Edit tour

Windows Analysis Report
https://ez-drivemzq.top/j

Overview

General Information

Sample URL:	https://ez-drivemzq.top/j
Analysis ID:	1591748
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 1552 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6724 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1952,i,17620846321371725988,6570727933851704785,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6396 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ez-drivemzq.top/j" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://ez-drivemzq.top/j

Avira URL Cloud: detection malicious, Label: phishing

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: ez-drivemzq.top
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: classification engine

Classification label: mal48.win@20/6@4/5

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1952,i,17620846321371725988,6570727933851704785,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ez-drivemzq.top/j"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1952,i,17620846321371725988,6570727933851704785,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://ez-drivemzq.top/j	100%	Avira URL Cloud	phishing

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ez-drivemzq.top	156.244.41.57	true	false		unknown
www.google.com	216.58.206.36	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
156.244.41.57	ez-drivemzq.top	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.4

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591748
Start date and time:	2025-01-15 11:57:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://ez-drivemzq.top/j
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@20/6@4/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.163, 142.250.186.174, 173.194.76.84, 142.250.186.46, 142.250.185.206, 199.232.214.172, 216.58.206.46, 142.250.184.195, 216.58.206.78, 172.217.16.206, 142.250.185.110, 216.58.212.163, 172.217.18.14, 2.23.242.162, 4.245.163.56, 20.12.23.50
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://ez-drivemzq.top/j

Simulations

Behavior and APIs

⊘No simulations

Input	Output
URL: https://ez-drivemzq.top Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": true, "reasoning": "The URL uses a suspicious TLD (.top) which is often associated with malicious activities. The domain name 'ez-drivemzq' appears to be randomly generated or suspicious, and the .top TLD is commonly used in malicious campaigns due to its low cost and loose registration requirements." }
URL: https://ez-drivemzq.top

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 09:57:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.980970040048298
Encrypted:	false
SSDEEP:	48:8X/deTaK9HNidAKZdA1FehwiZUklqehny+3:8AP9Uy
MD5:	51B998096A2CE6A61744A2F95FAA37CD
SHA1:	7BB50EAD537F5CC65E30D05FD01BBE5FF0DB050C
SHA-256:	A45E38193DE8C44684C9108CC1A949C42AFE5C0544ACD161553B158CD6BE033E
SHA-512:	D8C39A72BD7A71D7044FDE8CB7DDEB30FD35EDFF564D8713595315127335D18AE3BA931A0265DA99923A006178714843ECE16F28D9123BCA5E8F9D49D32C0679
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....?.1P<g..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z/W....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z7W....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z7W....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z7W..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z8W...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........hSqN.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 09:57:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.99780283231592
Encrypted:	false
SSDEEP:	48:8sdeTaK9HNidAKZdA1seh/iZUkAQkqehEy+2:8pPz9QVy
MD5:	2EA6984A91482B138967C5966F380B4B
SHA1:	CA9869F782E9178FF97B1952EAA878C514BDCC04
SHA-256:	1767D905EC4E38941254C889D537AE94F15F2BCB94C13C351B5E8485A11FDE01
SHA-512:	9EA67E32F0A92FE6F9A306E2939C4D322D51A9F181CDD8CDC8BEA4D5E0332C921ABEBCA9F1F9ADC1BEB1A30CAC23F0A283EB364408FA21130A444007D3E12D44
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....^.'P<g..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z/W....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z7W....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z7W....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z7W..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z8W...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........hSqN.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.00707127456735
Encrypted:	false
SSDEEP:	48:87deTaKAHNidAKZdA14meh7sFiZUkmgqeh7sqy+BX:8kPsnwy
MD5:	8BDC6CE3ACACF11AB6A6FCB8D171A883
SHA1:	888BAACC938D4B296BE0974F1BD779C1D7F95E63
SHA-256:	EEC8E0AAD8991941BF6B15252858B4D0F201CA005DF4EEFD85A56F76C88C3D35
SHA-512:	C106B9E33F79FAC6CC89E86749F6E95078FB470304A087E72D01274604F786EACCD5FF914B90296BB22E6884E9C49DF89AD6DD161C263B059061096D5F680539
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z/W....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z7W....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z7W....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z7W..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........hSqN.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 09:57:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.993638170287908
Encrypted:	false
SSDEEP:	48:8CdeTaK9HNidAKZdA1TehDiZUkwqehIy+R:8nPAiy
MD5:	93622491C776AB06C9AC7153C27186D6
SHA1:	AD05DC2E2CACBC00B46044E69E4F391EF4F92380
SHA-256:	FFD530037A6DEB420CC6E3EF05AAA4B7AF06CA7A87CAE9B777154333072B3D13
SHA-512:	BCD5EF626B51C71D167567ED0BCCDB0E55758763D50C7E92AE0293ADD61A77D44F109FEE549C01E7DB278F17179340166DA462A08FC5EC1C4C5B5BB28E2B230C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....A"P<g..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z/W....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z7W....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z7W....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z7W..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z8W...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........hSqN.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 09:57:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.984528118909265
Encrypted:	false
SSDEEP:	48:8qdeTaK9HNidAKZdA1dehBiZUk1W1qehGy+C:8fPA9my
MD5:	03BE12473D55D32AACC57F79ADAD6CA6
SHA1:	16731B38FC45113D4871A173BCFD3FF25E63A72D
SHA-256:	AD832D1761CBB626868E174B1FB2EA88A0091390983C3B27005803C619448EFA
SHA-512:	72631F6597AD461E55CD341714259F1C38037343D978F60252CEF9FB193F625E0A97A816CD0B19DAD176E8749EA726ABE8CFC11C24053CAD9753A35EAA0587CF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....#.,P<g..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z/W....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z7W....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z7W....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z7W..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z8W...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........hSqN.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 09:57:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.995076704977901
Encrypted:	false
SSDEEP:	48:8VdeTaK9HNidAKZdA1duTeehOuTbbiZUk5OjqehOuTbwy+yT+:82PSTfTbxWOvTbwy7T
MD5:	564F135890818A2D8236BBD62213E21A
SHA1:	DF4BE4B48D129711B06A55A3D5E251E469453A76
SHA-256:	21B6348B747442F0975EB42E1B7F9EF0EBF45EE3E5FC106A5C51BEC6C55B5446
SHA-512:	AA9CEA69B607AEAC526DCD0B504356CE7B252ABF34A98383E979C3F84DD7929243E0E29BE3F0846D0F4E2350856C2E49187319875082614298FF331DAFB65602
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....}..P<g..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z/W....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z7W....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z7W....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z7W..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z8W...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........hSqN.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 11:57:48.051511049 CET	49673	443	192.168.2.16	204.79.197.203
Jan 15, 2025 11:57:48.081003904 CET	49701	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:57:48.081057072 CET	443	49701	156.244.41.57	192.168.2.16
Jan 15, 2025 11:57:48.081151009 CET	49701	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:57:48.081563950 CET	49702	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:57:48.081648111 CET	443	49702	156.244.41.57	192.168.2.16
Jan 15, 2025 11:57:48.081762075 CET	49701	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:57:48.081784010 CET	443	49701	156.244.41.57	192.168.2.16
Jan 15, 2025 11:57:48.081798077 CET	49702	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:57:48.081968069 CET	49702	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:57:48.082003117 CET	443	49702	156.244.41.57	192.168.2.16
Jan 15, 2025 11:57:48.366378069 CET	49673	443	192.168.2.16	204.79.197.203
Jan 15, 2025 11:57:48.971379042 CET	49673	443	192.168.2.16	204.79.197.203
Jan 15, 2025 11:57:50.179380894 CET	49673	443	192.168.2.16	204.79.197.203
Jan 15, 2025 11:57:50.695621967 CET	49689	80	192.168.2.16	192.229.211.108
Jan 15, 2025 11:57:51.139584064 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:57:51.139672041 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:57:51.139766932 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:57:51.140032053 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:57:51.140067101 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:57:51.776279926 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:57:51.776694059 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:57:51.776761055 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:57:51.778253078 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:57:51.778331041 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:57:51.779474020 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:57:51.779568911 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:57:51.819535017 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:57:51.819598913 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:57:51.866386890 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:57:52.585397005 CET	49673	443	192.168.2.16	204.79.197.203
Jan 15, 2025 11:57:56.229727983 CET	49678	443	192.168.2.16	20.189.173.10
Jan 15, 2025 11:57:56.531068087 CET	49678	443	192.168.2.16	20.189.173.10
Jan 15, 2025 11:57:57.133470058 CET	49678	443	192.168.2.16	20.189.173.10
Jan 15, 2025 11:57:57.386611938 CET	49673	443	192.168.2.16	204.79.197.203
Jan 15, 2025 11:57:58.341455936 CET	49678	443	192.168.2.16	20.189.173.10
Jan 15, 2025 11:58:00.696971893 CET	49680	80	192.168.2.16	192.229.211.108
Jan 15, 2025 11:58:00.743417978 CET	49678	443	192.168.2.16	20.189.173.10
Jan 15, 2025 11:58:01.012568951 CET	49680	80	192.168.2.16	192.229.211.108
Jan 15, 2025 11:58:01.619424105 CET	49680	80	192.168.2.16	192.229.211.108
Jan 15, 2025 11:58:01.673114061 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:58:01.673188925 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:58:01.673250914 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:58:02.562937975 CET	49707	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:58:02.562972069 CET	443	49707	216.58.206.36	192.168.2.16
Jan 15, 2025 11:58:02.832441092 CET	49680	80	192.168.2.16	192.229.211.108
Jan 15, 2025 11:58:05.234492064 CET	49680	80	192.168.2.16	192.229.211.108
Jan 15, 2025 11:58:05.552478075 CET	49678	443	192.168.2.16	20.189.173.10
Jan 15, 2025 11:58:07.002552032 CET	49673	443	192.168.2.16	204.79.197.203
Jan 15, 2025 11:58:10.036515951 CET	49680	80	192.168.2.16	192.229.211.108
Jan 15, 2025 11:58:15.166487932 CET	49678	443	192.168.2.16	20.189.173.10
Jan 15, 2025 11:58:18.085726976 CET	49701	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:18.085854053 CET	49702	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:18.086003065 CET	443	49702	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:18.086067915 CET	443	49701	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:18.086082935 CET	49702	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:18.086136103 CET	49701	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:19.114864111 CET	49713	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:19.114964962 CET	443	49713	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:19.115072966 CET	49713	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:19.115257025 CET	49713	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:19.115298986 CET	443	49713	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:19.145570040 CET	49714	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:19.145616055 CET	443	49714	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:19.145801067 CET	49714	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:19.145941019 CET	49714	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:19.145953894 CET	443	49714	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:19.649513006 CET	49680	80	192.168.2.16	192.229.211.108
Jan 15, 2025 11:58:49.116462946 CET	49713	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:49.116830111 CET	443	49713	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:49.116938114 CET	49713	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:49.155649900 CET	49714	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:49.155790091 CET	443	49714	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:49.155880928 CET	49714	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:51.197004080 CET	49717	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:58:51.197057009 CET	443	49717	216.58.206.36	192.168.2.16
Jan 15, 2025 11:58:51.197321892 CET	49717	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:58:51.197671890 CET	49717	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:58:51.197710037 CET	443	49717	216.58.206.36	192.168.2.16
Jan 15, 2025 11:58:51.828836918 CET	443	49717	216.58.206.36	192.168.2.16
Jan 15, 2025 11:58:51.829247952 CET	49717	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:58:51.829284906 CET	443	49717	216.58.206.36	192.168.2.16
Jan 15, 2025 11:58:51.829752922 CET	443	49717	216.58.206.36	192.168.2.16
Jan 15, 2025 11:58:51.830065966 CET	49717	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:58:51.830157042 CET	443	49717	216.58.206.36	192.168.2.16
Jan 15, 2025 11:58:51.880559921 CET	49717	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:58:54.144244909 CET	49718	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:54.144287109 CET	443	49718	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:54.144395113 CET	49718	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:54.144602060 CET	49718	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:54.144614935 CET	443	49718	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:54.145297050 CET	49719	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:54.145347118 CET	443	49719	156.244.41.57	192.168.2.16
Jan 15, 2025 11:58:54.145415068 CET	49719	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:54.145572901 CET	49719	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:58:54.145582914 CET	443	49719	156.244.41.57	192.168.2.16
Jan 15, 2025 11:59:01.737848997 CET	443	49717	216.58.206.36	192.168.2.16
Jan 15, 2025 11:59:01.737929106 CET	443	49717	216.58.206.36	192.168.2.16
Jan 15, 2025 11:59:01.737996101 CET	49717	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:59:02.564347029 CET	49717	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:59:02.564377069 CET	443	49717	216.58.206.36	192.168.2.16
Jan 15, 2025 11:59:24.152721882 CET	49718	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:59:24.152817011 CET	49719	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:59:24.152888060 CET	443	49718	156.244.41.57	192.168.2.16
Jan 15, 2025 11:59:24.152985096 CET	49718	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:59:24.153182983 CET	443	49719	156.244.41.57	192.168.2.16
Jan 15, 2025 11:59:24.153260946 CET	49719	443	192.168.2.16	156.244.41.57
Jan 15, 2025 11:59:51.248908043 CET	49721	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:59:51.248954058 CET	443	49721	216.58.206.36	192.168.2.16
Jan 15, 2025 11:59:51.249063015 CET	49721	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:59:51.249409914 CET	49721	443	192.168.2.16	216.58.206.36
Jan 15, 2025 11:59:51.249432087 CET	443	49721	216.58.206.36	192.168.2.16
Jan 15, 2025 11:59:51.892592907 CET	443	49721	216.58.206.36	192.168.2.16
Jan 15, 2025 11:59:51.932744980 CET	49721	443	192.168.2.16	216.58.206.36

