Edit tour

Windows Analysis Report
https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=

Overview

General Information

Sample URL:	https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=
Analysis ID:	1305960
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 1792 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

chrome.exe (PID: 6028 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1856,i,6201569344014229303,17451047210727473039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

chrome.exe (PID: 5284 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU= MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Boot Survival

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\chrome_BITS_1792_913964433

Jump to behavior

Source: unknown

DNS traffic detected: queries for: accounts.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-115.0.5790.171Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz& HTTP/1.1Host: app.getresponse.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /error404.html HTTP/1.1Host: app.getresponse.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: no-cachecontent-type: text/htmlconnection: close

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: AEC=Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA; CONSENT=PENDING+494; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg; __Secure-ENID=14.SE=FEqwE5eimu_CzO8QanixDxMiVRDl1S74wJwxQG4kibYxHFlarNLstM6_FtN3tkTBDN7NI-PM3BH3uafw_juj7Kua5Sxw58UIqMyDvhq3JStE-0GsITWS9X0QrbjvmkA5MVBf-Eb4RLTTefnPk1F_g7MJo2hXw4TzaSRHE_HtskdpjjbT9g

Source: classification engine

Classification label: mal48.win@23/7@8/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1856,i,6201569344014229303,17451047210727473039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1856,i,6201569344014229303,17451047210727473039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\chrome_BITS_1792_913964433

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\chrome_BITS_1792_913964433

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	3 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=	0%	Avira URL Cloud	safe
https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering

Name	IP	Active	Malicious	Reputation
accounts.google.com	142.251.2.84	true	false	high
www.google.com	142.251.2.147	true	false	high
app.getresponse.com	104.160.64.9	true	false	high
clients.l.google.com	142.251.2.139	true	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&	false	high
https://app.getresponse.com/error404.html	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false	high
https://app.getresponse.com/error404.html#Yi5raGFuQGVjdS5lZHUuYXU=	false	high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.2.147	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.2.139	clients.l.google.com	United States	15169	GOOGLEUS	false
104.160.64.9	app.getresponse.com	United States	46469	GETRESPONSE-IMPLIXUS	false
142.251.2.84	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1305960
Start date and time:	2023-09-08 09:13:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@23/7@8/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.206.188.204, 23.206.188.212, 23.36.117.247, 142.251.2.94, 34.104.35.123, 142.250.101.94
Excluded domains from analysis (whitelisted): geover.prod.do.dsp.mp.microsoft.com, fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, tse1.mm.bing.net, store-images.s-microsoft.com-c.edgekey.net, clientservices.googleapis.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, kv601.prod.do.dsp.mp.microsoft.com, e12564.dspb.akamaiedge.net, edgedl.me.gvt1.com, store-images.s-microsoft.com, update.googleapis.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.01641303245589
Encrypted:	false
SSDEEP:	48:8Jicd+yRmHvidAKZdA1o9ehwiZUklqeh4BA3:8JiGRTP
MD5:	23E0A11A275C7DC49649CDA31A883615
SHA1:	321AFEEB34ACD38CA3B0DD908DC7D73F81507147
SHA-256:	B1FAEF674F17B4BA66EAF22655A3FE14443B24BDBE6A5E8D3E7D13D3F3340679
SHA-512:	873DF0D9A7D25F116A4D489DE9B22541CB6FD17BE7B2E8C4F9C7633B1557B17432BD11D68284F3EE5469D633DBB33D556FE65E4C60042BA17451E4CFF1F5AF9F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L.(W.9....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;(W.9..............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;(W.9..........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;(W.9...........................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............V......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.034174402761696
Encrypted:	false
SSDEEP:	48:8Jicd+yRmHvidAKZdA1t9eh/iZUkAQkqehfBA2:8JiGRX9QS
MD5:	390829C58BFECA4B07167E6CB8280092
SHA1:	E02602C47568C4C06B7BFB82E7F212B92A8C5C86
SHA-256:	FCB697B6CFCE70A9D388DA046B12AA9984FD1209C78B6956866BCD8D1A9571A4
SHA-512:	49154C94EC69AF463BE5AF074491CDB6CB9293C280B890F92A6B37CF285D7C4402601FC68F4CF3790A2CD9674B6C3B6352955BE43F9A123BA632FD5CAAB1B3A4
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L.(W.9....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;(W.9..............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;(W.9..........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;(W.9...........................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............V......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2691
Entropy (8bit):	4.046314995946268
Encrypted:	false
SSDEEP:	48:8Jicd+yRmHvidAKZdA14J9eh7sFiZUkmgqeh7s5BABX:8JiGRBnj
MD5:	A6E6FA54CF7D6D56E8C44A256AE5FD6A
SHA1:	BBC6E7E7026C03D95C37DA7EDC3B949CEA80F783
SHA-256:	43CE6E9309D6CFFBA2EFFC3F5258D19C7C6ABB66C9F01D278273D60F2AFE90AE
SHA-512:	0599CFB3C82D55D53D43CA04BDCB5C54E4E2F39F0628D3B7836A9194F613D4063BF46F9A292E47B47EA6765F7C07AFFF7E271587E2BAFC0A9FE66CB9AC8F8409
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L.(W.9....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;(W.9..............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;(W.9..........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;(W.9...........................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............V......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.03170943545513
Encrypted:	false
SSDEEP:	48:8Jicd+yRmHvidAKZdA1u9ehDiZUkwqeh7BAR:8JiGRCx
MD5:	2503B718D701316589666AE39F0070EF
SHA1:	47DF3E9813C85CC1E6FB23418407C48696D0921F
SHA-256:	9398932DB5F480B69E40D3F23E6724E1DD13C14B3985F30C54DE9FAB18C7B513
SHA-512:	1C536683A33A1119D1F0570E8DBF2FBCBAC23298D782D17054C29085CE43CA1972AFF076F95053B4F0A23101EB67F0163ED0D71B96A83B215F1B235DEFE5DB0C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L.(W.9....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;(W.9..............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;(W.9..........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;(W.9...........................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............V......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.0199469193616375
Encrypted:	false
SSDEEP:	48:8Jicd+yRmHvidAKZdA1c9ehBiZUk1W1qehtBAC:8JiGRS9N
MD5:	6753BF44F3FBFD8A39827B63FDA2D7F4
SHA1:	C26F829B6B4D4C370AD28A67562F7EC44AF0145C
SHA-256:	6D338093FD51ED8289442EB29F3EB36FB572FD28FE4CFCF012BD8B1246F0B9A3
SHA-512:	58CF71C4FFDFC617F5BD9D322806CAB3C6B64205A1ED5FCF4D2573D6FC83F7D6BCC5C119A9BE708D812BFA09C228F53B28BF865C20CE04DC3EDCB21FE65D4D59
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L.(W.9....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;(W.9..............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;(W.9..........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;(W.9...........................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............V......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Sep 30 06:28:28 2020, mtime=Thu Aug 10 09:45:23 2023, atime=Tue Aug 1 18:57:01 2023, length=1158936, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	4.035128922992682
Encrypted:	false
SSDEEP:	48:8Jicd+yRmHvidAKZdA1duTn9ehOuTbbiZUk5OjqehOuTbjBAyT+:8JiGRbTqTbxWOvTbjPT
MD5:	50CA53EA7AF9C0B55C512356557AE972
SHA1:	82C20E4C8E73E617DA2C9FDB9020F0706B1C268D
SHA-256:	E277AF10A071A92DBE124891F3B38F4F1E705BB6232FF34A16EE52589E1FBA23
SHA-512:	80620DCAD310DC8405E688C6D2023438DBEDF901D5C35C924756DDC3BF9DB7D65F879E46F8529FE7B1DBB4AC031B1EB3857EAAE28AADA945F45EA6C3E0621684
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....b.J........w.....,V............................1....P.O. .:i.....+00.../C:\.....................1......W.U..PROGRA~1..t......L.(W.9....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....>Q.;..Google..>......>Q.;(W.9..............................G.o.o.g.l.e.....T.1......W.U..Chrome..>......>Q.;(W.9..........................c.>.C.h.r.o.m.e.....`.1......W.U..APPLIC~1..H......>Q.;(W.9...........................A.A.p.p.l.i.c.a.t.i.o.n.....n.2......W!. .CHROME~1.EXE..R......>Q.;.W.U.....}......................h.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............V......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 247

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (3460)
Category:	downloaded
Size (bytes):	6396
Entropy (8bit):	5.905111963532518
Encrypted:	false
SSDEEP:	96:lVmMSEIjnDvVTzln4/Qz5tfsMSUcp1hmZbuHrr9fQA0xs+9g2Ts8O:lVmRDlzln4/Q7UM4hmZ89CxsYTsR
MD5:	1026A33872A4D10B19DB1278F52B8971
SHA1:	6CAEE057B98B4875189E8A76103039FC7A643BB9
SHA-256:	91DB17F0AD927A17C418BD62621400AFB159F2651D7D37A5D8FEBD2B4C909898
SHA-512:	97C46E69818D57AED872065B52AC69850D838AFBC585E25F1520E0B83698806B14FF4FBA23BE06C118388D4440BCBA3883CEB76744AB8B463A39A942425C94B2
Malicious:	false
Reputation:	low
URL:	https://app.getresponse.com/error404.html
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />. <title>Error 404 - not found</title>. <link href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyhpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMDE0IDc5LjE1Njc5NywgMjAxNC8wOC8yMC0wOTo1MzowMiAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENDIDIwMTQgKE1hY2ludG9zaCkiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6RkY5Qjc2RkRGMTZGMTFFNEF

