Edit tour

Windows Analysis Report
https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download

Overview

General Information

Sample URL:	https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download
Analysis ID:	1403483
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Downloads suspicious files via Chrome

Drops password protected ZIP file

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Tries to load missing DLLs

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5952 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2356,i,9309288945864814519,1849516547289388514,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

unarchiver.exe (PID: 4072 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 4560 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\wfyl0eyp.svy" "C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 3800 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49719 version: TLS 1.0

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.6:49720 version: TLS 1.2

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49719 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Source: global traffic	HTTP traffic detected: GET /u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg
Source: global traffic	HTTP traffic detected: GET /uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg
Source: global traffic	HTTP traffic detected: GET /download?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y3c9VdhC9udV3oy&MD=9gpeVbRK HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y3c9VdhC9udV3oy&MD=9gpeVbRK HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

DNS traffic detected: queries for: drive.usercontent.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.6:49720 version: TLS 1.2

System Summary

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip (copy)

Jump to dropped file

Drops password protected ZIP file

Source: 14ae6381-e6b5-46f9-81ab-ef0eb7e840a5.tmp.0.dr	Zip Entry: encrypted
Source: chromecache_47.2.dr	Zip Entry: encrypted

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: classification engine

Classification label: mal48.win@22/6@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\14ae6381-e6b5-46f9-81ab-ef0eb7e840a5.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2356,i,9309288945864814519,1849516547289388514,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\wfyl0eyp.svy" "C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2356,i,9309288945864814519,1849516547289388514,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\wfyl0eyp.svy" "C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 4A20000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 611			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9360			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5836	Thread sleep count: 611 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5836	Thread sleep time: -305500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5836	Thread sleep count: 9360 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5836	Thread sleep time: -4680000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 5_2_00D3B1D6 GetSystemInfo,

5_2_00D3B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\wfyl0eyp.svy" "C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.usercontent.google.com	142.250.80.97	true	false		high
www.google.com	142.251.40.132	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.40.132	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.80.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.6

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1403483
Start date and time:	2024-03-05 15:33:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@22/6@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.35.163, 142.250.65.206, 172.253.63.84, 34.104.35.123, 72.21.81.240, 192.229.211.108, 142.251.40.195
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download

Simulations

Behavior and APIs

Time	Type	Description
15:35:14	API Interceptor	207121x Sleep call for process: unarchiver.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2236
Entropy (8bit):	5.120967102398691
Encrypted:	false
SSDEEP:	48:bBceGKGbKGKGpoGu+vGKGp2GbUGvGyGwGKGKGmBGKGTGKGmr1L1leE+:bZajMp
MD5:	051C023B2FEA1FA5B6AB8264EA9A1682
SHA1:	BD640F7CE546998942F4CD5E56D427A34B72467D
SHA-256:	2B9D00C0B9F37CD56849A4A01DB39E639A0CA609CC9F32FA6330D50CAC58314A
SHA-512:	973437F68FF87C265F9F9B9DC253A09C85E7329953BF7FF5BC52D1F4490F9A8CDEF490DB39A34970B92A63D9243E7696F14D93346A3B679CF51B11E35E59DD26
Malicious:	false
Reputation:	low
Preview:	03/05/2024 3:34 PM: Unpack: C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip..03/05/2024 3:34 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\wfyl0eyp.svy..03/05/2024 3:34 PM: Received from standard error: ERROR: Wrong password : Summaryform_TgQFBSAqdC.wsf..03/05/2024 3:34 PM: Received from standard out: ..03/05/2024 3:34 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..03/05/2024 3:34 PM: Received from standard out: ..03/05/2024 3:34 PM: Received from standard out: Scanning the drive for archives:..03/05/2024 3:34 PM: Received from standard out: 1 file, 612 bytes (1 KiB)..03/05/2024 3:34 PM: Received from standard out: ..03/05/2024 3:34 PM: Received from standard out: Extracting archive: C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip..03/05/2024 3:34 PM: Received from standard out: --..03/05/2024 3:34 PM: Received from standard out: Path = C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip..03/05/2024 3:34 PM: Re

C:\Users\user\Downloads\14ae6381-e6b5-46f9-81ab-ef0eb7e840a5.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	612
Entropy (8bit):	7.252186285235145
Encrypted:	false
SSDEEP:	12:5jVvbjghdj9QTRdSq4GDIWbL3bTqiaTKFmkAjdFyia4E:9VvBldF4XWf3r5gNjzE
MD5:	015885D6F41D87FAF2BA3FF84B14EDD7
SHA1:	190998335054871E3C25D4514FFD43025B4F7E8A
SHA-256:	618071D265A7E8ECCE116311736145E343C89AEA5548E424A5A911D1FE249151
SHA-512:	4A7289AC5F1C64B01E9CC790EE6213109BF2E1722DFC5BB45E2B88EC327B9A3814F8DD03CDDC5BC627F6F6BD4E51A2FB9CB7FCBB810801E230E30C6773F34E95
Malicious:	false
Reputation:	low
Preview:	PK........T.dXN.'<.....9......Summaryform_TgQFBSAqdC.wsf..g.....P.....c.pv..0a..Z5.wq...l....5C.].xY..(.<-...."...>...6..*u....q...\!.c.r2..x.=.ite!R....LU...9.A.A=T.{". q5Y.1l..L$...........]fn.=...!.6..&...A.R...."5..o.c..........L..u.c....:@z.9......[T.....?=...<x0\|.z..XE.....=.".w.h..y....._...@.%.._.+.X.r.4E^w.].l..".......[K...8...OX..L.......S4..[..2L...u..^...(.HM^.........Sj..s.?..4..X.};.z'.......J..L...B..jR.2.....;.yY..[........PK..N.'<.....9..PK..........T.dXN.'<.....9....$....... .......Summaryform_TgQFBSAqdC.wsf.. ..........&...n...&...n.......n..PK..........l.........

C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	612
Entropy (8bit):	7.252186285235145
Encrypted:	false
SSDEEP:	12:5jVvbjghdj9QTRdSq4GDIWbL3bTqiaTKFmkAjdFyia4E:9VvBldF4XWf3r5gNjzE
MD5:	015885D6F41D87FAF2BA3FF84B14EDD7
SHA1:	190998335054871E3C25D4514FFD43025B4F7E8A
SHA-256:	618071D265A7E8ECCE116311736145E343C89AEA5548E424A5A911D1FE249151
SHA-512:	4A7289AC5F1C64B01E9CC790EE6213109BF2E1722DFC5BB45E2B88EC327B9A3814F8DD03CDDC5BC627F6F6BD4E51A2FB9CB7FCBB810801E230E30C6773F34E95
Malicious:	true
Reputation:	low
Preview:	PK........T.dXN.'<.....9......Summaryform_TgQFBSAqdC.wsf..g.....P.....c.pv..0a..Z5.wq...l....5C.].xY..(.<-...."...>...6..*u....q...\!.c.r2..x.=.ite!R....LU...9.A.A=T.{". q5Y.1l..L$...........]fn.=...!.6..&...A.R...."5..o.c..........L..u.c....:@z.9......[T.....?=...<x0\|.z..XE.....=.".w.h..y....._...@.%.._.+.X.r.4E^w.].l..".......[K...8...OX..L.......S4..[..2L...u..^...(.HM^.........Sj..s.?..4..X.};.z'.......J..L...B..jR.2.....;.yY..[........PK..N.'<.....9..PK..........T.dXN.'<.....9....$....... .......Summaryform_TgQFBSAqdC.wsf.. ..........&...n...&...n.......n..PK..........l.........

