Edit tour

Windows Analysis Report
http://twomancake.com

Overview

General Information

Sample URL:	http://twomancake.com
Analysis ID:	1447260
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 2932 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2168,i,8641132215159082791,12555900835733439550,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 4196 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://twomancake.com" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 24 May 2024 15:41:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: ExpressAccess-Control-Allow-Origin: *Content-Security-Policy: default-src 'none'X-Content-Type-Options: nosniffCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9NZVRDebILBnleGFDEvrwKKgmCxWzK8nLOfXTlxtBeoHct%2FOFG9AoilCQGlUtQY5BBUW7I8Q2u1HaQA6nRLKs83WSQX3rQuEZwQtgv%2FYO%2B%2FOMD7yGSMcUL%2Bwjjyha3Ep9w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 888e63501a0e0fa8-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 37 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 2c 8d b1 0e c2 30 0c 44 77 7f 85 c9 8e bc 32 b8 5e 4a c4 08 43 97 8e 86 1a 8a 94 26 28 98 a1 7f 8f 02 9d 4e f7 9e 4e c7 bb e3 b9 1f c6 4b c4 d9 97 24 c0 2d 30 69 7e 74 c1 72 68 c0 74 12 e0 c5 5c f1 36 6b 7d 9b 77 e1 e3 f7 fd a1 59 7f 7a 32 89 b5 96 ca f4 2f c0 b4 6d ae 65 5a 05 f8 55 4d 7a cd b9 38 9e e2 80 c4 d4 08 30 6d 9e 7e d7 5f 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 e6 4f 23 54 8b 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7f,0Dw2^JC&(NNK$-0i~trht\6k}wYz2/meZUMz80m~_bO#T0

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.10:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.10:49715 version: TLS 1.2

Source: classification engine

Classification label: mal48.win@16/8@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2168,i,8641132215159082791,12555900835733439550,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://twomancake.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2168,i,8641132215159082791,12555900835733439550,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://twomancake.com	100%	Avira URL Cloud	malware

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
www.google.com	216.58.206.68	true	false	unknown
twomancake.com	188.114.97.3	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://twomancake.com/	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.97.3	twomancake.com	European Union	13335	CLOUDFLARENETUS	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.10

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447260
Start date and time:	2024-05-24 17:40:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://twomancake.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@16/8@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.99, 142.250.185.174, 64.233.184.84, 34.104.35.123, 20.114.59.183, 88.221.110.106, 20.242.39.171, 93.184.221.240, 13.95.31.18, 142.250.185.131
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu.azureedge.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: http://twomancake.com

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:41:05 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9936944983355436
Encrypted:	false
SSDEEP:	48:8ftbdtT0OHpidAKZdA1uehwiZUklqehGy+3:8f5Yrty
MD5:	CC99758B7A91D9E3ED9BC14C5E0A3A50
SHA1:	2F00306D2A2C103F01F8121036FA22A6FA905FEE
SHA-256:	823F3601D1511BCF136C1EE026F011324712BDE1DC077C3EA38D21A9677D121D
SHA-512:	ADD019CAEBFC563BA4F9920BEBFE40B742BAE9EAF50DA85A7B48259133FE6E33EC3028EEC8C84B3E63FD85C22DC2F03ADCD345B92EA42BEE16205FBA225B5B37
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....=..........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.X!}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X!}....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.X!}....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.X!}...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X#}....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:41:05 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.009904006684992
Encrypted:	false
SSDEEP:	48:8atbdtT0OHpidAKZdA1Heh/iZUkAQkqehdy+2:8a5Yl9Qgy
MD5:	2D4CB852C09D7EFDDA91EEB09AF3837D
SHA1:	4DC03DC8560BB2E17766CCC1A557D103DD008413
SHA-256:	05075EB855E6E04932F4FDC650EF307587EA939AB0AACB1009A9F8A1B3B8DCD2
SHA-512:	0FE37315C5708BFA3A6AAE1C9296AA1E376F98DEABF7D7AF32FF746BDC4E1BDE78A665903799370EDF8BF24E2CE481DC3565BE7961648FE56EDAF988347580E0
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,...............y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.X!}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X!}....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.X!}....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.X!}...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X#}....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 08:59:33 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.015285717975794
Encrypted:	false
SSDEEP:	48:8FtbdtT0bHpidAKZdA149eh7sFiZUkmgqeh7sXy+BX:8F5Y2nJy
MD5:	3D44215038B74D66D4DD54F2EA4017E5
SHA1:	EEE8622BDB4E66CC9D61F1339207125811EC335B
SHA-256:	F9E95D12A77D6EDF2797CB0BB23E6B19CF2F2C83C44D0DA1E84174C252015993
SHA-512:	9AA0A1E4C597C09791CFB404CBF90BBCEC30282948197C21C246B476EE6DD2C18C574837A5041BEE031F6251879AB592534D92A4EFD1CE0569064EBC71EC16FA
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....K..r.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.X!}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X!}....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.X!}....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.X!}...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VEW.L....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:41:05 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.004490571704533
Encrypted:	false
SSDEEP:	48:83tbdtT0OHpidAKZdA14ehDiZUkwqehhy+R:835Y2Py
MD5:	42F5922705AF38703C7E8B71EB90E487
SHA1:	D7889B3598D4B8F39CB2275686DECD977BC843D5
SHA-256:	F9F2A25C668639E9B990E90B1CC757CA1CE895F8975816414147BD0F0339A03F
SHA-512:	C2B2182F799427DB274E0503FAFA86FB5143A4F35B8741A570B0861847FE5FAEB02A382E45AB7B803FA9C5C6CB270FE88A18D9E396838B16D4F9BD97A869CFCD
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....qd.........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.X!}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X!}....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.X!}....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.X!}...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X#}....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:41:05 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9951858432974205
Encrypted:	false
SSDEEP:	48:8NtbdtT0OHpidAKZdA1mehBiZUk1W1qehzy+C:8N5YG9Ty
MD5:	2D764253D7794904062FD97A17A92039
SHA1:	A5B8FFD30322CCB1D4E572EC107C6217D1625094
SHA-256:	6336683DB18E1430305B67CE4A4B2DC21F9E62A985F3615278E70AE976216D4D
SHA-512:	B7F4B729CAB279F8B7732B760F30FB47AFF85BF0B55EA97BA82E7133109FBD5112C9F4DB3A48F11250226F92F57AF643CD2289F6C81E61541A09CE20128E5595
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,...............y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.X!}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X!}....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.X!}....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.X!}...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X#}....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:41:05 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.008401462392728
Encrypted:	false
SSDEEP:	48:8FtbdtT0OHpidAKZdA1duT1ehOuTbbiZUk5OjqehOuTbJy+yT+:8F5YNTyTbxWOvTbJy7T
MD5:	7A54BD44BCB84EB522FC6376E1CF2C07
SHA1:	9FB973D65E5E38F20858F5A77EC8CFAB8E1E8624
SHA-256:	6C780939784D77D03F83147650663EB71DDE2FC2527F803949DC00ADC74EF5C1
SHA-512:	92A731AA04CB3C3243EF907B1D4CEBECD582D3D45C1FDA7BF03A942FBF0BF2F7D057B643234F689164B193326092D802A24EA98ACFBE57D127756283104EE924
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....$..........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.X!}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X!}....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.X!}....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.X!}...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X#}....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 59

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, from Unix, original size modulo 2^32 139
Category:	downloaded
Size (bytes):	138
Entropy (8bit):	6.286858305684119
Encrypted:	false
SSDEEP:	3:FttQ9VpbXFk6iIjm1kdD7tEG0mEn5CxlO2mq/:XtQ3pLliIVdDaNncin6
MD5:	94FB98BE8BDD4DBEE04466394AAAEADF
SHA1:	9491C61EE46AF33BE0FEB8168B1101219DF044EE
SHA-256:	1EE2F7A9E4FEAADE11E46B95DBA2701B8E2EF59A9C01F60D92C6BD82ABF02F21
SHA-512:	F03965618A244991BDC06CD8B73993DDD209AE717214134C73CE89632A8813454A6FB8F5C002EFFEA7B7792402C5158C34E1DE86D532C2F522E824E941E675EF
Malicious:	false
Reputation:	low
URL:	http://twomancake.com/
Preview:	..........,....0.Dw....2.^J..C......&(......N..N....K..$.-0i~t.rh.t...\.6k}.w.....Y.z2...../..m.eZ..UMz.8.....0m.~._.........O#T....

