Edit tour

Windows Analysis Report
https://telegrams-az.org/

Overview

General Information

Sample URL:	https://telegrams-az.org/
Analysis ID:	1591446
Infos:

Errors URL not reachable

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

AI detected suspicious URL

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3012 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3436 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1972,i,8036542976446090997,406102996211981079,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3348 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://telegrams-az.org/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://telegrams-az.org/

Avira URL Cloud: detection malicious, Label: phishing

Phishing

AI detected suspicious URL

Source: URL	Joe Sandbox AI: AI detected Brand spoofing attempt in URL: https://telegrams-az.org
Source: URL	Joe Sandbox AI: AI detected Typosquatting in URL: https://telegrams-az.org

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: telegrams-az.org
Source: global traffic	DNS traffic detected: DNS query: google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: classification engine

Classification label: mal52.win@20/6@17/3

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1972,i,8036542976446090997,406102996211981079,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://telegrams-az.org/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1972,i,8036542976446090997,406102996211981079,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://telegrams-az.org/	100%	Avira URL Cloud	phishing

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
google.com	142.250.75.238	true	false	high
www.google.com	216.58.206.36	true	false	high
telegrams-az.org	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
216.58.206.36	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591446
Start date and time:	2025-01-15 00:49:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://telegrams-az.org/
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.win@20/6@17/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	URL browsing timeout or error

Errors

URL not reachable

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.35, 142.250.185.110, 142.250.110.84, 142.250.186.110, 172.217.16.206, 172.217.18.14, 84.201.210.23, 2.17.190.73, 142.250.184.206, 142.250.185.206, 142.250.185.238, 184.28.90.27, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://telegrams-az.org/

Simulations

Behavior and APIs

⊘No simulations

Input	Output
URL: https://telegrams-az.org Model: Joe Sandbox AI	{ "typosquatting": true, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": true, "third_party_hosting": true }
URL: https://telegrams-az.org