C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	612
Entropy (8bit):	7.252186285235145
Encrypted:	false
SSDEEP:	12:5jVvbjghdj9QTRdSq4GDIWbL3bTqiaTKFmkAjdFyia4E:9VvBldF4XWf3r5gNjzE
MD5:	015885D6F41D87FAF2BA3FF84B14EDD7
SHA1:	190998335054871E3C25D4514FFD43025B4F7E8A
SHA-256:	618071D265A7E8ECCE116311736145E343C89AEA5548E424A5A911D1FE249151
SHA-512:	4A7289AC5F1C64B01E9CC790EE6213109BF2E1722DFC5BB45E2B88EC327B9A3814F8DD03CDDC5BC627F6F6BD4E51A2FB9CB7FCBB810801E230E30C6773F34E95
Malicious:	false
Reputation:	low
Preview:	PK........T.dXN.'<.....9......Summaryform_TgQFBSAqdC.wsf..g.....P.....c.pv..0a..Z5.wq...l....5C.].xY..(.<-...."...>...6..*u....q...\!.c.r2..x.=.ite!R....LU...9.A.A=T.{". q5Y.1l..L$...........]fn.=...!.6..&...A.R...."5..o.c..........L..u.c....:@z.9......[T.....?=...<x0\|.z..XE.....=.".w.h..y....._...@.%.._.+.X.r.4E^w.].l..".......[K...8...OX..L.......S4..[..2L...u..^...(.HM^.........Sj..s.?..4..X.};.z'.......J..L...B..jR.2.....;.yY..[........PK..N.'<.....9..PK..........T.dXN.'<.....9....$....... .......Summaryform_TgQFBSAqdC.wsf.. ..........&...n...&...n.......n..PK..........l.........

Chrome Cache Entry: 47

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	downloaded
Size (bytes):	612
Entropy (8bit):	7.252186285235145
Encrypted:	false
SSDEEP:	12:5jVvbjghdj9QTRdSq4GDIWbL3bTqiaTKFmkAjdFyia4E:9VvBldF4XWf3r5gNjzE
MD5:	015885D6F41D87FAF2BA3FF84B14EDD7
SHA1:	190998335054871E3C25D4514FFD43025B4F7E8A
SHA-256:	618071D265A7E8ECCE116311736145E343C89AEA5548E424A5A911D1FE249151
SHA-512:	4A7289AC5F1C64B01E9CC790EE6213109BF2E1722DFC5BB45E2B88EC327B9A3814F8DD03CDDC5BC627F6F6BD4E51A2FB9CB7FCBB810801E230E30C6773F34E95
Malicious:	false
Reputation:	low
URL:	https://drive.usercontent.google.com/download?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download
Preview:	PK........T.dXN.'<.....9......Summaryform_TgQFBSAqdC.wsf..g.....P.....c.pv..0a..Z5.wq...l....5C.].xY..(.<-...."...>...6..*u....q...\!.c.r2..x.=.ite!R....LU...9.A.A=T.{". q5Y.1l..L$...........]fn.=...!.6..&...A.R...."5..o.c..........L..u.c....:@z.9......[T.....?=...<x0\|.z..XE.....=.".w.h..y....._...@.%.._.+.X.r.4E^w.].l..".......[K...8...OX..L.......S4..[..2L...u..^...(.HM^.........Sj..s.?..4..X.};.z'.......J..L...B..jR.2.....;.yY..[........PK..N.'<.....9..PK..........T.dXN.'<.....9....$....... .......Summaryform_TgQFBSAqdC.wsf.. ..........&...n...&...n.......n..PK..........l.........

Static File Info

⊘No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 116
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2024 15:34:30.721304893 CET	49674	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:30.721410990 CET	49673	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:31.033813000 CET	49672	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:37.552535057 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.552577972 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.552653074 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.553061962 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.553111076 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.553169012 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.553503036 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.553520918 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.553682089 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.553697109 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.777261019 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.777556896 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.777571917 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.779031038 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.779117107 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.780014038 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.780102015 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.780245066 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.780253887 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.783962965 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.784179926 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.784198999 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.785242081 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.785304070 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.786058903 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.786120892 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.827876091 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.827879906 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.827888012 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.877820969 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.973752022 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.973927021 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.974020004 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.975999117 CET	49705	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:37.976021051 CET	443	49705	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:37.977859974 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.017944098 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.178420067 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.178500891 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.178519011 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.178569078 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.180788994 CET	49704	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.180807114 CET	443	49704	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.182095051 CET	49708	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.182115078 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.182176113 CET	49708	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.182981968 CET	49708	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.182992935 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.378262043 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.380793095 CET	49708	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.380816936 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.381686926 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.382478952 CET	49708	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.382550001 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.382949114 CET	49708	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.425903082 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.979764938 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.979856968 CET	49708	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:38.979931116 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.980137110 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:38.980184078 CET	49708	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:39.005170107 CET	49708	443	192.168.2.6	142.250.80.97
Mar 5, 2024 15:34:39.005198956 CET	443	49708	142.250.80.97	192.168.2.6
Mar 5, 2024 15:34:39.465284109 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:39.465379000 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:39.465478897 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:39.465734005 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:39.465764999 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:39.745116949 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:39.745446920 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:39.745491982 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:39.746783018 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:39.746882915 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:39.928219080 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:39.928622961 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:39.972196102 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:39.972253084 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:40.020288944 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:40.330410957 CET	49673	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:40.330410957 CET	49674	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:40.335055113 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.335140944 CET	443	49710	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.335232019 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.337965965 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.338001013 CET	443	49710	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.532202005 CET	443	49710	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.532303095 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.541541100 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.541564941 CET	443	49710	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.542020082 CET	443	49710	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.585342884 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.643230915 CET	49672	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:40.668014050 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.709933043 CET	443	49710	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.756803036 CET	443	49710	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.756890059 CET	443	49710	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.757071018 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.757071018 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.757162094 CET	49710	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.757201910 CET	443	49710	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.810055971 CET	49711	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.810146093 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.810229063 CET	49711	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.810847998 CET	49711	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.810867071 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.994476080 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.994569063 CET	49711	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.996180058 CET	49711	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:40.996200085 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.996579885 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:40.998629093 CET	49711	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:41.045911074 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:41.169104099 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:41.198647022 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:41.198712111 CET	49711	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:41.198829889 CET	49711	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:41.198848963 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:41.198859930 CET	49711	443	192.168.2.6	23.51.58.94
Mar 5, 2024 15:34:41.198864937 CET	443	49711	23.51.58.94	192.168.2.6
Mar 5, 2024 15:34:42.022905111 CET	443	49698	173.222.162.64	192.168.2.6
Mar 5, 2024 15:34:42.024107933 CET	49698	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:49.727570057 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:49.727715015 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:49.727806091 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:50.992536068 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:50.992556095 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:50.992639065 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:50.995877981 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:50.995893002 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:51.418741941 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:51.418823957 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:51.427895069 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:51.427906036 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:51.428318024 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:51.469372034 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:51.677431107 CET	49709	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:34:51.677493095 CET	443	49709	142.251.40.132	192.168.2.6
Mar 5, 2024 15:34:51.839164972 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:51.881907940 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100230932 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100260019 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100267887 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100280046 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100315094 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100332975 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:52.100346088 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100383997 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:52.100507975 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100550890 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:52.100555897 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100583076 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.100603104 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:52.100603104 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:52.100642920 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:52.263123035 CET	49698	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:52.263290882 CET	49698	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:52.263664007 CET	49719	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:52.263715982 CET	443	49719	173.222.162.64	192.168.2.6
Mar 5, 2024 15:34:52.263796091 CET	49719	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:52.264508963 CET	49719	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:34:52.264538050 CET	443	49719	173.222.162.64	192.168.2.6
Mar 5, 2024 15:34:52.342618942 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:52.342618942 CET	49712	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:34:52.342636108 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.342643976 CET	443	49712	13.85.23.86	192.168.2.6
Mar 5, 2024 15:34:52.422818899 CET	443	49698	173.222.162.64	192.168.2.6
Mar 5, 2024 15:34:52.422841072 CET	443	49698	173.222.162.64	192.168.2.6
Mar 5, 2024 15:34:52.592863083 CET	443	49719	173.222.162.64	192.168.2.6
Mar 5, 2024 15:34:52.592926025 CET	49719	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:35:11.756544113 CET	443	49719	173.222.162.64	192.168.2.6
Mar 5, 2024 15:35:11.756643057 CET	49719	443	192.168.2.6	173.222.162.64
Mar 5, 2024 15:35:28.837025881 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:28.837057114 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:28.837125063 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:28.838840008 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:28.838852882 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.262713909 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.262794018 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.270404100 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.270432949 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.270950079 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.304716110 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.345911026 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.664498091 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.664562941 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.664607048 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.664632082 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.664640903 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.664669991 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.664680004 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.664699078 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.664735079 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.664829969 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.664875031 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.664906979 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.664918900 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.664988041 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.664994001 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.665047884 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.665105104 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.681715012 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.681730032 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:29.681746006 CET	49720	443	192.168.2.6	13.85.23.86
Mar 5, 2024 15:35:29.681751966 CET	443	49720	13.85.23.86	192.168.2.6
Mar 5, 2024 15:35:39.415081978 CET	49722	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:35:39.415119886 CET	443	49722	142.251.40.132	192.168.2.6
Mar 5, 2024 15:35:39.415184021 CET	49722	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:35:39.415563107 CET	49722	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:35:39.415580988 CET	443	49722	142.251.40.132	192.168.2.6
Mar 5, 2024 15:35:39.684592009 CET	443	49722	142.251.40.132	192.168.2.6
Mar 5, 2024 15:35:39.684853077 CET	49722	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:35:39.684868097 CET	443	49722	142.251.40.132	192.168.2.6
Mar 5, 2024 15:35:39.685340881 CET	443	49722	142.251.40.132	192.168.2.6
Mar 5, 2024 15:35:39.685668945 CET	49722	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:35:39.685749054 CET	443	49722	142.251.40.132	192.168.2.6
Mar 5, 2024 15:35:39.735598087 CET	49722	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:35:49.678061962 CET	443	49722	142.251.40.132	192.168.2.6
Mar 5, 2024 15:35:49.678236008 CET	443	49722	142.251.40.132	192.168.2.6
Mar 5, 2024 15:35:49.678289890 CET	49722	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:35:51.679250956 CET	49722	443	192.168.2.6	142.251.40.132
Mar 5, 2024 15:35:51.679275036 CET	443	49722	142.251.40.132	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2024 15:34:35.409954071 CET	53	58161	1.1.1.1	192.168.2.6
Mar 5, 2024 15:34:35.415860891 CET	53	57472	1.1.1.1	192.168.2.6
Mar 5, 2024 15:34:36.049969912 CET	53	50108	1.1.1.1	192.168.2.6
Mar 5, 2024 15:34:37.460025072 CET	56262	53	192.168.2.6	1.1.1.1
Mar 5, 2024 15:34:37.460191965 CET	52820	53	192.168.2.6	1.1.1.1
Mar 5, 2024 15:34:37.548026085 CET	53	56262	1.1.1.1	192.168.2.6
Mar 5, 2024 15:34:37.548989058 CET	53	52820	1.1.1.1	192.168.2.6
Mar 5, 2024 15:34:39.373867989 CET	64314	53	192.168.2.6	1.1.1.1
Mar 5, 2024 15:34:39.374468088 CET	50635	53	192.168.2.6	1.1.1.1
Mar 5, 2024 15:34:39.461946011 CET	53	64314	1.1.1.1	192.168.2.6
Mar 5, 2024 15:34:39.462768078 CET	53	50635	1.1.1.1	192.168.2.6
Mar 5, 2024 15:34:53.136404991 CET	53	65000	1.1.1.1	192.168.2.6
Mar 5, 2024 15:35:11.856775045 CET	53	63251	1.1.1.1	192.168.2.6
Mar 5, 2024 15:35:34.480350971 CET	53	62747	1.1.1.1	192.168.2.6
Mar 5, 2024 15:35:35.055671930 CET	53	49766	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 5, 2024 15:34:37.460025072 CET	192.168.2.6	1.1.1.1	0xdf1a	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Mar 5, 2024 15:34:37.460191965 CET	192.168.2.6	1.1.1.1	0x7592	Standard query (0)	drive.usercontent.google.com	65	IN (0x0001)	false
Mar 5, 2024 15:34:39.373867989 CET	192.168.2.6	1.1.1.1	0x3d7a	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 5, 2024 15:34:39.374468088 CET	192.168.2.6	1.1.1.1	0x4b67	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 5, 2024 15:34:37.548026085 CET	1.1.1.1	192.168.2.6	0xdf1a	No error (0)	drive.usercontent.google.com	142.250.80.97	A (IP address)	IN (0x0001)	false
Mar 5, 2024 15:34:39.461946011 CET	1.1.1.1	192.168.2.6	0x3d7a	No error (0)	www.google.com	142.251.40.132	A (IP address)	IN (0x0001)	false
Mar 5, 2024 15:34:39.462768078 CET	1.1.1.1	192.168.2.6	0x4b67	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

drive.usercontent.google.com

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49705	142.250.80.97	443	6092	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-05 14:34:37 UTC	1044	OUT	GET /u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download HTTP/1.1 Host: drive.usercontent.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg
2024-03-05 14:34:37 UTC	1591	IN	HTTP/1.1 302 Found Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 05 Mar 2024 14:34:37 GMT Location: https://drive.usercontent.google.com/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-jBINj65w1WC6XpoUpc_nzQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49704	142.250.80.97	443	6092	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-05 14:34:37 UTC	1333	OUT	GET /uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download HTTP/1.1 Host: drive.usercontent.google.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg
2024-03-05 14:34:38 UTC	1601	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 05 Mar 2024 14:34:38 GMT Location: https://drive.usercontent.google.com/download?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-3BPE5s8WzB0zM2cBxtNE6w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49708	142.250.80.97	443	6092	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-05 14:34:38 UTC	1339	OUT	GET /download?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download HTTP/1.1 Host: drive.usercontent.google.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg
2024-03-05 14:34:38 UTC	4690	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ABPtcPo9jMQmhjjVu6xlEp8y0VIa2Xmz2SVrx2TUDeKqQe29mxZNkXXScVhlhcrv5P4gB2GldVQ Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="Summaryform_TgQFBSAqdC.zip" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-user-App-ID-Token, X-Earth-user-Computation-Profile, X-Earth-user-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 612 Last-Modified: Tue, 05 Mar 2024 03:35:30 GMT Date: Tue, 05 Mar 2024 14:34:38 GMT Expires: Tue, 05 Mar 2024 14:34:38 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=fj+Fvw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-03-05 14:34:38 UTC	612	IN	Data Raw: 50 4b 03 04 14 00 09 00 08 00 54 9c 64 58 4e fa 27 3c 9a 01 00 00 e2 39 00 00 1a 00 00 00 53 75 6d 6d 61 72 79 66 6f 72 6d 5f 54 67 51 46 42 53 41 71 64 43 2e 77 73 66 15 fb 67 f9 0f 82 08 f7 50 b7 e6 aa 92 fe 06 e1 63 c2 70 76 fc 1a 30 61 dc 8d da 5a 35 dd 77 71 14 e1 07 6c 92 e6 b7 f6 cd 35 43 de 5d cd 78 59 ec c1 28 f7 3c 2d 93 c7 cd c6 22 b0 86 17 3e 94 13 b4 36 8f d5 2a 75 ba ea f0 e4 71 b5 85 dc 5c 21 d1 63 8f 72 32 f6 ec 78 eb 3d f7 69 74 65 21 52 fc 85 ee 1c 4c 55 da b9 e6 a8 9a d2 39 94 41 eb 41 3d 54 16 7b 22 16 20 71 35 59 e7 31 6c 80 d0 4c 24 a4 da d3 02 e5 f5 f1 1c 01 a0 cb 5d 66 6e 07 3d 82 bb ad 21 1f 36 e7 f0 26 e3 b5 b2 bd da 41 f1 96 52 b2 13 df e4 22 35 d1 ad b4 6f 9d 63 98 17 ac fa 90 a5 19 c9 85 b6 be 4c ae fa 75 fa 63 96 ec 10 1b 3a Data Ascii: PKTdXN'<9Summaryform_TgQFBSAqdC.wsfgPcpv0aZ5wql5C]xY(<-">6*uq\!cr2x=ite!RLU9AA=T{" q5Y1lL$]fn=!6&AR"5ocLuc:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49710	23.51.58.94	443

Timestamp	Bytes transferred	Direction	Data
2024-03-05 14:34:40 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-03-05 14:34:40 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/07A7) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=17416 Date: Tue, 05 Mar 2024 14:34:40 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49711	23.51.58.94	443

Timestamp	Bytes transferred	Direction	Data
2024-03-05 14:34:40 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-03-05 14:34:41 UTC	455	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0778) X-CID: 11 Cache-Control: public, max-age=17461 Date: Tue, 05 Mar 2024 14:34:41 GMT Content-Length: 55 Connection: close X-CID: 2
2024-03-05 14:34:41 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49712	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-03-05 14:34:51 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y3c9VdhC9udV3oy&MD=9gpeVbRK HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-03-05 14:34:52 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 612b6c63-5875-46ec-a117-64b5a21a70ce MS-RequestId: b69c3c0a-0405-497d-8db6-d2ccf8ab953a MS-CV: 3AYaXeS180+eiGPo.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 05 Mar 2024 14:34:51 GMT Connection: close Content-Length: 24490
2024-03-05 14:34:52 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-03-05 14:34:52 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49720	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-03-05 14:35:29 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y3c9VdhC9udV3oy&MD=9gpeVbRK HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-03-05 14:35:29 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 962a6f5b-30fe-4490-bda3-e5dc03ab8263 MS-RequestId: 1d322720-8849-4153-9663-0743a411b71a MS-CV: mrKralyu3kuqtAz/.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 05 Mar 2024 14:35:28 GMT Connection: close Content-Length: 25457
2024-03-05 14:35:29 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-03-05 14:35:29 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe
• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe
• unarchiver.exe
• 7za.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 5952, Parent PID: 3424

Function Logs

General

Target ID:	0
Start time:	15:34:30
Start date:	05/03/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6092, Parent PID: 5952

Function Logs

General

Target ID:	2
Start time:	15:34:33
Start date:	05/03/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2356,i,9309288945864814519,1849516547289388514,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 3800, Parent PID: 3424

Function Logs

General

Target ID:	3
Start time:	15:34:36
Start date:	05/03/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Analysis Process: unarchiver.exePID: 4072, Parent PID: 5952

Function Logs

General

Target ID:	5
Start time:	15:34:40
Start date:	05/03/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip
Imagebase:	0x420000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 4560, Parent PID: 4072

Function Logs

General

Target ID:	6
Start time:	15:34:40
Start date:	05/03/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\wfyl0eyp.svy" "C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip
Imagebase:	0xca0000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2084, Parent PID: 4560

Function Logs

General

Target ID:	7
Start time:	15:34:40
Start date:	05/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: unarchiver.exePID: 4072, Parent PID: 5952COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	19.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.5%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00D3B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00D3B208