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 17:41:00.676331043 CEST	49674	443	192.168.2.10	173.222.162.55
May 24, 2024 17:41:00.676429987 CEST	49675	443	192.168.2.10	173.222.162.55
May 24, 2024 17:41:00.719525099 CEST	49671	443	192.168.2.10	204.79.197.203
May 24, 2024 17:41:01.020049095 CEST	49671	443	192.168.2.10	204.79.197.203
May 24, 2024 17:41:01.629429102 CEST	49671	443	192.168.2.10	204.79.197.203
May 24, 2024 17:41:02.832675934 CEST	49671	443	192.168.2.10	204.79.197.203
May 24, 2024 17:41:05.351299047 CEST	49671	443	192.168.2.10	204.79.197.203
May 24, 2024 17:41:05.508109093 CEST	49709	80	192.168.2.10	188.114.97.3
May 24, 2024 17:41:05.508578062 CEST	49710	80	192.168.2.10	188.114.97.3
May 24, 2024 17:41:05.513259888 CEST	80	49709	188.114.97.3	192.168.2.10
May 24, 2024 17:41:05.513336897 CEST	49709	80	192.168.2.10	188.114.97.3
May 24, 2024 17:41:05.513495922 CEST	49709	80	192.168.2.10	188.114.97.3
May 24, 2024 17:41:05.518182993 CEST	80	49710	188.114.97.3	192.168.2.10
May 24, 2024 17:41:05.518245935 CEST	49710	80	192.168.2.10	188.114.97.3
May 24, 2024 17:41:05.523129940 CEST	80	49709	188.114.97.3	192.168.2.10
May 24, 2024 17:41:06.071635008 CEST	80	49709	188.114.97.3	192.168.2.10
May 24, 2024 17:41:06.119342089 CEST	49709	80	192.168.2.10	188.114.97.3
May 24, 2024 17:41:08.127446890 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:08.127479076 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:08.127624035 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:08.128046036 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:08.128060102 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:08.768194914 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:08.768836021 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:08.768851995 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:08.769840956 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:08.769922972 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:08.771343946 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:08.771418095 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:08.816029072 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:08.816039085 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:08.863018036 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:08.926182985 CEST	49677	443	192.168.2.10	20.42.65.85
May 24, 2024 17:41:09.093893051 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:09.093935013 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:09.094187975 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:09.096280098 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:09.096292973 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:09.237893105 CEST	49677	443	192.168.2.10	20.42.65.85
May 24, 2024 17:41:09.763696909 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:09.763758898 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:09.767730951 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:09.767741919 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:09.768006086 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:09.816036940 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:09.835498095 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:09.847279072 CEST	49677	443	192.168.2.10	20.42.65.85
May 24, 2024 17:41:09.878532887 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.067482948 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.067543030 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.067594051 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:10.067694902 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:10.067723036 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.067733049 CEST	49714	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:10.067739010 CEST	443	49714	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.102348089 CEST	49715	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:10.102380991 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.102461100 CEST	49715	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:10.102838993 CEST	49715	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:10.102847099 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.153106928 CEST	49671	443	192.168.2.10	204.79.197.203
May 24, 2024 17:41:10.286608934 CEST	49674	443	192.168.2.10	173.222.162.55
May 24, 2024 17:41:10.286679983 CEST	49675	443	192.168.2.10	173.222.162.55
May 24, 2024 17:41:10.852416992 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.852591038 CEST	49715	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:10.855011940 CEST	49715	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:10.855031013 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.855276108 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:10.857039928 CEST	49715	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:10.902504921 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:11.052704096 CEST	49677	443	192.168.2.10	20.42.65.85
May 24, 2024 17:41:11.170367956 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:11.170433044 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:11.170497894 CEST	49715	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:11.171233892 CEST	49715	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:11.171233892 CEST	49715	443	192.168.2.10	2.19.244.127
May 24, 2024 17:41:11.171251059 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:11.171260118 CEST	443	49715	2.19.244.127	192.168.2.10
May 24, 2024 17:41:13.458568096 CEST	49677	443	192.168.2.10	20.42.65.85
May 24, 2024 17:41:18.269145012 CEST	49677	443	192.168.2.10	20.42.65.85
May 24, 2024 17:41:18.677637100 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:18.677720070 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:18.677933931 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:19.753526926 CEST	49671	443	192.168.2.10	204.79.197.203
May 24, 2024 17:41:20.714970112 CEST	49713	443	192.168.2.10	216.58.206.68
May 24, 2024 17:41:20.714993954 CEST	443	49713	216.58.206.68	192.168.2.10
May 24, 2024 17:41:20.892393112 CEST	80	49710	188.114.97.3	192.168.2.10
May 24, 2024 17:41:20.894418955 CEST	49710	80	192.168.2.10	188.114.97.3
May 24, 2024 17:41:22.505081892 CEST	49710	80	192.168.2.10	188.114.97.3
May 24, 2024 17:41:22.548754930 CEST	80	49710	188.114.97.3	192.168.2.10
May 24, 2024 17:41:27.878535032 CEST	49677	443	192.168.2.10	20.42.65.85
May 24, 2024 17:41:51.082098961 CEST	49709	80	192.168.2.10	188.114.97.3
May 24, 2024 17:41:51.087080002 CEST	80	49709	188.114.97.3	192.168.2.10
May 24, 2024 17:42:08.161211014 CEST	49722	443	192.168.2.10	216.58.206.68
May 24, 2024 17:42:08.161268950 CEST	443	49722	216.58.206.68	192.168.2.10
May 24, 2024 17:42:08.161535025 CEST	49722	443	192.168.2.10	216.58.206.68
May 24, 2024 17:42:08.161887884 CEST	49722	443	192.168.2.10	216.58.206.68
May 24, 2024 17:42:08.161900043 CEST	443	49722	216.58.206.68	192.168.2.10
May 24, 2024 17:42:08.810993910 CEST	443	49722	216.58.206.68	192.168.2.10
May 24, 2024 17:42:08.811300993 CEST	49722	443	192.168.2.10	216.58.206.68
May 24, 2024 17:42:08.811337948 CEST	443	49722	216.58.206.68	192.168.2.10
May 24, 2024 17:42:08.811872005 CEST	443	49722	216.58.206.68	192.168.2.10
May 24, 2024 17:42:08.812237024 CEST	49722	443	192.168.2.10	216.58.206.68
May 24, 2024 17:42:08.812351942 CEST	443	49722	216.58.206.68	192.168.2.10
May 24, 2024 17:42:08.863903046 CEST	49722	443	192.168.2.10	216.58.206.68
May 24, 2024 17:42:18.707101107 CEST	443	49722	216.58.206.68	192.168.2.10
May 24, 2024 17:42:18.707170010 CEST	443	49722	216.58.206.68	192.168.2.10
May 24, 2024 17:42:18.707233906 CEST	49722	443	192.168.2.10	216.58.206.68
May 24, 2024 17:42:20.506462097 CEST	49722	443	192.168.2.10	216.58.206.68
May 24, 2024 17:42:20.506525993 CEST	443	49722	216.58.206.68	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 17:41:04.027107000 CEST	53	55525	1.1.1.1	192.168.2.10
May 24, 2024 17:41:04.068471909 CEST	53	55098	1.1.1.1	192.168.2.10
May 24, 2024 17:41:05.274235964 CEST	53	51041	1.1.1.1	192.168.2.10
May 24, 2024 17:41:05.475945950 CEST	51821	53	192.168.2.10	1.1.1.1
May 24, 2024 17:41:05.475945950 CEST	64434	53	192.168.2.10	1.1.1.1
May 24, 2024 17:41:05.494463921 CEST	53	51821	1.1.1.1	192.168.2.10
May 24, 2024 17:41:05.528249979 CEST	53	64434	1.1.1.1	192.168.2.10
May 24, 2024 17:41:08.110763073 CEST	53606	53	192.168.2.10	1.1.1.1
May 24, 2024 17:41:08.110968113 CEST	64894	53	192.168.2.10	1.1.1.1
May 24, 2024 17:41:08.118452072 CEST	53	53606	1.1.1.1	192.168.2.10
May 24, 2024 17:41:08.126128912 CEST	53	64894	1.1.1.1	192.168.2.10
May 24, 2024 17:41:22.691555977 CEST	53	65371	1.1.1.1	192.168.2.10
May 24, 2024 17:41:41.424614906 CEST	53	65302	1.1.1.1	192.168.2.10
May 24, 2024 17:42:03.800565958 CEST	53	50757	1.1.1.1	192.168.2.10
May 24, 2024 17:42:04.083504915 CEST	53	50241	1.1.1.1	192.168.2.10
May 24, 2024 17:42:08.029881001 CEST	138	138	192.168.2.10	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 24, 2024 17:41:05.528469086 CEST	192.168.2.10	1.1.1.1	c233	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 17:41:05.475945950 CEST	192.168.2.10	1.1.1.1	0xf839	Standard query (0)	twomancake.com	A (IP address)	IN (0x0001)	false
May 24, 2024 17:41:05.475945950 CEST	192.168.2.10	1.1.1.1	0x7bd0	Standard query (0)	twomancake.com	65	IN (0x0001)	false
May 24, 2024 17:41:08.110763073 CEST	192.168.2.10	1.1.1.1	0x78ce	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 24, 2024 17:41:08.110968113 CEST	192.168.2.10	1.1.1.1	0x4da	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 24, 2024 17:41:05.494463921 CEST	1.1.1.1	192.168.2.10	0xf839	No error (0)	twomancake.com	188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 17:41:05.494463921 CEST	1.1.1.1	192.168.2.10	0xf839	No error (0)	twomancake.com	188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 17:41:05.528249979 CEST	1.1.1.1	192.168.2.10	0x7bd0	No error (0)	twomancake.com		65	IN (0x0001)	false
May 24, 2024 17:41:08.118452072 CEST	1.1.1.1	192.168.2.10	0x78ce	No error (0)	www.google.com	216.58.206.68	A (IP address)	IN (0x0001)	false
May 24, 2024 17:41:08.126128912 CEST	1.1.1.1	192.168.2.10	0x4da	No error (0)	www.google.com		65	IN (0x0001)	false
May 24, 2024 17:41:56.496697903 CEST	1.1.1.1	192.168.2.10	0x99f	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
May 24, 2024 17:41:56.496697903 CEST	1.1.1.1	192.168.2.10	0x99f	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

