Edit tour

Windows Analysis Report
http://yfxmjmbpd.ru

Overview

General Information

Sample URL:	http://yfxmjmbpd.ru
Analysis ID:	1583498
Infos:

Errors URL not reachable

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 2800 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2236,i,5175913674340574420,3226963822534671686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://yfxmjmbpd.ru" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T21:01:16.726597+0100	2018642	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.5	61953	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2018642 - Severity 1 - ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain : 1.1.1.1:53 -> 192.168.2.5:61953

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: yfxmjmbpd.ruConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: yfxmjmbpd.ruConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: yfxmjmbpd.ruConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: yfxmjmbpd.ruConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: yfxmjmbpd.ruConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: yfxmjmbpd.ruConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: yfxmjmbpd.ruConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: yfxmjmbpd.ru

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: classification engine

Classification label: mal48.win@20/6@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2236,i,5175913674340574420,3226963822534671686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://yfxmjmbpd.ru"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2236,i,5175913674340574420,3226963822534671686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://yfxmjmbpd.ru	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://yfxmjmbpd.ru/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.185.132	true	false		high
yfxmjmbpd.ru	204.95.99.243	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://yfxmjmbpd.ru/	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
204.95.99.243	yfxmjmbpd.ru	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583498
Start date and time:	2025-01-02 21:00:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://yfxmjmbpd.ru
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@20/6@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	URL browsing timeout or error

Errors

URL not reachable

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.212.131, 142.250.186.142, 173.194.76.84, 172.217.16.142, 142.250.186.46, 142.250.184.206, 217.20.57.35, 192.229.221.95, 172.217.18.14, 142.250.185.238, 184.28.90.27, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: http://yfxmjmbpd.ru

Simulations

Behavior and APIs

⊘No simulations

Input	Output
URL: http://yfxmjmbpd.ru Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: http://yfxmjmbpd.ru