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 034d02f4a26d15e15c91d0754fbfbea385fd2b70b584adc69aeb8723905a249b
Instruction ID: 0f258447cbdfecd2353f118626ff8008ae4ef65d84f2dc002dd9d5ab1a274f6f
Opcode Fuzzy Hash: 034d02f4a26d15e15c91d0754fbfbea385fd2b70b584adc69aeb8723905a249b
Instruction Fuzzy Hash: FC018F749002409FDB10CF15E88576AFBE4EF44320F08C5ABDE889F252E379AA08CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D3B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00D3B2F3

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f4a46fc0e7acfe2f1d48c45c0ed22cd859710acc0af098c1f37d39e5823bcbe3
Instruction ID: 0a7de399987f7bbebb36dc40e130e6748e01572eae12f684c7bc888be64748f3
Opcode Fuzzy Hash: f4a46fc0e7acfe2f1d48c45c0ed22cd859710acc0af098c1f37d39e5823bcbe3
Instruction Fuzzy Hash: 46319471504344AFE7228B61DC45FAABFBCEF45324F0484AAEA85DB162D374A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00D3ADA7

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1c89443ef0ba1e04fb75ba0bddba41faab9f03511f0bc08d482363c7fe7c6ee4
Instruction ID: b5e4e4a8f40ac3875818a3ce21536b78c5782cb72444feeed94c4f64d006ee9c
Opcode Fuzzy Hash: 1c89443ef0ba1e04fb75ba0bddba41faab9f03511f0bc08d482363c7fe7c6ee4
Instruction Fuzzy Hash: A131C7715043846FE7228B65DC45F67BFACEF05224F04449EF985DB552D334A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3AB76 Relevance: 1.6, APIs: 1, Instructions: 93
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00D3AC36

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 8e51690b3451e64a469c4ce65504db4e23eea4dc02d836953eea768aa2843228
Instruction ID: a2685500335777ca5edd0d39d7961eee94b998e57f98ac844d507c6ba4d0fa73
Opcode Fuzzy Hash: 8e51690b3451e64a469c4ce65504db4e23eea4dc02d836953eea768aa2843228
Instruction Fuzzy Hash: 1A316D7250E3C06FD3038B718C65A56BFB4AF47610F1A85DBD8C8DF1A3D2296919C762

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00D3A67D

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bd685d7b28cb964cd2c814b07a975994cfe81355200e85886ae1bfc67e19f7d5
Instruction ID: 4bf5bf35e5e3352a1b5f2a55078cb799eefcf7b17b9a155c74d193f523570605
Opcode Fuzzy Hash: bd685d7b28cb964cd2c814b07a975994cfe81355200e85886ae1bfc67e19f7d5
Instruction Fuzzy Hash: AD319F71604740AFE721CF25DC45F66BBE8EF05220F0884AEE9858B252D375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00D3A1C2

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: ecf56d151e291a8358c4193b7950d0a6ba0cb27da90118a10783a9a28a0d6c20
Instruction ID: 3242c2c94344eddf191a01874c7aeacf4a24f6b0a1dc397e671c60d1de1bb1bf
Opcode Fuzzy Hash: ecf56d151e291a8358c4193b7950d0a6ba0cb27da90118a10783a9a28a0d6c20
Instruction Fuzzy Hash: BA21D17140D3C06FD3128B258C51BA6BFB4EF47610F0981DBDC849F593D239AA1ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,70757E43,00000000,00000000,00000000,00000000), ref: 00D3A40C

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 06d062f63cd0da38f3f197e63f7abe0d21bb0cb52eb4691c376e67469e6128d0
Instruction ID: eeac8d3403f2e0e248d7d5fb0c4a5ca04e7b3c9908156740217470d67dca8734
Opcode Fuzzy Hash: 06d062f63cd0da38f3f197e63f7abe0d21bb0cb52eb4691c376e67469e6128d0
Instruction Fuzzy Hash: CA217C72604744AFD721CB15DC85FA6BBF8AF45710F08849AE9858B292D364E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00D3B2F3

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e75583cd2977ecbd9d9d1460e3d02dcffc178a66bfb96ebc12cd0fd918fa7362
Instruction ID: 6af56dcf89f51feb1f21cd76a8b5bb22ebcef526e81ba520d521cd02b7078d56
Opcode Fuzzy Hash: e75583cd2977ecbd9d9d1460e3d02dcffc178a66bfb96ebc12cd0fd918fa7362
Instruction Fuzzy Hash: F6219271500304AFEB21DF65DC45F6BBBECEF04324F04856AEA859B151E774A6088B71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00D3ADA7

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d9294b7cd9c54b6162d79cab77f795ac4a64cd104d54f8fec57ce6d7bbc33292
Instruction ID: a7726278210f83b7e6ab8a25eec9ad291aab0cf7d1d9d5910dad81731d45bdf0
Opcode Fuzzy Hash: d9294b7cd9c54b6162d79cab77f795ac4a64cd104d54f8fec57ce6d7bbc33292
Instruction Fuzzy Hash: F7219272600304AFEB21CF65DC45F6BBBECEF04324F04846AEA859B551E774A6488B71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,70757E43,00000000,00000000,00000000,00000000), ref: 00D3A8DE

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 94caacffd0c2260807e29aa45a1d3f4afa47c45f4d6949ee7269dd3a10d1fed5
Instruction ID: 2456ecf2483d541c5d665c37d03055072a44cf0fb414888bfd0108e28205042c
Opcode Fuzzy Hash: 94caacffd0c2260807e29aa45a1d3f4afa47c45f4d6949ee7269dd3a10d1fed5
Instruction Fuzzy Hash: 8A21A1715083806FE7228B24DC45F66BFB8EF46724F0984DAE9849F152D274AA09CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,70757E43,00000000,00000000,00000000,00000000), ref: 00D3A9C1

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1b907ceba5b4fb7d5f30595ddcf61004064786075fc874015e53f32f24018842
Instruction ID: 11edb819901e6d4194da8f9013567f0ffd7678ec4d7f92965e0b0d2e6e00bf93
Opcode Fuzzy Hash: 1b907ceba5b4fb7d5f30595ddcf61004064786075fc874015e53f32f24018842
Instruction Fuzzy Hash: C2219F71509380AFDB22CF25DC45F96BFB8EF46214F08849AE9849F152D275A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00D3A67D

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0e58183625a43c93005b34a4c18c6cfedabd42f5cef6fb8f4751ba51d56af974
Instruction ID: fdc290fea030e594e8d4851f160d8f387f9c4a71f1e4e2062b33fdc9ddeb8b25
Opcode Fuzzy Hash: 0e58183625a43c93005b34a4c18c6cfedabd42f5cef6fb8f4751ba51d56af974
Instruction Fuzzy Hash: CC218171600600AFE721DF29DD46F66FBE8EF04310F08856DE9858B251E375E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,70757E43,00000000,00000000,00000000,00000000), ref: 00D3A815