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 11:57:46.341767073 CET	53	60060	1.1.1.1	192.168.2.16
Jan 15, 2025 11:57:46.430989027 CET	53	62814	1.1.1.1	192.168.2.16
Jan 15, 2025 11:57:47.198817015 CET	51884	53	192.168.2.16	1.1.1.1
Jan 15, 2025 11:57:47.198960066 CET	53412	53	192.168.2.16	1.1.1.1
Jan 15, 2025 11:57:47.406148911 CET	53	59411	1.1.1.1	192.168.2.16
Jan 15, 2025 11:57:48.028300047 CET	53	51884	1.1.1.1	192.168.2.16
Jan 15, 2025 11:57:48.090923071 CET	53	53412	1.1.1.1	192.168.2.16
Jan 15, 2025 11:57:51.131351948 CET	62759	53	192.168.2.16	1.1.1.1
Jan 15, 2025 11:57:51.131475925 CET	54994	53	192.168.2.16	1.1.1.1
Jan 15, 2025 11:57:51.138372898 CET	53	54994	1.1.1.1	192.168.2.16
Jan 15, 2025 11:57:51.138396025 CET	53	62759	1.1.1.1	192.168.2.16
Jan 15, 2025 11:58:04.425045013 CET	53	58335	1.1.1.1	192.168.2.16
Jan 15, 2025 11:58:17.201361895 CET	53	58612	1.1.1.1	192.168.2.16
Jan 15, 2025 11:58:23.421247005 CET	53	57866	1.1.1.1	192.168.2.16
Jan 15, 2025 11:58:46.329076052 CET	53	56028	1.1.1.1	192.168.2.16
Jan 15, 2025 11:58:46.468667030 CET	53	63465	1.1.1.1	192.168.2.16
Jan 15, 2025 11:58:52.404268980 CET	138	138	192.168.2.16	192.168.2.255
Jan 15, 2025 11:59:16.952111959 CET	53	55971	1.1.1.1	192.168.2.16