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 2 19:01:11 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.977929817861678
Encrypted:	false
SSDEEP:	48:8RdfTXjfH/idAKZdA19ehwiZUklqehGy+3:8Lv5Fy
MD5:	068C4A6E4A2B6977898E06126513A469
SHA1:	606F442C466BF53C26BC47689DE002BB65DA5357
SHA-256:	2A927DAD8F92E9C9270E7801FC56B4D1813AC117B629A32BB1063B91F732E73F
SHA-512:	D803D32BD2B20CBF8591154CD3AC6CFB01B3E7D75B516501BB118EFA873C5BAC9F259A43F2E8297D0CB9D386CE45F489EB8A25DC7B8B86C2854AA827F3E27E1E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....W`.Q]..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"Z$.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V"Z$.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V"Z$.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V"Z$............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V"Z&............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%..r.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 2 19:01:11 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.993686488970811
Encrypted:	false
SSDEEP:	48:8FdfTXjfH/idAKZdA1weh/iZUkAQkqeh1y+2:8Xvr9Q4y
MD5:	3E44602F6400E5FF89CB8C0587333D1F
SHA1:	CCB5CD32D12241E212810DDA963426929B168DFA
SHA-256:	65C6C97AAD2D2F5BA24688CA0342C8AF329482C5AE17572B16FDDA8626C8B5B2
SHA-512:	F8DB10FF37F86C7E84D45536641628C4A03410FF1505C89C0057665EFDA34898949FE03A3C07A8B7636450080B7E39D1DB1F1E8332FFE3176278234C39B9D6BE
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......R.Q]..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"Z$.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V"Z$.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V"Z$.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V"Z$............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V"Z&............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%..r.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.00524422843409
Encrypted:	false
SSDEEP:	48:8xsdfTXjsH/idAKZdA14tseh7sFiZUkmgqeh7sHy+BX:8x8vinhy
MD5:	467745603D928805029584D7382DDDB5
SHA1:	A46BF54B956E64564B127AA5BD206E670592D010
SHA-256:	BE9EE19410A5D1119085580C3C810C0BDE013EEB6B3F3A13A5024B154F6DECB2
SHA-512:	AFA21F9E4D50CDC3BDE7B598B7A43F0495336C2DE6ECFFC283D735164C5C2532D4C98E8D9AD6BF34B15E8F059612A9DA2ADA2C386348DACAD768BBEE9B84BCFD
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"Z$.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V"Z$.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V"Z$.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V"Z$............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%..r.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 2 19:01:11 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.992179726179293
Encrypted:	false
SSDEEP:	48:8TdfTXjfH/idAKZdA1vehDiZUkwqehJy+R:8VvoPy
MD5:	92FC5FAE814FE5D3B9EB74CEE10CE6BD
SHA1:	900BD90543022C80E6EDC00F67D13F07F2B21215
SHA-256:	987D1CB772EB3A070B4B40BEE8D4773F6D374CFA385AE8492A3B35ACC69FF019
SHA-512:	2887F9716531154AE0DD17CA891D79E8ABE21C9A75359293B0D3844797054E14DF54143F58D242C5E54838B7E9028DA33EE5A1A757467F5B6EACFD231B5C40FE
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....DM.Q]..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"Z$.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V"Z$.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V"Z$.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V"Z$............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V"Z&............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%..r.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 2 19:01:11 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.982312331901966
Encrypted:	false
SSDEEP:	48:8OdfTXjfH/idAKZdA1hehBiZUk1W1qehDy+C:8mv49jy
MD5:	AFF3DB6B9BF44A8F21BF171E50DF76F7
SHA1:	BEE76A7D1E5853B77C4A3829D1640BC6A83A473A
SHA-256:	C5368AA37ABAA50CF29ED826416C77CE6F6FC1EC841A0AECD7FC1505A024365E
SHA-512:	E7A9F15FF865C0A36DF18867641DA5E880FF3596C4FAE4587ECA4CD4F406FF5BFB3709CB861F33C9971860FFA360EFFD68F92EF71AD76D1FC1299E6459E909A7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....0Y.Q]..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"Z$.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V"Z$.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V"Z$.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V"Z$............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V"Z&............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%..r.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 2 19:01:11 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9917210680920636
Encrypted:	false
SSDEEP:	48:8edfTXjfH/idAKZdA1duT+ehOuTbbiZUk5OjqehOuTbhy+yT+:8WvWT/TbxWOvTbhy7T
MD5:	77F9E0FBB55784D3632594142BF5EA56
SHA1:	038B95B09D1F864357799F0446D4C38D1280DDE0
SHA-256:	8BEA1038708741E8F471C71C737F8620AA10A5AD7067D63743BCAD50E86FE0C0
SHA-512:	45C27DC249C2DCF10771DB78EBFC5F24E217F005789C07E0542E236D2F65EC78911A55C87827DB33B36F56B9A9856ACB9C701035F29F5EB03376606A1E3322ED
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....C.Q]..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I"Z$.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V"Z$.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V"Z$.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V"Z$............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V"Z&............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%..r.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Static File Info