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 22:50:28 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9729209961937055
Encrypted:	false
SSDEEP:	48:8jdWTSmiKWHqidAKZdA19ehwiZUklqeh9y+3:8wTiKHey
MD5:	9A0AB86DF2615F7CFF9C8754EBD8BE37
SHA1:	B6B162AE744A8D9FA201304C374F698A777B74DD
SHA-256:	CD99F42AAF64D5D35F28003E0545B4A0A24DD89343F14F9702FE4691F8EA0CE7
SHA-512:	1FD9E0A0156383E0D33C2203791F6BC1750891A6DEBDCD4150895511578A4015A45227A5A4578A9A10FF54A92F2ED032EE7D6E41C014897AEA67A7A9D1486E13
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....e...f..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.ZM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.ZM.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.ZM.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.ZM............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.ZO............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'.l}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 22:50:28 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9874572040632392
Encrypted:	false
SSDEEP:	48:87dWTSmiKWHqidAKZdA1weh/iZUkAQkqehOy+2:8YTiKt9Qry
MD5:	87E6DF3A2686D19D53FC896435BF5EE0
SHA1:	30078CB47EBA38D3AC4CF72BE7743C6451B4C1CF
SHA-256:	46559158A243804917A612231E30A3ACB61D9007E588A5A2D32BFB478BC0AA6B
SHA-512:	0B403BE0ECE06D9E5F5B457513B09F9CAA7DAF6A11B2D21B5A2B74383D22E04771FBBE48546D437A9D01BAFFC92D621C03B5B74BA42B375ECB3B6DD97DD052A2
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....A....f..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.ZM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.ZM.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.ZM.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.ZM............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.ZO............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'.l}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.00255505030068
Encrypted:	false
SSDEEP:	48:8xndWTSmsHqidAKZdA14tseh7sFiZUkmgqeh7ssy+BX:8xMTHnKy
MD5:	1B2819709E6A5156DFCD4634A93056D5
SHA1:	312702E762FA79C2835A6E7F22E5030C7B3E741A
SHA-256:	A9F0126BD34FD33D616DD6FBB05FC5E99B05228BFBE31EC3959D0DA1EBE0EA19
SHA-512:	F1BD1426EAE2985B9801C3CA44C51B4C73D5E95A09CA371E8E9077892175AE69AB9C52E190A0E2C4A48B23CA2438BB56FF54DB64D28841330AE39E0285EDD242
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.ZM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.ZM.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.ZM.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.ZM............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'.l}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 22:50:28 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.988133466776056
Encrypted:	false
SSDEEP:	48:82dWTSmiKWHqidAKZdA1vehDiZUkwqehiy+R:8zTiKOky
MD5:	D6D8149995B4F65B6CC66E693A68AC4B
SHA1:	53B399D2333C55CA709A2836BB3F3C81EDD806AE
SHA-256:	87A03BA044E62C9F99985318CFD66BD81656AEB414056BA60A845E6240F35C28
SHA-512:	4F4124757DBAE277B840DE3D8B176EC129BB429B83855E72A160E795BDCD10BC06CE3E558191E5884EABFE2DE69DA7F3BEEB366ED9757285C2DD9615DA3B2ED8
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.........f..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.ZM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.ZM.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.ZM.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.ZM............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.ZO............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'.l}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 22:50:28 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.977186470744621
Encrypted:	false
SSDEEP:	48:8OdWTSmiKWHqidAKZdA1hehBiZUk1W1qehYy+C:87TiK+94y
MD5:	5DEAB390B51D8F0A24224C26288936BF
SHA1:	7F5F67CAB799AC908C7C9730345F523C055E0AB6
SHA-256:	20DF2B915FFDB075D9E0FEE754D4A3A445B133E4ACB9D5311C9CCC1DD243726B
SHA-512:	0CD4EA2F552BAD7D5B21E7BD203E5ED5EF0BF6FB360B15508838342D6BE4BED7B563AEE8EBF4FF3F5FAF8A4B1963FA3061A4DD4F9413A50BDD4D7E8C6D458B91
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.........f..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.ZM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.ZM.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.ZM.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.ZM............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.ZO............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'.l}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 22:50:28 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9878280633899874
Encrypted:	false
SSDEEP:	48:8DdWTSmiKWHqidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbKy+yT+:8QTiKgT/TbxWOvTbKy7T
MD5:	66416035684150000C8F1DB941599BDC
SHA1:	49C3AA6E460A80A2B59CEBAC649F2A3A61C8081C
SHA-256:	B0357E015EC690629D25CAAB401F6B965B892B4D94AE8DCE8D6BE92415E010F3
SHA-512:	BC3CAA1ABDBF03C58925F0901ED9F2FF266ADA03B2148DDE6BF516F75FC539EABC450620274D03FCFF6D152FEA5DF297569B1B24751F2C5C494EACF059BBBD9D
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....y....f..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.ZM.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.ZM.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.ZM.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.ZM............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.ZO............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........'.l}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 00:50:22.653100014 CET	49675	443	192.168.2.5	23.1.237.91
Jan 15, 2025 00:50:22.653186083 CET	49674	443	192.168.2.5	23.1.237.91
Jan 15, 2025 00:50:22.762505054 CET	49673	443	192.168.2.5	23.1.237.91
Jan 15, 2025 00:50:32.173175097 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:32.173218966 CET	443	49713	216.58.206.36	192.168.2.5
Jan 15, 2025 00:50:32.173417091 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:32.173686981 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:32.173702955 CET	443	49713	216.58.206.36	192.168.2.5
Jan 15, 2025 00:50:32.256661892 CET	49674	443	192.168.2.5	23.1.237.91
Jan 15, 2025 00:50:32.256772995 CET	49675	443	192.168.2.5	23.1.237.91
Jan 15, 2025 00:50:32.366048098 CET	49673	443	192.168.2.5	23.1.237.91
Jan 15, 2025 00:50:32.809216022 CET	443	49713	216.58.206.36	192.168.2.5
Jan 15, 2025 00:50:32.809633970 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:32.809669971 CET	443	49713	216.58.206.36	192.168.2.5
Jan 15, 2025 00:50:32.811115026 CET	443	49713	216.58.206.36	192.168.2.5
Jan 15, 2025 00:50:32.811173916 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:32.817104101 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:32.817289114 CET	443	49713	216.58.206.36	192.168.2.5
Jan 15, 2025 00:50:32.866061926 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:32.866096973 CET	443	49713	216.58.206.36	192.168.2.5
Jan 15, 2025 00:50:32.912913084 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:34.031260967 CET	443	49703	23.1.237.91	192.168.2.5
Jan 15, 2025 00:50:34.031354904 CET	49703	443	192.168.2.5	23.1.237.91
Jan 15, 2025 00:50:42.710645914 CET	443	49713	216.58.206.36	192.168.2.5
Jan 15, 2025 00:50:42.710716963 CET	443	49713	216.58.206.36	192.168.2.5
Jan 15, 2025 00:50:42.710797071 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:43.868448019 CET	49713	443	192.168.2.5	216.58.206.36
Jan 15, 2025 00:50:43.868479967 CET	443	49713	216.58.206.36	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 00:50:27.732144117 CET	53	52226	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:27.733686924 CET	53	57750	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:28.714818001 CET	53	54057	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:32.164247036 CET	60406	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:32.164552927 CET	55026	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:32.171977043 CET	53	55026	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:32.172151089 CET	53	60406	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:32.989736080 CET	58554	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:32.989842892 CET	58332	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:33.492927074 CET	53	58332	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:33.757316113 CET	53	58554	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:33.766426086 CET	50561	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:33.780699968 CET	53	50561	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:33.807960987 CET	53425	53	192.168.2.5	8.8.8.8
Jan 15, 2025 00:50:33.808271885 CET	65460	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:33.815228939 CET	53	53425	8.8.8.8	192.168.2.5
Jan 15, 2025 00:50:33.815274000 CET	53	65460	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:34.809833050 CET	61393	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:34.810199976 CET	59543	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:34.816809893 CET	53	61393	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:35.328754902 CET	53	59543	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:39.847904921 CET	49460	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:39.848025084 CET	64448	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:39.865741968 CET	53	64448	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:39.879504919 CET	53	49460	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:39.880126953 CET	61477	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:39.891161919 CET	53	61477	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:45.688878059 CET	53	63048	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:48.935658932 CET	54327	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:48.935919046 CET	56609	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:48.952320099 CET	53	56609	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:48.964463949 CET	53	54327	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:48.980792999 CET	56845	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:49.010600090 CET	53	56845	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:49.030807972 CET	51393	53	192.168.2.5	1.1.1.1
Jan 15, 2025 00:50:49.031579971 CET	65505	53	192.168.2.5	8.8.8.8
Jan 15, 2025 00:50:49.039200068 CET	53	51393	1.1.1.1	192.168.2.5
Jan 15, 2025 00:50:49.043530941 CET	53	65505	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 15, 2025 00:50:35.329214096 CET	192.168.2.5	1.1.1.1	c239	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 00:50:32.164247036 CET	192.168.2.5	1.1.1.1	0xfc9e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:32.164552927 CET	192.168.2.5	1.1.1.1	0x3040	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jan 15, 2025 00:50:32.989736080 CET	192.168.2.5	1.1.1.1	0x2205	Standard query (0)	telegrams-az.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:32.989842892 CET	192.168.2.5	1.1.1.1	0x7863	Standard query (0)	telegrams-az.org	65	IN (0x0001)	false
Jan 15, 2025 00:50:33.766426086 CET	192.168.2.5	1.1.1.1	0x5125	Standard query (0)	telegrams-az.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:33.807960987 CET	192.168.2.5	8.8.8.8	0x303	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:33.808271885 CET	192.168.2.5	1.1.1.1	0x2fcc	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:34.809833050 CET	192.168.2.5	1.1.1.1	0x3e5a	Standard query (0)	telegrams-az.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:34.810199976 CET	192.168.2.5	1.1.1.1	0xed4b	Standard query (0)	telegrams-az.org	65	IN (0x0001)	false
Jan 15, 2025 00:50:39.847904921 CET	192.168.2.5	1.1.1.1	0x855	Standard query (0)	telegrams-az.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:39.848025084 CET	192.168.2.5	1.1.1.1	0x9b88	Standard query (0)	telegrams-az.org	65	IN (0x0001)	false
Jan 15, 2025 00:50:39.880126953 CET	192.168.2.5	1.1.1.1	0x980e	Standard query (0)	telegrams-az.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:48.935658932 CET	192.168.2.5	1.1.1.1	0xc958	Standard query (0)	telegrams-az.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:48.935919046 CET	192.168.2.5	1.1.1.1	0xfc7b	Standard query (0)	telegrams-az.org	65	IN (0x0001)	false
Jan 15, 2025 00:50:48.980792999 CET	192.168.2.5	1.1.1.1	0xf97	Standard query (0)	telegrams-az.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:49.030807972 CET	192.168.2.5	1.1.1.1	0xfeaf	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:49.031579971 CET	192.168.2.5	8.8.8.8	0xaea2	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 00:50:32.171977043 CET	1.1.1.1	192.168.2.5	0x3040	No error (0)	www.google.com			65	IN (0x0001)	false
Jan 15, 2025 00:50:32.172151089 CET	1.1.1.1	192.168.2.5	0xfc9e	No error (0)	www.google.com		216.58.206.36	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:33.492927074 CET	1.1.1.1	192.168.2.5	0x7863	Name error (3)	telegrams-az.org	none	none	65	IN (0x0001)	false
Jan 15, 2025 00:50:33.757316113 CET	1.1.1.1	192.168.2.5	0x2205	Name error (3)	telegrams-az.org	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:33.780699968 CET	1.1.1.1	192.168.2.5	0x5125	Name error (3)	telegrams-az.org	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:33.815228939 CET	8.8.8.8	192.168.2.5	0x303	No error (0)	google.com		142.250.75.238	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:33.815274000 CET	1.1.1.1	192.168.2.5	0x2fcc	No error (0)	google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:34.816809893 CET	1.1.1.1	192.168.2.5	0x3e5a	Name error (3)	telegrams-az.org	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:35.328754902 CET	1.1.1.1	192.168.2.5	0xed4b	Name error (3)	telegrams-az.org	none	none	65	IN (0x0001)	false
Jan 15, 2025 00:50:39.865741968 CET	1.1.1.1	192.168.2.5	0x9b88	Name error (3)	telegrams-az.org	none	none	65	IN (0x0001)	false
Jan 15, 2025 00:50:39.879504919 CET	1.1.1.1	192.168.2.5	0x855	Name error (3)	telegrams-az.org	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:39.891161919 CET	1.1.1.1	192.168.2.5	0x980e	Name error (3)	telegrams-az.org	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:48.952320099 CET	1.1.1.1	192.168.2.5	0xfc7b	Name error (3)	telegrams-az.org	none	none	65	IN (0x0001)	false
Jan 15, 2025 00:50:48.964463949 CET	1.1.1.1	192.168.2.5	0xc958	Name error (3)	telegrams-az.org	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:49.010600090 CET	1.1.1.1	192.168.2.5	0xf97	Name error (3)	telegrams-az.org	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:49.039200068 CET	1.1.1.1	192.168.2.5	0xfeaf	No error (0)	google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Jan 15, 2025 00:50:49.043530941 CET	8.8.8.8	192.168.2.5	0xaea2	No error (0)	google.com		142.250.75.238	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 3012, Parent PID: 5472

General

Target ID:	0
Start time:	18:50:24
Start date:	14/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 3436, Parent PID: 3012

General

Target ID:	2
Start time:	18:50:25
Start date:	14/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1972,i,8036542976446090997,406102996211981079,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 3348, Parent PID: 5472

General

Target ID:	3
Start time:	18:50:31
Start date:	14/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://telegrams-az.org/"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://telegrams-az.org/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Errors

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 3012, Parent PID: 5472

General

Chronological Activities

Analysis Process: chrome.exePID: 3436, Parent PID: 3012

General

Chronological Activities

Analysis Process: chrome.exePID: 3348, Parent PID: 5472

General

Chronological Activities

Windows Analysis Report
https://telegrams-az.org/