Windows Analysis Report
https://hightailspaces-us-east-1.s3.amazonaws.com/1ea3bd2d-d820-4963-aaed-9f1480fe08c2?response-content-disposition=attachment%3B%20filename%2A%3DUTF-8%27%27Lena--paul_photos%252B18s%20.zip&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEAsaCXVzLWVhc3QtMSJIMEYCIQDm7mgm%2F3yD5%2Bz4jVRC%2Bq%2BaTpqP2igd9ZomW07D2

Overview

General Information

Sample URL:	https://hightailspaces-us-east-1.s3.amazonaws.com/1ea3bd2d-d820-4963-aaed-9f1480fe08c2?response-content-disposition=attachment%3B%20filename%2A%3DUTF-8%27%27Lena--paul_photos%252B18s%20.zip&X-Amz-Secu
Analysis ID:	1566850

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Stores files to the Windows start menu directory

Classification

Signatures

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.158.186:443 -> 192.168.2.18:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49708 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.22
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.22
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.22
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.22
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.22
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.22
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.22
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.158.186

Source: global traffic	DNS traffic detected: DNS query: hightailspaces-us-east-1.s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.158.186:443 -> 192.168.2.18:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49708 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@17/6@4/101

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1896,i,4686970303018976477,7733449025737329463,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://hightailspaces-us-east-1.s3.amazonaws.com/1ea3bd2d-d820-4963-aaed-9f1480fe08c2?response-content-disposition=attachment%3B%20filename%2A%3DUTF-8%27%27Lena--paul_photos%252B18s%20.zip&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEAsaCXVzLWVhc3QtMSJIMEYCIQDm7mgm%2F3yD5%2Bz4jVRC%2Bq%2BaTpqP2igd9ZomW07D2vKt%2BwIhAMG2JC%2BE8ZfI1vnT50lw04YRgzXdofaWt2J2iOVpE78%2FKrsFCLP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMNzA3OTQyMTU3MzIwIgy5yRqns9APGWoLh6QqjwU6NQFYdX7sNL9ni28CaOrTq7Jn74FVCSQ6erO%2FDVRxossfXhXo8wHS5tjrSzufs11fAt0pFU14hiQgAg4UrpG2OZlsYxbdD1BUUA6qH5Js%2Fmz%2BB0%2FDzmf%2FutPh0B9FP%2FdT3SjSOxl6lDtRK%2BGFSJUx%2BEeuOdZqXqy4N0C8LUIZW5yPFlnPWKA%2BEkrcU4cyqHKIwJNVDxF9jAmxeijFiXSIO5pXapBLl8hjSOF0PY4SaPfhHllopBPapprTDimcxNQ9PtUoX490c6bioWCClRkoCV58Nc4sdCX%2FixC939nOhN5KNQCCmwUdKyb9N6fVvbsrm8nU75ekT%2FjCCbfQdG4I%2FeOCZXU8WQDbBwWYVta%2Bu5gTgDzu671YzqikrX73yNcmhkRJ0Bqj3cUMh7QYQb292muQ4Ki%2BC1ca837IDzxzxOIeYozp3d6ErCJdHkhjUeVjn5%2FW43h0%2BrkACN8GKqxG0oN3IbXVftyAZP%2BEgbAak7PzyTThwnhjoc4iElwNjIThUPlhZOaYEQwuoj76MgTB6E18jpwyUxMzoyE6kaXLYUkfkQlsL5bA14qUYLOGi49CKptqNgjHu84tkOuYB8tb2%2Fk30qsLWQQzFkS%2BQSD5Gp6xEzKqBVOWwSWUSBKQRhgYsf61%2FKmDDneV7cTOaKc17pWoEqom%2BgbCgn4wrb4kJs6EMXYPZDvnbDPvJVuqjQzQDGN%2BD8dy2xohIJ0pjyOYX%2FBtuvmvpRKfocVkRgsdc0MCa1BQr%2F3bCM9THcnsThZz%2FfBlrrt1m4BnwwHmDO9ap6DhMNn9fP4QIwPaDKupfaaNNt20ocfW4QnrQcOKxJAchIKfnc%2B3qu7WK8OqNfUBoIN40hMYatshfrERPdO2MNewtLoGOrABi%2FWrgW38KpoBKYHgDvWjhKqOZYcALwkvtzQZm8b3kD5gUOl7mzbJnBBGbFEmXFOGjBRYJl2IR0vXXOGOdTnI7GXumqfOUJS7XvCVQulYBNQYjDU7wVtlBdREYjhWc%2B4Cc557d88vKbjuU2Kz2tChmIhAYoJaihRYiu5OkRoYvFDE8Xt%2BRIuCZThhgmj879AfyEUbBJGpd8jMy199ae54dl%2FBY5rDQXNW0N%2F9yxMb4J8%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20241202T022606Z&X-Amz-SignedHeaders=host&X-Amz-Credential=ASIA2JVFEBQEFOAF4TZO%2F20241202%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=28800&X-Amz-Signature=8a8fdb41c0af7e05ed8bd4ed523c5b698595db8f449e7f445d2bed92028eed3c"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1896,i,4686970303018976477,7733449025737329463,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.19.206	unknown	United States	15169	GOOGLEUS	false
74.125.205.84	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.17.46	unknown	United States	15169	GOOGLEUS	false
172.217.17.35	unknown	United States	15169	GOOGLEUS	false
3.5.29.78	s3-w.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false
172.217.21.35	unknown	United States	15169	GOOGLEUS	false
172.217.21.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.18

Contacted Domains

Name	IP	Active
s3-w.us-east-1.amazonaws.com	3.5.29.78	true
www.google.com	172.217.21.36	true
hightailspaces-us-east-1.s3.amazonaws.com	unknown	unknown

ID:	1566850
Product:	CloudBasic
Start time:	18:39:07
Start date:	02.12.2024
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 2 16:39:43 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	AE2FC1775928D21CD66DFE098F9AF4D1	643DF91C9F875186C02191AE0CF3DDB2EAAB2495	CAC9B34C75B2DD50E771B5C62712928DEFF577D4EA3585F6956E36F2527B7087
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 09:23:19 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	7CD646A612DA1DC8320E71DD0C95DC77	F477B1476EEADAAF924D2F246101FD49F8B347FC	2E20912B9E4E470FD01475E87346BA9C601AEBF95941A68208F605053D301425
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 2 16:39:43 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	CD05366EA3C9873B934E790FC505CB0B	5D7D8D892FB44BAB82A57098A050C932042817A8	AF48A2C50FD539AC22BC3AF17FA48D1F19F23CAA8A2FB32E4F21466BCC78F256
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 2 16:39:43 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	2D6CF6348E2CDD3AC675371D20BFCD63	4A275677691BD17623AE76B9A79F5323D53C8107	6EBFBC7FF16BDB19C9CEDA629A62B8541B61F0A959423E816BC8A3CC21558755
Chrome Cache Entry: 61	XML 1.0 document, ASCII text, with very long lines (362)	A60AD4589F7788558141D09ACC4CF46B	759EA8018EB5BF9397F102F94846693B28D6A4C2	C76061714F31A0B8E3185F827723E728941586EB3407D0EDC53B3BF85971C483
Chrome Cache Entry: 62	XML 1.0 document, ASCII text	89311FF5758B2F3BCC9D56B7A643838F	FAB125CA122C6646A982CFD741C0F68E8030ABEC	29A302A994043CEDF2C6776E27EF452CE90FBABAD753BCBA27AC7536EB12D850

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Boot Survival

Screenshots

Network Map

Contacted Public IPs

Private

Contacted Domains