twomancake.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49709	188.114.97.3	80	2932	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 17:41:05.513495922 CEST	429	OUT	GET / HTTP/1.1 Host: twomancake.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
May 24, 2024 17:41:06.071635008 CEST	903	IN	HTTP/1.1 404 Not Found Date: Fri, 24 May 2024 15:41:06 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: Express Access-Control-Allow-Origin: * Content-Security-Policy: default-src 'none' X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9NZVRDebILBnleGFDEvrwKKgmCxWzK8nLOfXTlxtBeoHct%2FOFG9AoilCQGlUtQY5BBUW7I8Q2u1HaQA6nRLKs83WSQX3rQuEZwQtgv%2FYO%2B%2FOMD7yGSMcUL%2Bwjjyha3Ep9w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888e63501a0e0fa8-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 37 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 2c 8d b1 0e c2 30 0c 44 77 7f 85 c9 8e bc 32 b8 5e 4a c4 08 43 97 8e 86 1a 8a 94 26 28 98 a1 7f 8f 02 9d 4e f7 9e 4e c7 bb e3 b9 1f c6 4b c4 d9 97 24 c0 2d 30 69 7e 74 c1 72 68 c0 74 12 e0 c5 5c f1 36 6b 7d 9b 77 e1 e3 f7 fd a1 59 7f 7a 32 89 b5 96 ca f4 2f c0 b4 6d ae 65 5a 05 f8 55 4d 7a cd b9 38 9e e2 80 c4 d4 08 30 6d 9e 7e d7 5f 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 e6 4f 23 54 8b 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7f,0Dw2^JC&(NNK$-0i~trht\6k}wYz2/meZUMz80m~_bO#T0
May 24, 2024 17:41:51.082098961 CEST	6	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49714	2.19.244.127	443

Timestamp	Bytes transferred	Direction	Data
2024-05-24 15:41:09 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-24 15:41:10 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=174465 Date: Fri, 24 May 2024 15:41:09 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49715	2.19.244.127	443

Timestamp	Bytes transferred	Direction	Data
2024-05-24 15:41:10 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-24 15:41:11 UTC	535	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0WwMRYwAAAABe7whxSEuqSJRuLqzPsqCaTE9OMjFFREdFMTcxNQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=174509 Date: Fri, 24 May 2024 15:41:11 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-24 15:41:11 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Target ID:	1
Start time:	11:41:00
Start date:	24/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:41:01
Start date:	24/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2168,i,8641132215159082791,12555900835733439550,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:41:04
Start date:	24/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://twomancake.com"
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: twomancake.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: twomancake.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://twomancake.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 59

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6672, Parent PID: 4000

General

Chronological Activities

Analysis Process: chrome.exePID: 2932, Parent PID: 6672

General

Windows Analysis Report
http://twomancake.com