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: afb7eaeada0c74028db23e4cff43f09e79685fcdd5ad28dda9ad280f4e8dead3
Instruction ID: ed14d5c598372dea46005b67cd60ba53363dd682dc4531f26afc929f8fff8921
Opcode Fuzzy Hash: afb7eaeada0c74028db23e4cff43f09e79685fcdd5ad28dda9ad280f4e8dead3
Instruction Fuzzy Hash: 4621D8B55083806FE7128B21DC45BA6BFB8DF46314F0880DBE9848F193D268AA09C775

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00D3A748

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 261c9e13d0cdffd45a0510900864c88207fc96998bf6a87721a8513d7643c585
Instruction ID: cf27b44984498f1530463208368eeaac22457ec78762ac65ec22d0d7b3506cb9
Opcode Fuzzy Hash: 261c9e13d0cdffd45a0510900864c88207fc96998bf6a87721a8513d7643c585
Instruction Fuzzy Hash: 3A2192B59093C05FDB128B25DC95752BFB8EF07320F0984DADD858F2A3D2649909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00D3AA8B

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: b05ff82ef432ef5147e7f0bdd5577ee23f4f6ec365ebd1b430897b3a378f310c
Instruction ID: b4de3a3c3d2249129a8cbb0bd974081fbb852c339a02614dcb19e11250d77b45
Opcode Fuzzy Hash: b05ff82ef432ef5147e7f0bdd5577ee23f4f6ec365ebd1b430897b3a378f310c
Instruction Fuzzy Hash: 64217F726083C05FDB12CB29DC55B92BFE8AF06324F0D84EAE984CF153D2659909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,70757E43,00000000,00000000,00000000,00000000), ref: 00D3A40C

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 75e083d5cacb2ed3dfb7dce49e726e025a088a30b9bec2fb74e945943bb5fd13
Instruction ID: 05afd247cf7d5d57a0dcd89c68a2668466fbd4752084ef66da46975381161c40
Opcode Fuzzy Hash: 75e083d5cacb2ed3dfb7dce49e726e025a088a30b9bec2fb74e945943bb5fd13
Instruction Fuzzy Hash: D8215E756006049FE721CF69DC85F66F7ECEF04710F08855AE9858B291E774EA09CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,70757E43,00000000,00000000,00000000,00000000), ref: 00D3A9C1

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 66ec0987ca744cf0deef90749e8c0b4a556be384c5bc6dfd9d6d08acba5a6d2b
Instruction ID: 116a5fc89d3a95271027d048b8bd0df859303986722838ebe5927ce09ae9410d
Opcode Fuzzy Hash: 66ec0987ca744cf0deef90749e8c0b4a556be384c5bc6dfd9d6d08acba5a6d2b
Instruction Fuzzy Hash: C111C471600200AFEB21CF65DC45F6AFBE8EF04724F04855AEE859B251D374A648CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,70757E43,00000000,00000000,00000000,00000000), ref: 00D3A8DE

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 19403203e3e5651d13b901e3176b0067058d73d7a8160d653d3e04ed4f60e047
Instruction ID: 79b6d8901306800b00a931e2f8b03f8d816ad858fc1d9b95511a0e01f964de5d
Opcode Fuzzy Hash: 19403203e3e5651d13b901e3176b0067058d73d7a8160d653d3e04ed4f60e047
Instruction Fuzzy Hash: FF119471600204AFEB21CF65DC45F6AFBE8EF44724F14845AED859B251D374AA09CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D3A30C

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d79655ca4fc0921fe5490825efd28ed4d28402a46effe5f3b7f3f35f55bc179e
Instruction ID: 5ecb2dd218f5e80f4213385e7b434950fafa643f519ad03dbbe6a829dc1659ab
Opcode Fuzzy Hash: d79655ca4fc0921fe5490825efd28ed4d28402a46effe5f3b7f3f35f55bc179e
Instruction Fuzzy Hash: EE1191755093C09FD7228B25DC55A52BFB4DF47320F0980DBDD848F163D265A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,70757E43,00000000,00000000,00000000,00000000), ref: 00D3A815

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: afcb8edf4589f66afc865bd1c7da7adcb6847363642af63a44e9f08d8bb74d29
Instruction ID: a6c4981a49f10691f1761e48a513795751d1c25288c924dab0862b60a97e4e45
Opcode Fuzzy Hash: afcb8edf4589f66afc865bd1c7da7adcb6847363642af63a44e9f08d8bb74d29
Instruction Fuzzy Hash: 0C01FE71614300AEE710CB15DC45F6AFBD8DF44724F14C09AED854F241E378EA09CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00D3AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00D3AA8B

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 810b12b1747de8e2b29fdd17944afc45bd28cb4ff4ffec741de1116d7be0cbaa
Instruction ID: 8f589ff027938117afab5143d9e8a25a258c14cedc5809124090a9c542c928c9
Opcode Fuzzy Hash: 810b12b1747de8e2b29fdd17944afc45bd28cb4ff4ffec741de1116d7be0cbaa
Instruction Fuzzy Hash: B7113C727042409FEB50CF29D985B56BBD8AF04720F0884AADD89CB251E675E908CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00D3AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00D3AFE4

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: f07553de2105129ba1254f6fc93a185f7930ead1fc00bf489034301dcf12d876
Instruction ID: 0ebbe91aae81ab06fd6f3ff1ce33349116c3aa139696966405737f63340b87a1
Opcode Fuzzy Hash: f07553de2105129ba1254f6fc93a185f7930ead1fc00bf489034301dcf12d876
Instruction Fuzzy Hash: 39119E755093C09FD7128B25DC45A52BFF4EF46220F0984DBED858B262D364A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D3B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00D3B208

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: aea3b6f85b11670c80eea590e7e3f1edfe6aa3e1e4bfb6d03617bd48bad2dd4f
Instruction ID: 79a2b624559b9085d91b2e9cc4fdf8e4c9d9c60f7b57f08c06ab2113956da87e
Opcode Fuzzy Hash: aea3b6f85b11670c80eea590e7e3f1edfe6aa3e1e4bfb6d03617bd48bad2dd4f
Instruction Fuzzy Hash: 48115E755093809FDB12CF15DC45B56BFA4DF46220F0884EBED889F252D275A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00D3A1C2

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 7ceaf084a5a3263e7d60d4d88091efe492b416989b64ff3fc30ad461458b6846
Instruction ID: 75896b58cf5c461cc70651f8e551a15e1e5f3be5af10604c6edc5a4069c39d1a
Opcode Fuzzy Hash: 7ceaf084a5a3263e7d60d4d88091efe492b416989b64ff3fc30ad461458b6846
Instruction Fuzzy Hash: 8D018471900600AFD310DF26DC46B66FBE8FB88A20F14856AED489B741E735FA15CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00D3ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00D3AC36

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: ae286664be36507504b8de23a6258b0772f5fa00d658e7740d2a1dd6fa38d23f
Instruction ID: a9e0805e0595d2e2afe5a3d98509aed5652ad980c4d7642e4a812f80045adb2f
Opcode Fuzzy Hash: ae286664be36507504b8de23a6258b0772f5fa00d658e7740d2a1dd6fa38d23f
Instruction Fuzzy Hash: 7F01B171900200AFD310DF26DC46B26FBE8FB88A20F14816AEC489B641E735BA15CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00D3A748

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 589776035693c26c7a66c44843e395d07f75df2f0fb475edd7afdf7769ab83a0
Instruction ID: 172c13a95cc8888340fdefb31fc97f07bfe87ecf9be6007b98d9b150203ef24a
Opcode Fuzzy Hash: 589776035693c26c7a66c44843e395d07f75df2f0fb475edd7afdf7769ab83a0
Instruction Fuzzy Hash: 4E01A7B5A003409FDB10CF29D986756FBE4DF04321F18C4AADD858F251D379EA58DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D3AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00D3AFE4

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: bc0e7aa53ca8e95997bd7b63da9257dd2b7c1664c2bb1fe9d669009134dcbddc
Instruction ID: 1c3957b7ccdc766d9b7cb0618b5a39bfddcc304ebc3c26d6ef324f5b9a5dd9c5
Opcode Fuzzy Hash: bc0e7aa53ca8e95997bd7b63da9257dd2b7c1664c2bb1fe9d669009134dcbddc
Instruction Fuzzy Hash: 4301D1756002408FDB108F29D885766FBE4EF05320F08C0AADD858B256E379EA48DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D3A30C

Memory Dump Source

Source File: 00000005.00000002.2902111398.0000000000D3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d3a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 81a258022d779b80af075dacfafcc40439f0e2c593db26231f067a8c9b2f80ef
Instruction ID: 61fdafea1869bb9942f6a223ce280f2594e86f99250fd13ab17353798f4c7f90
Opcode Fuzzy Hash: 81a258022d779b80af075dacfafcc40439f0e2c593db26231f067a8c9b2f80ef
Instruction Fuzzy Hash: DEF0A4346042408FDB10CF19D885766FBE0EF04720F08C09ADD854F252E379AA18CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00F60798 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

\O;k, xrefs: 00F60966

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID: \O;k
API String ID: 0-1032581651
Opcode ID: 0c5663aa52cea8399302ec1b9326c03ea97563d2b1da38b5b2fa60083acc7abb
Instruction ID: 7c0063552d62855002ae55d9440cd325b9c43f46f9d79d01e4cdd00f29d098eb
Opcode Fuzzy Hash: 0c5663aa52cea8399302ec1b9326c03ea97563d2b1da38b5b2fa60083acc7abb
Instruction Fuzzy Hash: 14A16D34B002148FDB28AF78D856B7E77A3EB94308F248529D906D7399DF788D42DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F60C99 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

KM!, xrefs: 00F60D6E, 00F60D73

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID: KM!
API String ID: 0-1580089921
Opcode ID: fbdb265be7cd20086dc18dd6643d6f2d12652fcfb2ccf3c9b5fb51410dc097d1
Instruction ID: aca637630ff555c079c83182ecd1107e7b06ba888deff5637c6586cd6f966567
Opcode Fuzzy Hash: fbdb265be7cd20086dc18dd6643d6f2d12652fcfb2ccf3c9b5fb51410dc097d1
Instruction Fuzzy Hash: 9A213531B002108FD756DB7984517AEBAE79B89304F55452CD085CB381DF76E94287A6

Uniqueness

Uniqueness Score: -1.00%

Function 00F60CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

KM!, xrefs: 00F60D6E, 00F60D73

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID: KM!
API String ID: 0-1580089921
Opcode ID: b7a976070004cebfd14b24b077bb132237ff71c40b99af34ba8fba491eee293e
Instruction ID: 1d15112e796a0a1a6aafc23186fc521bf224ea1c1f41d1abe57e786267f22361
Opcode Fuzzy Hash: b7a976070004cebfd14b24b077bb132237ff71c40b99af34ba8fba491eee293e
Instruction Fuzzy Hash: 7121F330B003148BC755EB3984517AEB6E79BC5304B55882DD046CB381DF79EA4287A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C10807 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

C~up, xrefs: 00C10851, 00C10855

Memory Dump Source

Source File: 00000005.00000002.2902010138.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_unarchiver.jbxd

Similarity

API ID:
String ID: C~up
API String ID: 0-4106719514
Opcode ID: 1d68ad69f833fb1b88b1443165a3552a0e325f29f4a7f0e1dca45bd2d8dca560
Instruction ID: 2f76e99abca639abc8250bf25dbeecd74a323e0857cd37ca1038f1fed99bfc3f
Opcode Fuzzy Hash: 1d68ad69f833fb1b88b1443165a3552a0e325f29f4a7f0e1dca45bd2d8dca560
Instruction Fuzzy Hash: 1801D8B240D3806FD701CB25AD41C56FFF8DF83520B0885AEEC848B102D265AE19CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C1082E Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

C~up, xrefs: 00C10851, 00C10855

Memory Dump Source

Source File: 00000005.00000002.2902010138.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_unarchiver.jbxd

Similarity

API ID:
String ID: C~up
API String ID: 0-4106719514
Opcode ID: 27d7af24f4debaa2f5562b37e3ff6851b373eab909d07f1e12f9f882008e77d0
Instruction ID: dbfd56e4ae21f698e5e608c6f6a3a90b716f248f82393837b7f11b23d6080099
Opcode Fuzzy Hash: 27d7af24f4debaa2f5562b37e3ff6851b373eab909d07f1e12f9f882008e77d0
Instruction Fuzzy Hash: 86F082B29052046B9200DF15ED4685AF7ECEF84531F04C56AEC488B300E276AE158AF2

Uniqueness

Uniqueness Score: -1.00%

Function 00F602C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda8ee2ebfc3d4fe104ad20f3ec159203edd6345bcb9c4f5b9cb9f8509128981
Instruction ID: 7631de5c7898cde79bd815d3f0ea2d5969c3ce778a046943bb3a2f8eae8a3459
Opcode Fuzzy Hash: fda8ee2ebfc3d4fe104ad20f3ec159203edd6345bcb9c4f5b9cb9f8509128981
Instruction Fuzzy Hash: BBB15E38B05210CFC768EF68E955B6A77B2EF99350B248524DA0697358DF349D02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F60BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcea05573e93b740ae52c611608750b6362c2416242139c9e261df3fcf3925a
Instruction ID: 96abd6017c1f72f0018a8e03e8bda4b149cee09e2f0666711ca8d6ea875ccd89
Opcode Fuzzy Hash: 2fcea05573e93b740ae52c611608750b6362c2416242139c9e261df3fcf3925a
Instruction Fuzzy Hash: BE119132B10118AFCB54EBB8D845DAF7BF6FF88214B054575E606E7264DF35A8168780

Uniqueness

Uniqueness Score: -1.00%

Function 00C105DF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902010138.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d12c6ba24a02b6735f8e09d8c5bdc29fd3b5a06977cb7423a6b167e9235ec3b
Instruction ID: 09f619ba7930506f4f3384aeece1cef38fe6c6c5c3b3d92ec21a8276cd04256f
Opcode Fuzzy Hash: 6d12c6ba24a02b6735f8e09d8c5bdc29fd3b5a06977cb7423a6b167e9235ec3b
Instruction Fuzzy Hash: A2018BB65093805FD712CF15AC41863FFE8DE8652070981EFEC898B652D165A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00F60C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efac792d79756ab099cbbf0fee014ad613cb8842e7c6a9aa0362cfcae13c657a
Instruction ID: 973837f14d7ab5240dbf4784a5b365864eba89a0fca87a4898483768784ef697
Opcode Fuzzy Hash: efac792d79756ab099cbbf0fee014ad613cb8842e7c6a9aa0362cfcae13c657a
Instruction Fuzzy Hash: 19E0DF22F102681FDB44DEF944812AF7FE5CF81124F81467A9008DB341EA398A038390

Uniqueness

Uniqueness Score: -1.00%

Function 00C10606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902010138.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43f336ac622a21c1d6aea22af72f3c2abf73fe00077c24c22627f15c114b11f
Instruction ID: 0ce173f573bc92f08a9122ddd14cdc7ac1a2a5f210a3f43b06d02907abe09b94
Opcode Fuzzy Hash: b43f336ac622a21c1d6aea22af72f3c2abf73fe00077c24c22627f15c114b11f
Instruction Fuzzy Hash: DCE092B6A006004B9650CF0AFC42452F7D8EB84630708C07FDC0D8B701E239BA18CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F60C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe74354193a24e308f31ed3e65b50fe09693b8448586f095d14912afa206198
Instruction ID: abddddc57894028f3d24e868dd68b0b32cbff897b630fee1513a03a0cda533ad
Opcode Fuzzy Hash: 7fe74354193a24e308f31ed3e65b50fe09693b8448586f095d14912afa206198
Instruction Fuzzy Hash: 0DD01231F002282B8B44DAB9588255F7BEA9BC5154B9544799009D7340EF3999428790

Uniqueness

Uniqueness Score: -1.00%

Function 00F60E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878796ddee7839f525ab79d8c1f23cf9e5b9ae4a1ff2b4f38f3ed530115a2527
Instruction ID: f4ed837d97009f3531373f4c558f32bbe11f9a81a4a05cdd0bf2dbdce3f871dd
Opcode Fuzzy Hash: 878796ddee7839f525ab79d8c1f23cf9e5b9ae4a1ff2b4f38f3ed530115a2527
Instruction Fuzzy Hash: 23E0C23228A3504FDB07D7349C55AAE7FA05BA2304F9AC2AA8049CB2A3C665C806C700

Uniqueness

Uniqueness Score: -1.00%

Function 00F60DD1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a0a45c24a120e87f3ae693a91d269f2b1922e770a482706d0d221f15c71a9a
Instruction ID: 5eabfff7bb9f8bd9f828999e2cc348511f12d8ef79fb92b4af43a2f6b979868b
Opcode Fuzzy Hash: e4a0a45c24a120e87f3ae693a91d269f2b1922e770a482706d0d221f15c71a9a
Instruction Fuzzy Hash: 3DD02B262453404FC7035B7494145763F6167D1304F8A82A1C4444F363DA24CD41D390

Uniqueness

Uniqueness Score: -1.00%

Function 00D323F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902075158.0000000000D32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d32000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788ea4d20c1fe4fd0db48c2c67ed5edf7a663aad36ab218ccecf1b244d4ca46c
Instruction ID: 516de2a009bb742a2703eab6bbed98a42aa4a1773b7c7dc25880ab224ce10bd2
Opcode Fuzzy Hash: 788ea4d20c1fe4fd0db48c2c67ed5edf7a663aad36ab218ccecf1b244d4ca46c
Instruction Fuzzy Hash: 17D05E796056814FD3269A1CC1A6BA537D4AB61714F4A44F9A8008B763C768E981D620

Uniqueness

Uniqueness Score: -1.00%

Function 00D323BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902075158.0000000000D32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d32000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c480dcf11cc6dd97db5f65062a7c7f4b05565a93fa07343bb4566dd4c89f599c
Instruction ID: 0f4b3a5651a5358bc67fbc7bf2cfd6862d731afd0dcf2c5cd7d2c73816f26918
Opcode Fuzzy Hash: c480dcf11cc6dd97db5f65062a7c7f4b05565a93fa07343bb4566dd4c89f599c
Instruction Fuzzy Hash: 48D05E356412814BC725EA1CC2D4F6973D4AB40B14F0A44ECAC108B662C7A9D9C0CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00F60E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c394adab62f77cec5af2e5b9e35fc6ba758dce6e506ebccfc39dfa079f50562
Instruction ID: 8cae4459da5e62a5603457d65fdd40366c4c7cf29bd2a43318daad4c3771994c
Opcode Fuzzy Hash: 5c394adab62f77cec5af2e5b9e35fc6ba758dce6e506ebccfc39dfa079f50562
Instruction Fuzzy Hash: 9FC012312402188BC708A778D959E2AB7D997D4304F95C56454094B355CF74EC41D640

Uniqueness

Uniqueness Score: -1.00%

Function 00F60DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2902475712.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f60000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb69a6c4e318172afab476770294d65f11a3061c228389faaea64f66d388b7d
Instruction ID: 56119ce76f8973ddcee70870213a5f007912ae35d21c2085b64496bfdc410c81
Opcode Fuzzy Hash: bfb69a6c4e318172afab476770294d65f11a3061c228389faaea64f66d388b7d
Instruction Fuzzy Hash: 0EC012302402188BC704A778D859E3B73DA97D0314F95C56494094B355CF74EC41D684

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

C:\Users\user\Downloads\14ae6381-e6b5-46f9-81ab-ef0eb7e840a5.tmp

C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip (copy)

C:\Users\user\Downloads\Summaryform_TgQFBSAqdC.zip.crdownload (copy)

Chrome Cache Entry: 47

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: chrome.exePID: 5952, Parent PID: 3424

General

File Activities

File Opened

File Created

File Deleted

Windows Analysis Report
https://drive.usercontent.google.com/u/0/uc?id=1TmK4HJr3uREvbbX32pEPGn4J2OXNu2OH&export=download