Total Packets: 73
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 8, 2023 09:14:05.228044033 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:05.228115082 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:05.228216887 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:05.229878902 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:05.229902029 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:05.236346960 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:05.236490965 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:05.236608982 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:05.237145901 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:05.237220049 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:05.675623894 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:05.676265955 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:05.676301003 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:05.677083969 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:05.677347898 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:05.677411079 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:05.677598000 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:05.677700996 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:05.677922010 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:05.678020954 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:05.678756952 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:05.678852081 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:05.683196068 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:05.683324099 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:05.684101105 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:05.684223890 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:05.684355974 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:05.684365988 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:05.684581041 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:05.684608936 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:05.891477108 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:05.891482115 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:05.891643047 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:05.891644955 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:06.129817009 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:06.129976988 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:06.130040884 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:06.131570101 CEST	49722	443	192.168.2.4	142.251.2.139
Sep 8, 2023 09:14:06.131609917 CEST	443	49722	142.251.2.139	192.168.2.4
Sep 8, 2023 09:14:06.161348104 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:06.161623955 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:06.161691904 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:06.174110889 CEST	49720	443	192.168.2.4	142.251.2.84
Sep 8, 2023 09:14:06.174145937 CEST	443	49720	142.251.2.84	192.168.2.4
Sep 8, 2023 09:14:07.367460966 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.367526054 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.367635012 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.368472099 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.368524075 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.368586063 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.372615099 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.372644901 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.372891903 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.372911930 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.896985054 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.897353888 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.897393942 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.898792028 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.898889065 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.899825096 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.900223017 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.900253057 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.901680946 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.901750088 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.920450926 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.920697927 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.924779892 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.924967051 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:07.925399065 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:07.925424099 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.006143093 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.006191015 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.006234884 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.207844973 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.400221109 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.400427103 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.400563955 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.401293039 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.401313066 CEST	443	49725	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.401365042 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.401386023 CEST	49725	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.414413929 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.455481052 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.609806061 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:08.609878063 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:14:08.609963894 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:08.611078024 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:08.611114979 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:14:08.648745060 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.648840904 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.648859978 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.648933887 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.648960114 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.648974895 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.649019957 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.649039030 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.649178028 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:08.649260998 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.653805017 CEST	49726	443	192.168.2.4	104.160.64.9
Sep 8, 2023 09:14:08.653831959 CEST	443	49726	104.160.64.9	192.168.2.4
Sep 8, 2023 09:14:09.054040909 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:14:09.054454088 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:09.054516077 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:14:09.055818081 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:14:09.055936098 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:09.266961098 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:09.267411947 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:14:09.391731977 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:09.391788960 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:14:09.501075983 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:19.091378927 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:14:19.091567993 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:14:19.091694117 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:20.359342098 CEST	49728	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:14:20.359414101 CEST	443	49728	142.251.2.147	192.168.2.4
Sep 8, 2023 09:15:08.477193117 CEST	49757	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:15:08.477251053 CEST	443	49757	142.251.2.147	192.168.2.4
Sep 8, 2023 09:15:08.477442980 CEST	49757	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:15:08.478847027 CEST	49757	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:15:08.478876114 CEST	443	49757	142.251.2.147	192.168.2.4
Sep 8, 2023 09:15:08.917926073 CEST	443	49757	142.251.2.147	192.168.2.4
Sep 8, 2023 09:15:08.918780088 CEST	49757	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:15:08.918828964 CEST	443	49757	142.251.2.147	192.168.2.4
Sep 8, 2023 09:15:08.920121908 CEST	443	49757	142.251.2.147	192.168.2.4
Sep 8, 2023 09:15:08.921478987 CEST	49757	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:15:08.921785116 CEST	443	49757	142.251.2.147	192.168.2.4
Sep 8, 2023 09:15:08.974025965 CEST	49757	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:15:18.966661930 CEST	443	49757	142.251.2.147	192.168.2.4
Sep 8, 2023 09:15:18.966804981 CEST	443	49757	142.251.2.147	192.168.2.4
Sep 8, 2023 09:15:18.967070103 CEST	49757	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:15:19.616621971 CEST	49757	443	192.168.2.4	142.251.2.147
Sep 8, 2023 09:15:19.616691113 CEST	443	49757	142.251.2.147	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 8, 2023 09:14:05.025688887 CEST	51816	53	192.168.2.4	8.8.8.8
Sep 8, 2023 09:14:05.026082039 CEST	51391	53	192.168.2.4	8.8.8.8
Sep 8, 2023 09:14:05.026679993 CEST	49785	53	192.168.2.4	8.8.8.8
Sep 8, 2023 09:14:05.026941061 CEST	63872	53	192.168.2.4	8.8.8.8
Sep 8, 2023 09:14:05.224482059 CEST	53	51816	8.8.8.8	192.168.2.4
Sep 8, 2023 09:14:05.225260973 CEST	53	51391	8.8.8.8	192.168.2.4
Sep 8, 2023 09:14:05.227535963 CEST	53	49817	8.8.8.8	192.168.2.4
Sep 8, 2023 09:14:05.232702017 CEST	53	49785	8.8.8.8	192.168.2.4
Sep 8, 2023 09:14:05.234257936 CEST	53	63872	8.8.8.8	192.168.2.4
Sep 8, 2023 09:14:06.751760960 CEST	53	64803	8.8.8.8	192.168.2.4
Sep 8, 2023 09:14:07.130135059 CEST	64829	53	192.168.2.4	8.8.8.8
Sep 8, 2023 09:14:07.133250952 CEST	54388	53	192.168.2.4	8.8.8.8
Sep 8, 2023 09:14:07.330931902 CEST	53	64829	8.8.8.8	192.168.2.4
Sep 8, 2023 09:14:07.335298061 CEST	53	54388	8.8.8.8	192.168.2.4
Sep 8, 2023 09:14:08.408518076 CEST	53653	53	192.168.2.4	8.8.8.8
Sep 8, 2023 09:14:08.409308910 CEST	52086	53	192.168.2.4	8.8.8.8
Sep 8, 2023 09:14:08.607076883 CEST	53	53653	8.8.8.8	192.168.2.4
Sep 8, 2023 09:14:08.607654095 CEST	53	52086	8.8.8.8	192.168.2.4
Sep 8, 2023 09:15:04.216015100 CEST	53	57676	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 8, 2023 09:14:05.025688887 CEST	192.168.2.4	8.8.8.8	0x55dc	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:05.026082039 CEST	192.168.2.4	8.8.8.8	0x5987	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Sep 8, 2023 09:14:05.026679993 CEST	192.168.2.4	8.8.8.8	0xfb87	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:05.026941061 CEST	192.168.2.4	8.8.8.8	0x170	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Sep 8, 2023 09:14:07.130135059 CEST	192.168.2.4	8.8.8.8	0xde27	Standard query (0)	app.getresponse.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:07.133250952 CEST	192.168.2.4	8.8.8.8	0x8108	Standard query (0)	app.getresponse.com	65	IN (0x0001)	false
Sep 8, 2023 09:14:08.408518076 CEST	192.168.2.4	8.8.8.8	0x71fb	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:08.409308910 CEST	192.168.2.4	8.8.8.8	0xd776	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 8, 2023 09:14:05.224482059 CEST	8.8.8.8	192.168.2.4	0x55dc	No error (0)	accounts.google.com		142.251.2.84	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:05.232702017 CEST	8.8.8.8	192.168.2.4	0xfb87	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 8, 2023 09:14:05.232702017 CEST	8.8.8.8	192.168.2.4	0xfb87	No error (0)	clients.l.google.com		142.251.2.139	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:05.232702017 CEST	8.8.8.8	192.168.2.4	0xfb87	No error (0)	clients.l.google.com		142.251.2.113	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:05.232702017 CEST	8.8.8.8	192.168.2.4	0xfb87	No error (0)	clients.l.google.com		142.251.2.101	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:05.232702017 CEST	8.8.8.8	192.168.2.4	0xfb87	No error (0)	clients.l.google.com		142.251.2.138	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:05.232702017 CEST	8.8.8.8	192.168.2.4	0xfb87	No error (0)	clients.l.google.com		142.251.2.102	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:05.232702017 CEST	8.8.8.8	192.168.2.4	0xfb87	No error (0)	clients.l.google.com		142.251.2.100	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:05.234257936 CEST	8.8.8.8	192.168.2.4	0x170	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 8, 2023 09:14:07.330931902 CEST	8.8.8.8	192.168.2.4	0xde27	No error (0)	app.getresponse.com		104.160.64.9	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:08.607076883 CEST	8.8.8.8	192.168.2.4	0x71fb	No error (0)	www.google.com		142.251.2.147	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:08.607076883 CEST	8.8.8.8	192.168.2.4	0x71fb	No error (0)	www.google.com		142.251.2.99	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:08.607076883 CEST	8.8.8.8	192.168.2.4	0x71fb	No error (0)	www.google.com		142.251.2.103	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:08.607076883 CEST	8.8.8.8	192.168.2.4	0x71fb	No error (0)	www.google.com		142.251.2.106	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:08.607076883 CEST	8.8.8.8	192.168.2.4	0x71fb	No error (0)	www.google.com		142.251.2.105	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:08.607076883 CEST	8.8.8.8	192.168.2.4	0x71fb	No error (0)	www.google.com		142.251.2.104	A (IP address)	IN (0x0001)	false
Sep 8, 2023 09:14:08.607654095 CEST	8.8.8.8	192.168.2.4	0xd776	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

accounts.google.com

clients2.google.com

app.getresponse.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49720	142.251.2.84	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 07:14:05 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: AEC=Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA; CONSENT=PENDING+494; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg; __Secure-ENID=14.SE=FEqwE5eimu_CzO8QanixDxMiVRDl1S74wJwxQG4kibYxHFlarNLstM6_FtN3tkTBDN7NI-PM3BH3uafw_juj7Kua5Sxw58UIqMyDvhq3JStE-0GsITWS9X0QrbjvmkA5MVBf-Eb4RLTTefnPk1F_g7MJo2hXw4TzaSRHE_HtskdpjjbT9g
2023-09-08 07:14:05 UTC	0	OUT	Data Raw: 20 Data Ascii:
2023-09-08 07:14:06 UTC	2	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 08 Sep 2023 07:14:06 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-x529eQQBKyHIt26cFnh2zA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-09-08 07:14:06 UTC	4	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-09-08 07:14:06 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49722	142.251.2.139	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 07:14:05 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-115.0.5790.171 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-08 07:14:06 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-fqdBxNH_DeWqETaREN7SEw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 08 Sep 2023 07:14:06 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6094 X-Daystart: 846 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-09-08 07:14:06 UTC	2	IN	Data Raw: 32 63 37 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 30 39 34 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 38 34 36 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 20 73 Data Ascii: 2c7<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6094" elapsed_seconds="846"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname="" s
2023-09-08 07:14:06 UTC	2	IN	Data Raw: 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-09-08 07:14:06 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49725	104.160.64.9	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 07:14:07 UTC	4	OUT	GET /click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz& HTTP/1.1 Host: app.getresponse.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-08 07:14:08 UTC	5	IN	HTTP/1.1 301 Moved Permanently date: Fri, 08 Sep 2023 07:14:08 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked strict-transport-security: max-age=31536000 x-xss-protection: 1; mode=block x-frame-options: sameorigin x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin feature-policy: accelerometer ; ambient-light-sensor ; autoplay ; camera ; encrypted-media ; fullscreen ; geolocation ; gyroscope ; magnetometer ; microphone ; midi ; payment ; picture-in-picture ; speaker ; sync-xhr ; usb ; vr * location: https://app.getresponse.com/error404.html content-security-policy-report-only: default-src https: wss: blob: 'unsafe-inline' 'unsafe-eval'; img-src https: data: blob:; frame-src https:; font-src https: data:; report-uri https://index-log.getresponse.com/index/marketing_csp?source=app-gr connection: close
2023-09-08 07:14:08 UTC	6	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49726	104.160.64.9	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 07:14:08 UTC	6	OUT	GET /error404.html HTTP/1.1 Host: app.getresponse.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-08 07:14:08 UTC	6	IN	HTTP/1.1 404 Not Found cache-control: no-cache content-type: text/html connection: close
2023-09-08 07:14:08 UTC	6	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 42 41 41 41 41 41 51 43 41 4d 41 41 41 41 6f 4c 51 39 54 41 41 41 41 47 58 52 46 57 48 52 54 62 32 5a 30 64 32 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Error 404 - not found</title> <link href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAGXRFWHRTb2Z0d2

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	2
Start time:	09:14:01
Start date:	08/09/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff7c94b0000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:14:02
Start date:	08/09/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1856,i,6201569344014229303,17451047210727473039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7c94b0000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:14:06
Start date:	08/09/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=
Imagebase:	0x7ff7c94b0000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 247

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 1792, Parent PID: 1364

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Windows Analysis Report
https://app.getresponse.com/click.html?x=a62b&lc=S1yUj1&mc=Ju&s=BtBp5yX&u=tPdUS&z=EFZsBPz&#Yi5raGFuQGVjdS5lZHUuYXU=