⊘No static file info

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T21:01:16.726597+0100	2018642	ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain	1	1.1.1.1	53	192.168.2.5	61953	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 21:01:04.149832010 CET	49674	443	192.168.2.5	23.1.237.91
Jan 2, 2025 21:01:04.149833918 CET	49675	443	192.168.2.5	23.1.237.91
Jan 2, 2025 21:01:04.274863958 CET	49673	443	192.168.2.5	23.1.237.91
Jan 2, 2025 21:01:13.754328966 CET	49675	443	192.168.2.5	23.1.237.91
Jan 2, 2025 21:01:13.754329920 CET	49674	443	192.168.2.5	23.1.237.91
Jan 2, 2025 21:01:13.879317045 CET	49673	443	192.168.2.5	23.1.237.91
Jan 2, 2025 21:01:14.856909990 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:14.856935978 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:14.856992006 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:14.857242107 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:14.857255936 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:15.503245115 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:15.503504992 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:15.503519058 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:15.504379034 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:15.504477024 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:15.505462885 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:15.505527973 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:15.551357985 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:15.551367044 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:15.598254919 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:15.604266882 CET	443	49703	23.1.237.91	192.168.2.5
Jan 2, 2025 21:01:15.604387045 CET	49703	443	192.168.2.5	23.1.237.91
Jan 2, 2025 21:01:16.727401972 CET	49714	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:16.727988005 CET	49715	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:16.732192039 CET	80	49714	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:16.732364893 CET	49714	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:16.732548952 CET	49714	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:16.732734919 CET	80	49715	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:16.732790947 CET	49715	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:16.737337112 CET	80	49714	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:17.241013050 CET	80	49714	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:17.241226912 CET	49714	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:17.241816044 CET	49714	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:17.246583939 CET	80	49714	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:17.265309095 CET	80	49715	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:17.265374899 CET	49715	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:17.297090054 CET	49715	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:17.301948071 CET	80	49715	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:18.288297892 CET	49717	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:18.288858891 CET	49718	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:18.294984102 CET	80	49717	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:18.295317888 CET	49717	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:18.295515060 CET	80	49718	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:18.295572042 CET	49718	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:18.295653105 CET	49717	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:18.302617073 CET	80	49717	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:18.835664988 CET	80	49718	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:18.840704918 CET	49718	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:18.845525026 CET	80	49717	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:18.846723080 CET	49717	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:18.857028961 CET	49717	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:18.862525940 CET	80	49717	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:19.460690022 CET	49718	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:19.465583086 CET	80	49718	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:23.871562958 CET	49719	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:23.871716976 CET	49720	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:23.876386881 CET	80	49719	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:23.876467943 CET	49719	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:23.876527071 CET	80	49720	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:23.876594067 CET	49720	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:23.879931927 CET	49719	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:23.884778976 CET	80	49719	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:24.384645939 CET	80	49719	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:24.384727001 CET	49719	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:24.384819031 CET	49719	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:24.385144949 CET	49720	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:24.389554977 CET	80	49719	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:24.389919043 CET	80	49720	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:24.393690109 CET	80	49720	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:24.393755913 CET	49720	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:24.393826008 CET	49720	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:24.394279003 CET	49721	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:24.398574114 CET	80	49720	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:24.399055004 CET	80	49721	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:24.399131060 CET	49721	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:24.399302959 CET	49721	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:24.404073954 CET	80	49721	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:25.310767889 CET	80	49721	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:25.310852051 CET	49721	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:25.316329002 CET	49721	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:25.321094036 CET	80	49721	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:25.412919998 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:25.412980080 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:25.413044930 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:25.462301016 CET	49712	443	192.168.2.5	142.250.185.132
Jan 2, 2025 21:01:25.462321997 CET	443	49712	142.250.185.132	192.168.2.5
Jan 2, 2025 21:01:31.642121077 CET	49749	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:31.642271042 CET	49750	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:31.646941900 CET	80	49749	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:31.647046089 CET	49749	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:31.647070885 CET	80	49750	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:31.647124052 CET	49750	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:31.651082993 CET	49749	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:31.655917883 CET	80	49749	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:32.149804115 CET	80	49750	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:32.150042057 CET	49750	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:32.163850069 CET	80	49749	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:32.164016008 CET	49749	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:32.164254904 CET	49749	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:32.164257050 CET	49750	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:32.164520025 CET	49756	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:32.169140100 CET	80	49749	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:32.169161081 CET	80	49750	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:32.169362068 CET	80	49756	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:32.169423103 CET	49756	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:32.169583082 CET	49756	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:32.174385071 CET	80	49756	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:32.690220118 CET	80	49756	204.95.99.243	192.168.2.5
Jan 2, 2025 21:01:32.690391064 CET	49756	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:32.690567970 CET	49756	80	192.168.2.5	204.95.99.243
Jan 2, 2025 21:01:32.695342064 CET	80	49756	204.95.99.243	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 21:01:11.235035896 CET	53	56245	1.1.1.1	192.168.2.5
Jan 2, 2025 21:01:11.249737978 CET	53	56200	1.1.1.1	192.168.2.5
Jan 2, 2025 21:01:12.328531981 CET	53	54232	1.1.1.1	192.168.2.5
Jan 2, 2025 21:01:14.848995924 CET	64946	53	192.168.2.5	1.1.1.1
Jan 2, 2025 21:01:14.849205017 CET	55848	53	192.168.2.5	1.1.1.1
Jan 2, 2025 21:01:14.855863094 CET	53	64946	1.1.1.1	192.168.2.5
Jan 2, 2025 21:01:14.856156111 CET	53	55848	1.1.1.1	192.168.2.5
Jan 2, 2025 21:01:16.517987967 CET	61953	53	192.168.2.5	1.1.1.1
Jan 2, 2025 21:01:16.518268108 CET	59284	53	192.168.2.5	1.1.1.1
Jan 2, 2025 21:01:16.653698921 CET	53	59284	1.1.1.1	192.168.2.5
Jan 2, 2025 21:01:16.726597071 CET	53	61953	1.1.1.1	192.168.2.5
Jan 2, 2025 21:01:29.340898037 CET	53	58384	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 21:01:14.848995924 CET	192.168.2.5	1.1.1.1	0x9f7b	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 21:01:14.849205017 CET	192.168.2.5	1.1.1.1	0x9263	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jan 2, 2025 21:01:16.517987967 CET	192.168.2.5	1.1.1.1	0x29af	Standard query (0)	yfxmjmbpd.ru	A (IP address)	IN (0x0001)	false
Jan 2, 2025 21:01:16.518268108 CET	192.168.2.5	1.1.1.1	0xb77a	Standard query (0)	yfxmjmbpd.ru	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 21:01:14.855863094 CET	1.1.1.1	192.168.2.5	0x9f7b	No error (0)	www.google.com	142.250.185.132	A (IP address)	IN (0x0001)	false
Jan 2, 2025 21:01:14.856156111 CET	1.1.1.1	192.168.2.5	0x9263	No error (0)	www.google.com		65	IN (0x0001)	false
Jan 2, 2025 21:01:16.726597071 CET	1.1.1.1	192.168.2.5	0x29af	No error (0)	yfxmjmbpd.ru	204.95.99.243	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

