013802080340281
Encrypted:	false
SSDEEP:
MD5:	F13A5E9C3B948C72A8F92878F5D8CFC9
SHA1:	F8B8BB1CCD7736793B5A26330F5E791903D20089
SHA-256:	ECFC357AD95E64230925CFE8FC310394FE5C1B4385EB08354B8FEC69AF0D6966
SHA-512:	1F3B3508ABBD5FDA04BADDAFC5E26F527945597F85DFC571B1C1F7535F61FAFDB712AC22F4C00EECA64E8CD1FD048A24AB6B5244405AF36FD13EC433C77F90DA
Malicious:	false
Reputation:	low
URL:	https://midgard.antifa.se/wp-includes/blocks/navigation/view.min.js?ver=e3d6f3216904b5b42831
Preview:	"use strict";(self.__WordPressPrivateInteractivityAPI__=self.__WordPressPrivateInteractivityAPI__\|\|[]).push([[3],{932:function(e,n,o){var t=o(754);const a=["a[href]",'input:not([disabled]):not([type="hidden"]):not([aria-hidden])',"select:not([disabled]):not([aria-hidden])","textarea:not([disabled]):not([aria-hidden])","button:not([disabled]):not([aria-hidden])","[contenteditable]",'[tabindex]:not([tabindex^="-"])'];document.addEventListener("click",(()=>{}));const i=(e,n)=>{const{context:o,selectors:t}=e;t.core.navigation.menuOpenedBy(e)[n]=!0,"overlay"===o.core.navigation.type&&document.documentElement.classList.add("has-modal-open")},c=(e,n)=>{const{context:o,selectors:t}=e;t.core.navigation.menuOpenedBy(e)[n]=!1,t.core.navigation.isMenuOpen(e)\|\|(o.core.navigation.modal?.contains(window.document.activeElement)&&o.core.navigation.previousFocus?.focus(),o.core.navigation.modal=null,o.core.navigation.previousFocus=null,"overlay"===o.core.navigation.type&&document.documentElement.classLi

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (15718)
Category:	downloaded
Size (bytes):	18692
Entropy (8bit):	4.754375391922092
Encrypted:	false
SSDEEP:
MD5:	4CC444663C1E69CB8AC7B909E7192BCA
SHA1:	D00DDC5B9526193FA99BC3995A6D05F995452EA1
SHA-256:	4F79A89D16A5F717110FE080C0BF90B7E05FF95A4C4983F64D33110BF5F9C230
SHA-512:	AE37D08D11AA4337650CBEC0D0F1205A5505CB3E82373873E82CBA093019521CD2B93CFE2DBE4840CE098717287E1F732E9330C90063B122F1C6358664F1B8EE
Malicious:	false
Reputation:	low
URL:	https://midgard.antifa.se/wp-includes/js/wp-emoji-release.min.js?ver=6.4.2
Preview:	/! This file is auto-generated /.// Source: wp-includes/js/twemoji.min.js.var twemoji=function(){"use strict";var m={base:"https://twemoji.maxcdn.com/v/14.0.2/",ext:".png",size:"72x72",className:"emoji",convert:{fromCodePoint:function(d){d="string"==typeof d?parseInt(d,16):d;if(d<65536)return e(d);return e(55296+((d-=65536)>>10),56320+(1023&d))},toCodePoint:o},onerror:function(){this.parentNode&&this.parentNode.replaceChild(x(this.alt,!1),this)},parse:function(d,u){u&&"function"!=typeof u\|\|(u={callback:u});return m.doNotParse=u.doNotParse,("string"==typeof d?function(d,a){return n(d,function(d){var u,f,c=d,e=N(d),b=a.callback(e,a);if(e&&b){for(f in c="<img ".concat('class="',a.className,'" ','draggable="false" ','alt="',d,'"',' src="',b,'"'),u=a.attributes(d,e))u.hasOwnProperty(f)&&0!==f.indexOf("on")&&-1===c.indexOf(" "+f+"=")&&(c=c.concat(" ",f,'="',u[f].replace(t,r),'"'));c=c.concat("/>")}return c})}:function(d,u){var f,c,e,b,a,t,r,n,o,i,s,l=function d(u,f){var c,e,b=u.childNodes,

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (16534), with no line terminators
Category:	downloaded
Size (bytes):	16534
Entropy (8bit):	4.710387177481971
Encrypted:	false
SSDEEP:
MD5:	2AE7FD3571E46CC052E105900FC6CF08
SHA1:	F9C40CA81ED324DF5B822B508F0AAF5AC067FD20
SHA-256:	38B1136CF93F9CB1DC433FD40347FED72EBCE9522A55393F95FEAE15A8268233
SHA-512:	9C99A883D3DEE3E0DAE96933A273E823A53000F9D9B7D74DF4A649533A6F81306615C192945249E24DC7451EFD5B0FBFF2D865710016AB9F78F675ACB4C89895
Malicious:	false
Reputation:	low
URL:	https://midgard.antifa.se/wp-includes/blocks/navigation/style.min.css?ver=6.4.2
Preview:	.wp-block-navigation{--navigation-layout-justification-setting:flex-start;--navigation-layout-direction:row;--navigation-layout-wrap:wrap;--navigation-layout-justify:flex-start;--navigation-layout-align:center;position:relative}.wp-block-navigation ul{margin-bottom:0;margin-left:0;margin-top:0;padding-left:0}.wp-block-navigation ul,.wp-block-navigation ul li{list-style:none;padding:0}.wp-block-navigation .wp-block-navigation-item{align-items:center;background-color:inherit;display:flex;position:relative}.wp-block-navigation .wp-block-navigation-item .wp-block-navigation__submenu-container:empty{display:none}.wp-block-navigation .wp-block-navigation-item__content{display:block}.wp-block-navigation .wp-block-navigation-item__content.wp-block-navigation-item__content{color:inherit}.wp-block-navigation.has-text-decoration-underline .wp-block-navigation-item__content,.wp-block-navigation.has-text-decoration-underline .wp-block-navigation-item__content:active,.wp-block-navigation.has-text-de

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 326628, version 1.0
Category:	downloaded
Size (bytes):	326628
Entropy (8bit):	7.999033732376951
Encrypted:	true
SSDEEP:
MD5:	9C9CFF93A0D5A209225C1BAE18D80A9D
SHA1:	40546DBFD5C467C3257D8F3A4AD8AF0D9995AEB6
SHA-256:	E931823FFD0B6CFD1624E3A7C1C49861ED3420297862E727F07E04C8BE1CC89B
SHA-512:	6D60EBA8B9AE8B8B85AC93D4DA1F3ECAC3D8472E9821F9A580EDE27ED778B5AA590A5083CCB960602CC2B9D345FA17ED67355CAC4A1D07427B1B4330A63ABFF1
Malicious:	false
Reputation:	low
URL:	"https://midgard.antifa.se/wp-content/themes/twentytwentyfour/assets/fonts/inter/Inter-VariableFont_slnt,wght.woff2"
Preview:	wOF2..............K....n..........................[...0...x?HVAR.?.`?STAT.F..../.............P.0....6.$..J. ..~......[....B..K......_G.^.8.!.....#.;;o."4.=.....m.IJz.+.j'n..!."..'jk...9et.5l8U......Id...............^..O..f..?..n..9n.A.9.B ...S.C...PE..Z[.....+....d...J..2.l.O.C!M..D.>U.U.kR...z.Yo.a..."...,.v.^_u.-.1..E.+.Wkk....8...-.m..Rd..Z~..d..3.....C..nu.V..B......T!6.}..V (.9l.P.Y.....a..q.S!'.?gb......?...zu.......6w.....Pa'.f...\...&_c..g.R..f....%\.7.V.1..UA.T{.....\|c........y......yA..0}a..c33g;Nd..*.......M...8a...Hpoo..<.n1t(.&.w..D..n1...P...'9....\|.l._`..`$.JI.f...)....{....=...[#.~.....I.q.{.B...^._...k....Q.^I.'....5.....^.;e.14c_..2>}..E".nRG3.I,}2.ii.a,.K....4.,a......>......YG.M.c.i...a.......J.?r]X....u..;m.....k......:q[{.o....Ib..L....7.4..\.C).pC&...F...5.)s......6.0.!?......K.....I.,...M.C.......Y....@..U9.RU.R.Q...b.W.v......M.~.%....._!..(S..O.Su..^.N`.....N....,s...!...(o,....YJ..?.....1o.o../l.!... .A.m2{H.

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32246)
Category:	downloaded
Size (bytes):	32281
Entropy (8bit):	5.26513249539309
Encrypted:	false
SSDEEP:
MD5:	39756A31C539260197A02334DFCD0B15
SHA1:	DB436B9522831AAF15E60A0B8D39B74FD7B555C9
SHA-256:	8DEBF919F9D44BA37FA60607809C029F16307D1B27D5472ECCB2234563D713BC
SHA-512:	0583785DD3722A7AF497F0854971FDA72B79939DBBD6D01387CC93BC259C1D3EE6BA3676291EDD7CD6862F45F060390950DEF16FEF272F26875D37ABCD7EAEEB
Malicious:	false
Reputation:	low
URL:	https://midgard.antifa.se/wp-includes/js/dist/interactivity.min.js?ver=6.4.2
Preview:	/! This file is auto-generated /.!function(){"use strict";var t,e={754:function(t,e,n){n.d(e,{c4:function(){return Ve},tL:function(){return De},h:function(){return le}});var r,o,i,_,s,c,u,l,a,f={},h=[],p=/acit\|ex(?:s\|g\|n\|p\|$)\|rph\|grid\|ows\|mnc\|ntw\|ine[ch]\|zoo\|^ord\|itera/i,d=Array.isArray;function v(t,e){for(var n in e)t[n]=e[n];return t}function y(t){var e=t.parentNode;e&&e.removeChild(t)}function m(t,e,n){var o,i,_,s={};for(_ in e)"key"==_?o=e[_]:"ref"==_?i=e[_]:s[_]=e[_];if(arguments.length>2&&(s.children=arguments.length>3?r.call(arguments,2):n),"function"==typeof t&&null!=t.defaultProps)for(_ in t.defaultProps)void 0===s[_]&&(s[_]=t.defaultProps[_]);return g(t,s,o,i,null)}function g(t,e,n,r,_){var s={type:t,props:e,key:n,ref:r,__k:null,__:null,__b:0,__e:null,__d:void 0,__c:null,__h:null,constructor:void 0,__v:null==_?++i:_,__i:-1};return null==_&&null!=o.vnode&&o.vnode(s),s}function b(t){return t.children}function w(t,e){this.props=t,this.context=e}function x(t,e){if(null==e)retur

Static File Info

⊘No static file info

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://midgard.antifa.se

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Static File Info

Windows Analysis Report
http://midgard.antifa.se