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 15, 2025 11:57:48.093004942 CET	192.168.2.16	1.1.1.1	c236	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 11:57:47.198817015 CET	192.168.2.16	1.1.1.1	0xa91b	Standard query (0)	ez-drivemzq.top	A (IP address)	IN (0x0001)	false
Jan 15, 2025 11:57:47.198960066 CET	192.168.2.16	1.1.1.1	0xe194	Standard query (0)	ez-drivemzq.top	65	IN (0x0001)	false
Jan 15, 2025 11:57:51.131351948 CET	192.168.2.16	1.1.1.1	0xb3ae	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 11:57:51.131475925 CET	192.168.2.16	1.1.1.1	0x1f3	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 11:57:48.028300047 CET	1.1.1.1	192.168.2.16	0xa91b	No error (0)	ez-drivemzq.top	156.244.41.57	A (IP address)	IN (0x0001)	false
Jan 15, 2025 11:57:51.138372898 CET	1.1.1.1	192.168.2.16	0x1f3	No error (0)	www.google.com		65	IN (0x0001)	false
Jan 15, 2025 11:57:51.138396025 CET	1.1.1.1	192.168.2.16	0xb3ae	No error (0)	www.google.com	216.58.206.36	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 1552, Parent PID: 3740

General

Target ID:	0
Start time:	05:57:44
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6724, Parent PID: 1552

General

Target ID:	1
Start time:	05:57:45
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1952,i,17620846321371725988,6570727933851704785,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6396, Parent PID: 3740

General

Target ID:	2
Start time:	05:57:46
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ez-drivemzq.top/j"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://ez-drivemzq.top/j

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 1552, Parent PID: 3740

General

Chronological Activities

Analysis Process: chrome.exePID: 6724, Parent PID: 1552

General

Chronological Activities

Analysis Process: chrome.exePID: 6396, Parent PID: 3740

General

Chronological Activities

Disassembly

Windows Analysis Report
https://ez-drivemzq.top/j