yfxmjmbpd.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	204.95.99.243	80	5052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 21:01:16.732548952 CET	427	OUT	GET / HTTP/1.1 Host: yfxmjmbpd.ru Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	204.95.99.243	80	5052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 21:01:18.295653105 CET	453	OUT	GET / HTTP/1.1 Host: yfxmjmbpd.ru Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49719	204.95.99.243	80	5052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 21:01:23.879931927 CET	453	OUT	GET / HTTP/1.1 Host: yfxmjmbpd.ru Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49720	204.95.99.243	80	5052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 21:01:24.385144949 CET	453	OUT	GET / HTTP/1.1 Host: yfxmjmbpd.ru Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49721	204.95.99.243	80	5052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 21:01:24.399302959 CET	453	OUT	GET / HTTP/1.1 Host: yfxmjmbpd.ru Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49749	204.95.99.243	80	5052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 21:01:31.651082993 CET	453	OUT	GET / HTTP/1.1 Host: yfxmjmbpd.ru Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49756	204.95.99.243	80	5052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 21:01:32.169583082 CET	453	OUT	GET / HTTP/1.1 Host: yfxmjmbpd.ru Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 2800, Parent PID: 5728

General

Target ID:	0
Start time:	15:01:05
Start date:	02/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5052, Parent PID: 2800

General

Target ID:	2
Start time:	15:01:09
Start date:	02/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2236,i,5175913674340574420,3226963822534671686,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 3224, Parent PID: 5728

General

Target ID:	3
Start time:	15:01:15
Start date:	02/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://yfxmjmbpd.ru"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://yfxmjmbpd.ru

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Errors

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 2800, Parent PID: 5728

General

Chronological Activities

Analysis Process: chrome.exePID: 5052, Parent PID: 2800

General

Chronological Activities

Analysis Process: chrome.exePID: 3224, Parent PID: 5728

General

Windows Analysis Report
http://yfxmjmbpd.ru