Windows Analysis Report
https://218.4.51.20:85/sztjj/qytb.action

Overview

General Information

Sample URL: https://218.4.51.20:85/sztjj/qytb.action
Analysis ID: 1544361

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected phishing page
AI detected suspicious URL
Detected non-DNS traffic on DNS port
HTML body contains low number of good links
HTML body contains password input but no form action
HTML title does not match URL
Stores files to the Windows start menu directory

Classification

Phishing

Source: https://218.4.51.20:85/sztjj/qytb.action LLM: Score: 9 Reasons: The URL is an IP address (218.4.51.20) which is unusual for legitimate brand websites, as they typically use domain names., The brand 'China.com' is a known brand and typically associated with the domain 'china.com'., IP addresses are often used in phishing attempts to obscure the true destination of the link., The presence of input fields for '' (user account) and '' (password) suggests an attempt to collect sensitive information., There is no direct association between the IP address and the legitimate domain 'china.com'. DOM: 1.3.pages.csv
Source: https://218.4.51.20:85/sztjj/qytb.action HTTP Parser: Number of links: 0
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193803509&web_check=99ef26e1623489cf777b1b56f8707f6b209d9038574e4e87c6a3601581344940 HTTP Parser: Number of links: 0
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193814683&web_check=cdce6882cbdc2d76a455595767be0464da99849f4af8d0cc5305b02cf8168fb6 HTTP Parser: Number of links: 0
Source: https://218.4.51.20:85/sztjj/qytb.action HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193803509&web_check=99ef26e1623489cf777b1b56f8707f6b209d9038574e4e87c6a3601581344940 HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193814683&web_check=cdce6882cbdc2d76a455595767be0464da99849f4af8d0cc5305b02cf8168fb6 HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://218.4.51.20:85/sztjj/qytb.action HTTP Parser: Title: WBTJ- V3[2024-07-26 14:40][2024-10-29 17:22] does not match URL
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193803509&web_check=99ef26e1623489cf777b1b56f8707f6b209d9038574e4e87c6a3601581344940 HTTP Parser: Title: WBTJ- V3[2024-07-26 14:40][2024-10-29 17:23] does not match URL
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193814683&web_check=cdce6882cbdc2d76a455595767be0464da99849f4af8d0cc5305b02cf8168fb6 HTTP Parser: Title: WBTJ- V3[2024-07-26 14:40][2024-10-29 17:23] does not match URL
Source: https://218.4.51.20:85/sztjj/qytb.action HTTP Parser: <input type="password" .../> found
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193803509&web_check=99ef26e1623489cf777b1b56f8707f6b209d9038574e4e87c6a3601581344940 HTTP Parser: <input type="password" .../> found
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193814683&web_check=cdce6882cbdc2d76a455595767be0464da99849f4af8d0cc5305b02cf8168fb6 HTTP Parser: <input type="password" .../> found
Source: https://218.4.51.20:85/sztjj/qytb.action HTTP Parser: No favicon
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193803509&web_check=99ef26e1623489cf777b1b56f8707f6b209d9038574e4e87c6a3601581344940 HTTP Parser: No favicon
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193814683&web_check=cdce6882cbdc2d76a455595767be0464da99849f4af8d0cc5305b02cf8168fb6 HTTP Parser: No favicon
Source: https://218.4.51.20:85/sztjj/qytb.action HTTP Parser: No <meta name="author".. found
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193803509&web_check=99ef26e1623489cf777b1b56f8707f6b209d9038574e4e87c6a3601581344940 HTTP Parser: No <meta name="author".. found
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193814683&web_check=cdce6882cbdc2d76a455595767be0464da99849f4af8d0cc5305b02cf8168fb6 HTTP Parser: No <meta name="author".. found
Source: https://218.4.51.20:85/sztjj/qytb.action HTTP Parser: No <meta name="copyright".. found
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193803509&web_check=99ef26e1623489cf777b1b56f8707f6b209d9038574e4e87c6a3601581344940 HTTP Parser: No <meta name="copyright".. found
Source: https://218.4.51.20:85/sztjj/qytb.action?WEB_TOKEN=noToken&web_csrf=WBENCRYPT1_1730193814683&web_check=cdce6882cbdc2d76a455595767be0464da99849f4af8d0cc5305b02cf8168fb6 HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:53231 version: TLS 1.2
Source: global traffic TCP traffic: 192.168.2.16:53179 -> 1.1.1.1:53
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 218.4.51.20
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT | Range: bytes=0-2147483646 | User-Agent: Microsoft BITS/7.8 | Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dprbd5XupfAglTl&MD=YoD2ahD9 HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dprbd5XupfAglTl&MD=YoD2ahD9 HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53231
Source: unknown Network traffic detected: HTTP traffic on port 53231 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: classification engine Classification label: mal52.phis.win@21/10@2/5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1892,i,9188576701095020588,11155318289269312982,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://218.4.51.20:85/sztjj/qytb.action"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: Google Drive.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Source: Email JoeBoxAI: AI detected IP in URL: URL: https://218.4.51.20:85
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk