Edit tour

Windows Analysis Report
http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg

Overview

General Information

Sample URL:	http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg
Analysis ID:	1589892
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 2992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4524 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2000,i,2892010767107148487,16442813963007683388,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2804 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg

Avira URL Cloud: detection malicious, Label: phishing

Antivirus detection for URL or domain

Source: https://communication.investecprivatebank.co.za/favicon.ico

Avira URL Cloud: Label: phishing

Source: https://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg

HTTP Parser: No favicon

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Marketing/DocFusion/Headers/PBHeaderBanner.jpg HTTP/1.1Host: communication.investecprivatebank.co.zaConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: communication.investecprivatebank.co.zaConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpgAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: communication.investecprivatebank.co.zaConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: communication.investecprivatebank.co.za

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: classification engine

Classification label: mal56.win@17/8@8/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2000,i,2892010767107148487,16442813963007683388,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2000,i,2892010767107148487,16442813963007683388,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg	100%	Avira URL Cloud	phishing

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://communication.investecprivatebank.co.za/favicon.ico	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
communication.investecprivatebank.co.za	104.21.48.1	true	false		unknown
www.google.com	172.217.18.4	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg	false		unknown
https://communication.investecprivatebank.co.za/favicon.ico	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.21.96.1	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.18.4	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589892
Start date and time:	2025-01-13 09:48:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.win@17/8@8/4

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.227, 172.217.18.110, 74.125.71.84, 142.250.186.78, 217.20.57.18, 192.229.221.95, 142.250.185.110, 216.58.206.78, 142.250.184.238, 142.250.185.206, 142.250.184.206, 172.217.16.195, 216.58.212.174, 216.58.206.46, 184.28.90.27, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg

Simulations

Behavior and APIs

⊘No simulations

Input	Output
URL: http://communication.investecprivatebank.co.za Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: http://communication.investecprivatebank.co.za
URL: https://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg Model: Joe Sandbox AI	{ "brands": [ "Investec" ] }

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 13 07:49:19 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9712568726849646
Encrypted:	false
SSDEEP:	48:8EdVT9dgHaidAKZdA19ehwiZUklqehHy+3:8eH9oy
MD5:	2D0D19429A96D276B6919A6994C48621
SHA1:	4F7D5E1599AD62E99DB4C5CF0FD2FAE90D126705
SHA-256:	4DA46369D8E99ABF3EA74A030CC2F84F0E5BDEFE494982366133D14E333A765E
SHA-512:	B60FAC4261CDD516EFD078D2B65212EE64621ED445909CBA8A93721062C962E373E01167EADFAD03515811514E08ECD47AF704CA7CBF9D7D8F20F03EADF4CEF9
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.........e..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I-Z'F....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V-Z'F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V-Z'F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V-Z'F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V-ZF...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........K.rT.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 13 07:49:19 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.988690401972797
Encrypted:	false
SSDEEP:	48:8nxdVT9dgHaidAKZdA1weh/iZUkAQkqehYy+2:8nhH39QBy
MD5:	FEBEE3314CBDE0C5968EF4A7F6F7A16C
SHA1:	06A994E2D9C032EC0A7956B41F8875C224371F31
SHA-256:	5C0FB7089B79F1B17130E7FB6ED7C5C768A5EAF2CB82068E7C6F48BFD232C99F
SHA-512:	66A750528C1F03F46DD47949B391305E3E0B5A919A81BD97864778129F68C84BB9F6C89E0CD077F60FD3485D0BB3630A0D5AD8A07B7406C3C6F24AF83FFE469C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........e..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I-Z'F....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V-Z'F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V-Z'F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V-Z'F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V-ZF...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........K.rT.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.001394280191446
Encrypted:	false
SSDEEP:	48:8xOdVT9dsHaidAKZdA14tseh7sFiZUkmgqeh7sqy+BX:8x8Hbn0y
MD5:	D04AB02A3CF0562746DEEDFC1E63D6D6
SHA1:	778501E8A33C3B68085BB014461B6AFA7E5EAA34
SHA-256:	C99F77A0E9D785CE17A19E7848A9E8AFF815B8420561E2D812EF4232A00B6433
SHA-512:	B333CF418BAD9E415F7F92DA605C5F5A4B404399145B6FF2D4AEA74C9EFCF299B4FAB8F870065C6F01A4EE4BA415C628B3D5E530102D1E271E9B2BB92CE9F23C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I-Z'F....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V-Z'F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V-Z'F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V-Z'F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........K.rT.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 13 07:49:19 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9869909764653086
Encrypted:	false
SSDEEP:	48:8edVT9dgHaidAKZdA1vehDiZUkwqeh8y+R:8sH0yy
MD5:	6BD0F76FAFE6F72B5E13F49C18A32706
SHA1:	4FBBD1A5C07ACA8F9AA7B99A1518EBE54C7E1105
SHA-256:	6F57BE91D7777F5C4CD079CD4E7D81205DF7C36373C63DEE3CDB10F913562B93
SHA-512:	4CE7A0D3D7A96838825EF226CA01887AD22BA48A7AA78CA2C34F41727F0AFA13AB7578DFC464EDF360472E59528DDF16207734E7B5E6B9F4A1B85A743460713D
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....Z...e..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I-Z'F....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V-Z'F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V-Z'F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V-Z'F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V-ZF...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........K.rT.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 13 07:49:19 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.972820897764147
Encrypted:	false
SSDEEP:	48:80dVT9dgHaidAKZdA1hehBiZUk1W1qehWy+C:8uHU92y
MD5:	0A83BFE2C6F4739E9A60886C0351B78E
SHA1:	320DDC8E10C45CE0A114A490CD32C4C8E074B34A
SHA-256:	C9EA10E1AB1F303C72DB3893A5611B763BEF88B710FEE8D4AF00ED8A02C15974
SHA-512:	C498DCEBE99EE7063D2C8D4F0E73655C67A9992D01191ED5428DF575D980CED9CE1BDFADB8EA57A18599633B864B6A9E89B9B4D1E122D2FF836B2EF7AF6AFF96
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.........e..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I-Z'F....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V-Z'F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V-Z'F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V-Z'F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V-ZF...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........K.rT.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jan 13 07:49:18 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.987616355260943
Encrypted:	false
SSDEEP:	48:8TdVT9dgHaidAKZdA1duT+ehOuTbbiZUk5OjqehOuTb0y+yT+:8XH6T/TbxWOvTb0y7T
MD5:	51F81DC8C0C0F740F9803294A4E4C86F
SHA1:	2A93FDA72A7958D1B838BC1E9219571A4EED9A86
SHA-256:	4751E554BEE4B63E74E37B79811978752E4A1E713E50FB9A4BD94139DFC5482C
SHA-512:	B6DE91B83670831824B45260A3D5250E85C39641303563BD961C447BD35A145E0BCF0ED50C2694D2F9727E97DC42876CCDDBCBD97307FED5826D8017E2C533A9
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......\|..e..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I-Z'F....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V-Z'F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V-Z'F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V-Z'F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V-ZF...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........K.rT.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 58

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=12, height=85, bps=158, PhotometricIntepretation=RGB, orientation=upper-left, width=567], progressive, precision 8, 600x85, components 3
Category:	downloaded
Size (bytes):	13985
Entropy (8bit):	6.666436217274576
Encrypted:	false
SSDEEP:	192:1jHe3rmXrQy4lmdBzrmmknvp/gr8gcPIgjHgty+sOhfJ6BIzyWQU8F:V+7m77imzmNnvp/NgcPIS5Oh6gF8F
MD5:	E99326BA1013ACD2C1ED53F477D9E7A6
SHA1:	88A3977301367F477C6CCAE23364809967C298E1
SHA-256:	4DFB3950FDB3E1E121430D46BF2D5C7A3F7304B51A5B972D531C66803EF9EB07
SHA-512:	8047CB2F68CA6CE5A94E104F9D72170B5A92853750BF387E48B9D16D862A4308ED8FF23E3FEF1F104467FD0C115646ECEE50A56A5E03D1FA1BF7129682950CE0
Malicious:	false
Reputation:	low
URL:	https://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg
Preview:	.....[Exif..II...............7...........U...........................................................................(...........1...........2...........i........... ..............'.......'..Adobe Photoshop 24.0 (Windows).2022:11:22 16:37:16............0231....................X...........U...............................n...........v...(...................~...................H.......H.............Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..U......+........p....[.m~....=V{.jx.'..\....f.L.8.....}....c....ei).M..X...m

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 09:49:08.294989109 CET	49674	443	192.168.2.5	23.1.237.91
Jan 13, 2025 09:49:08.982556105 CET	49675	443	192.168.2.5	23.1.237.91
Jan 13, 2025 09:49:09.076172113 CET	49673	443	192.168.2.5	23.1.237.91
Jan 13, 2025 09:49:18.591662884 CET	49675	443	192.168.2.5	23.1.237.91
Jan 13, 2025 09:49:18.683049917 CET	49673	443	192.168.2.5	23.1.237.91
Jan 13, 2025 09:49:20.322046041 CET	443	49703	23.1.237.91	192.168.2.5
Jan 13, 2025 09:49:20.322190046 CET	49703	443	192.168.2.5	23.1.237.91
Jan 13, 2025 09:49:21.149401903 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:21.149430037 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:49:21.149661064 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:21.149806976 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:21.149821997 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:49:21.782272100 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:49:21.782809019 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:21.782841921 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:49:21.783898115 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:49:21.784018040 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:21.785286903 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:21.785361052 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:49:21.831027031 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:21.831042051 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:49:21.878053904 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:23.511617899 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:23.511683941 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:23.511759996 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:23.512087107 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:23.512104034 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.095792055 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.101277113 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.101341009 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.102494955 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.102577925 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.116938114 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.117182016 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.117183924 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.159352064 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.161326885 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.161350965 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.207958937 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.229439974 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.229579926 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.229692936 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.229737043 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.229784966 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.229855061 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.229857922 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.229887962 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.229948044 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.229990959 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.230156898 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.230211973 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.230221033 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.234067917 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.234134912 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.234152079 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.234328032 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.234405041 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.317261934 CET	49714	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.317312956 CET	443	49714	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.342576981 CET	49716	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.342638016 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.342731953 CET	49716	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.343107939 CET	49716	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.343125105 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.917032957 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.918196917 CET	49716	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.918225050 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.918606997 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.921140909 CET	49716	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.921215057 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:24.921333075 CET	49716	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:24.963339090 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:27.102992058 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:27.103080988 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:27.107330084 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:27.107387066 CET	49716	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:27.110754967 CET	49716	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:27.110754967 CET	49716	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:27.110774994 CET	443	49716	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:27.485151052 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:27.485207081 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:27.485292912 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:27.485522032 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:27.485538960 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:28.058715105 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:28.059246063 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:28.059272051 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:28.060726881 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:28.060822010 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:28.061283112 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:28.061352968 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:28.061445951 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:28.061451912 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:28.114125967 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:28.170299053 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:28.170393944 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:28.170476913 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:28.171276093 CET	49717	443	192.168.2.5	104.21.96.1
Jan 13, 2025 09:49:28.171297073 CET	443	49717	104.21.96.1	192.168.2.5
Jan 13, 2025 09:49:31.707236052 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:49:31.707304955 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:49:31.707370996 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:31.738189936 CET	49712	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:49:31.738254070 CET	443	49712	172.217.18.4	192.168.2.5
Jan 13, 2025 09:50:21.206387043 CET	49991	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:50:21.206425905 CET	443	49991	172.217.18.4	192.168.2.5
Jan 13, 2025 09:50:21.206597090 CET	49991	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:50:21.206845999 CET	49991	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:50:21.206859112 CET	443	49991	172.217.18.4	192.168.2.5
Jan 13, 2025 09:50:21.854733944 CET	443	49991	172.217.18.4	192.168.2.5
Jan 13, 2025 09:50:21.855196953 CET	49991	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:50:21.855222940 CET	443	49991	172.217.18.4	192.168.2.5
Jan 13, 2025 09:50:21.855577946 CET	443	49991	172.217.18.4	192.168.2.5
Jan 13, 2025 09:50:21.855916023 CET	49991	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:50:21.855984926 CET	443	49991	172.217.18.4	192.168.2.5
Jan 13, 2025 09:50:21.908021927 CET	49991	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:50:31.776424885 CET	443	49991	172.217.18.4	192.168.2.5
Jan 13, 2025 09:50:31.776582003 CET	443	49991	172.217.18.4	192.168.2.5
Jan 13, 2025 09:50:31.776669025 CET	49991	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:50:33.738290071 CET	49991	443	192.168.2.5	172.217.18.4
Jan 13, 2025 09:50:33.738312960 CET	443	49991	172.217.18.4	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 09:49:16.798209906 CET	53	64249	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:16.856873035 CET	53	55174	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:17.980607986 CET	53	54204	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:21.140223980 CET	49446	53	192.168.2.5	1.1.1.1
Jan 13, 2025 09:49:21.140358925 CET	62288	53	192.168.2.5	1.1.1.1
Jan 13, 2025 09:49:21.147396088 CET	53	49446	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:21.147420883 CET	53	62288	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:22.759242058 CET	60730	53	192.168.2.5	1.1.1.1
Jan 13, 2025 09:49:22.759438038 CET	52378	53	192.168.2.5	1.1.1.1
Jan 13, 2025 09:49:23.114564896 CET	53	52378	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:23.117997885 CET	58540	53	192.168.2.5	1.1.1.1
Jan 13, 2025 09:49:23.118078947 CET	63961	53	192.168.2.5	1.1.1.1
Jan 13, 2025 09:49:23.125801086 CET	53	60730	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:23.475620985 CET	53	58540	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:23.510732889 CET	53	63961	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:27.117026091 CET	59523	53	192.168.2.5	1.1.1.1
Jan 13, 2025 09:49:27.117026091 CET	61616	53	192.168.2.5	1.1.1.1
Jan 13, 2025 09:49:27.459444046 CET	53	61616	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:27.484200001 CET	53	59523	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:35.057822943 CET	53	64579	1.1.1.1	192.168.2.5
Jan 13, 2025 09:49:53.893201113 CET	53	57594	1.1.1.1	192.168.2.5
Jan 13, 2025 09:50:16.761403084 CET	53	50211	1.1.1.1	192.168.2.5
Jan 13, 2025 09:50:16.978193045 CET	53	61869	1.1.1.1	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 13, 2025 09:49:23.125924110 CET	192.168.2.5	1.1.1.1	c26e	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 09:49:21.140223980 CET	192.168.2.5	1.1.1.1	0x16ee	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:21.140358925 CET	192.168.2.5	1.1.1.1	0x4e45	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jan 13, 2025 09:49:22.759242058 CET	192.168.2.5	1.1.1.1	0x56ae	Standard query (0)	communication.investecprivatebank.co.za	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:22.759438038 CET	192.168.2.5	1.1.1.1	0x89c0	Standard query (0)	communication.investecprivatebank.co.za	65	IN (0x0001)	false
Jan 13, 2025 09:49:23.117997885 CET	192.168.2.5	1.1.1.1	0xff35	Standard query (0)	communication.investecprivatebank.co.za	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.118078947 CET	192.168.2.5	1.1.1.1	0xfaa7	Standard query (0)	communication.investecprivatebank.co.za	65	IN (0x0001)	false
Jan 13, 2025 09:49:27.117026091 CET	192.168.2.5	1.1.1.1	0xb032	Standard query (0)	communication.investecprivatebank.co.za	65	IN (0x0001)	false
Jan 13, 2025 09:49:27.117026091 CET	192.168.2.5	1.1.1.1	0xec42	Standard query (0)	communication.investecprivatebank.co.za	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 09:49:21.147396088 CET	1.1.1.1	192.168.2.5	0x16ee	No error (0)	www.google.com	172.217.18.4	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:21.147420883 CET	1.1.1.1	192.168.2.5	0x4e45	No error (0)	www.google.com		65	IN (0x0001)	false
Jan 13, 2025 09:49:23.114564896 CET	1.1.1.1	192.168.2.5	0x89c0	No error (0)	communication.investecprivatebank.co.za		65	IN (0x0001)	false
Jan 13, 2025 09:49:23.125801086 CET	1.1.1.1	192.168.2.5	0x56ae	No error (0)	communication.investecprivatebank.co.za	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.125801086 CET	1.1.1.1	192.168.2.5	0x56ae	No error (0)	communication.investecprivatebank.co.za	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.125801086 CET	1.1.1.1	192.168.2.5	0x56ae	No error (0)	communication.investecprivatebank.co.za	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.125801086 CET	1.1.1.1	192.168.2.5	0x56ae	No error (0)	communication.investecprivatebank.co.za	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.125801086 CET	1.1.1.1	192.168.2.5	0x56ae	No error (0)	communication.investecprivatebank.co.za	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.125801086 CET	1.1.1.1	192.168.2.5	0x56ae	No error (0)	communication.investecprivatebank.co.za	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.125801086 CET	1.1.1.1	192.168.2.5	0x56ae	No error (0)	communication.investecprivatebank.co.za	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.475620985 CET	1.1.1.1	192.168.2.5	0xff35	No error (0)	communication.investecprivatebank.co.za	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.475620985 CET	1.1.1.1	192.168.2.5	0xff35	No error (0)	communication.investecprivatebank.co.za	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.475620985 CET	1.1.1.1	192.168.2.5	0xff35	No error (0)	communication.investecprivatebank.co.za	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.475620985 CET	1.1.1.1	192.168.2.5	0xff35	No error (0)	communication.investecprivatebank.co.za	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.475620985 CET	1.1.1.1	192.168.2.5	0xff35	No error (0)	communication.investecprivatebank.co.za	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.475620985 CET	1.1.1.1	192.168.2.5	0xff35	No error (0)	communication.investecprivatebank.co.za	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.475620985 CET	1.1.1.1	192.168.2.5	0xff35	No error (0)	communication.investecprivatebank.co.za	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:23.510732889 CET	1.1.1.1	192.168.2.5	0xfaa7	No error (0)	communication.investecprivatebank.co.za		65	IN (0x0001)	false
Jan 13, 2025 09:49:27.459444046 CET	1.1.1.1	192.168.2.5	0xec42	No error (0)	communication.investecprivatebank.co.za	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:27.459444046 CET	1.1.1.1	192.168.2.5	0xec42	No error (0)	communication.investecprivatebank.co.za	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:27.459444046 CET	1.1.1.1	192.168.2.5	0xec42	No error (0)	communication.investecprivatebank.co.za	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:27.459444046 CET	1.1.1.1	192.168.2.5	0xec42	No error (0)	communication.investecprivatebank.co.za	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:27.459444046 CET	1.1.1.1	192.168.2.5	0xec42	No error (0)	communication.investecprivatebank.co.za	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:27.459444046 CET	1.1.1.1	192.168.2.5	0xec42	No error (0)	communication.investecprivatebank.co.za	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:27.459444046 CET	1.1.1.1	192.168.2.5	0xec42	No error (0)	communication.investecprivatebank.co.za	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 09:49:27.484200001 CET	1.1.1.1	192.168.2.5	0xb032	No error (0)	communication.investecprivatebank.co.za		65	IN (0x0001)	false

HTTP Request Dependency Graph

communication.investecprivatebank.co.za

https:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	104.21.96.1	443	4524	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 08:49:24 UTC	728	OUT	GET /Marketing/DocFusion/Headers/PBHeaderBanner.jpg HTTP/1.1 Host: communication.investecprivatebank.co.za Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-13 08:49:24 UTC	939	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 08:49:24 GMT Content-Type: image/jpeg Content-Length: 13985 Connection: close Last-Modified: Fri, 27 Jan 2023 11:18:50 GMT ETag: "36a1-5f33d07a86edc" Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 7035 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DJoXZ3JbgHJCudhnolNXF40pURM1BwYo45BoOxFBT%2FuA%2BG%2BARP%2BoXQJjzCOAbWofk1s0ciC0E1iIIpAfUdYdxPL%2Bm8qwhPR1eBGdRRBGd46sXVklqQaxVOVx1AqqqeBBBoUhM2u0uT5bwrcMKuBdkRdNJLGuLcn3qkI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901421fe0b89de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2970&min_rtt=1671&rtt_var=3066&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1310&delivery_rate=1695702&cwnd=195&unsent_bytes=0&cid=73292309df72ea1f&ts=239&x=0"
2025-01-13 08:49:24 UTC	430	IN	Data Raw: ff d8 ff e1 05 5b 45 78 69 66 00 00 49 49 2a 00 08 00 00 00 0c 00 00 01 03 00 01 00 00 00 37 02 00 00 01 01 03 00 01 00 00 00 55 00 00 00 02 01 03 00 03 00 00 00 9e 00 00 00 06 01 03 00 01 00 00 00 02 00 00 00 12 01 03 00 01 00 00 00 01 00 00 00 15 01 03 00 01 00 00 00 03 00 00 00 1a 01 05 00 01 00 00 00 a4 00 00 00 1b 01 05 00 01 00 00 00 ac 00 00 00 28 01 03 00 01 00 00 00 02 00 00 00 31 01 02 00 1f 00 00 00 b4 00 00 00 32 01 02 00 14 00 00 00 d3 00 00 00 69 87 04 00 01 00 00 00 e8 00 00 00 20 01 00 00 08 00 08 00 08 00 80 fc 0a 00 10 27 00 00 80 fc 0a 00 10 27 00 00 41 64 6f 62 65 20 50 68 6f 74 6f 73 68 6f 70 20 32 34 2e 30 20 28 57 69 6e 64 6f 77 73 29 00 32 30 32 32 3a 31 31 3a 32 32 20 31 36 3a 33 37 3a 31 36 00 00 04 00 00 90 07 00 04 00 00 00 30 Data Ascii: [ExifII*7U(12i ''Adobe Photoshop 24.0 (Windows)2022:11:22 16:37:160
2025-01-13 08:49:24 UTC	1369	IN	Data Raw: 00 0c 08 08 08 09 08 0c 09 09 0c 11 0b 0a 0b 11 15 0f 0c 0c 0f 15 18 13 13 15 13 13 18 11 0c 0c 0c 0c 0c 0c 11 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 01 0d 0b 0b 0d 0e 0d 10 0e 0e 10 14 0e 0e 0e 14 14 0e 0e 0e 0e 14 11 0c 0c 0c 0c 0c 11 11 0c 0c 0c 0c 0c 0c 11 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 00 17 00 a0 03 01 22 00 02 11 01 03 11 01 ff dd 00 04 00 0a ff c4 01 3f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 03 00 01 02 04 05 06 07 08 09 0a 0b 01 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 01 00 02 03 04 05 06 07 08 09 0a 0b 10 00 01 04 01 03 02 04 02 05 07 06 08 05 03 0c 33 01 00 02 11 03 04 21 12 31 05 41 51 61 13 22 71 81 32 06 14 91 Data Ascii: "?3!1AQa"q2
2025-01-13 08:49:24 UTC	1369	IN	Data Raw: 62 6f 6f 6c 00 00 00 00 00 4c 62 6c 73 62 6f 6f 6c 00 00 00 00 00 4e 67 74 76 62 6f 6f 6c 00 00 00 00 00 45 6d 6c 44 62 6f 6f 6c 00 00 00 00 00 49 6e 74 72 62 6f 6f 6c 00 00 00 00 00 42 63 6b 67 4f 62 6a 63 00 00 00 01 00 00 00 00 00 00 52 47 42 43 00 00 00 03 00 00 00 00 52 64 20 20 64 6f 75 62 40 6f e0 00 00 00 00 00 00 00 00 00 47 72 6e 20 64 6f 75 62 40 6f e0 00 00 00 00 00 00 00 00 00 42 6c 20 20 64 6f 75 62 40 6f e0 00 00 00 00 00 00 00 00 00 42 72 64 54 55 6e 74 46 23 52 6c 74 00 00 00 00 00 00 00 00 00 00 00 00 42 6c 64 20 55 6e 74 46 23 52 6c 74 00 00 00 00 00 00 00 00 00 00 00 00 52 73 6c 74 55 6e 74 46 23 50 78 6c 40 52 00 00 00 00 00 00 00 00 00 0a 76 65 63 74 6f 72 44 61 74 61 62 6f 6f 6c 01 00 00 00 00 50 67 50 73 65 6e 75 6d 00 00 00 00 50 Data Ascii: boolLblsboolNgtvboolEmlDboolIntrboolBckgObjcRGBCRd doub@oGrn doub@oBl doub@oBrdTUntF#RltBld UntF#RltRsltUntF#Pxl@RvectorDataboolPgPsenumP
2025-01-13 08:49:24 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 42 74 6f 6d 6c 6f 6e 67 00 00 00 55 00 00 00 00 52 67 68 74 6c 6f 6e 67 00 00 02 58 00 00 00 03 75 72 6c 54 45 58 54 00 00 00 01 00 00 00 00 00 00 6e 75 6c 6c 54 45 58 54 00 00 00 01 00 00 00 00 00 00 4d 73 67 65 54 45 58 54 00 00 00 01 00 00 00 00 00 06 61 6c 74 54 61 67 54 45 58 54 00 00 00 01 00 00 00 00 00 0e 63 65 6c 6c 54 65 78 74 49 73 48 54 4d 4c 62 6f 6f 6c 01 00 00 00 08 63 65 6c 6c 54 65 78 74 54 45 58 54 00 00 00 01 00 00 00 00 00 09 68 6f 72 7a 41 6c 69 67 6e 65 6e 75 6d 00 00 00 0f 45 53 6c 69 63 65 48 6f 72 7a 41 6c 69 67 6e 00 00 00 07 64 65 66 61 75 6c 74 00 00 00 09 76 65 72 74 41 6c 69 67 6e 65 6e 75 6d 00 00 00 0f 45 53 6c 69 63 65 56 65 72 74 41 6c 69 67 6e 00 00 00 07 64 65 66 61 75 6c 74 00 00 00 0b 62 67 43 Data Ascii: BtomlongURghtlongXurlTEXTnullTEXTMsgeTEXTaltTagTEXTcellTextIsHTMLboolcellTextTEXThorzAlignenumESliceHorzAligndefaultvertAlignenumESliceVertAligndefaultbgC
2025-01-13 08:49:24 UTC	1369	IN	Data Raw: 63 ad da e0 fd db 77 fa 6b e6 44 92 53 f4 d7 d8 fa 5b 84 32 c0 d2 5d b8 16 d8 7f 78 38 b5 bb 9c ef 6b 9d ed 5a 0b e5 54 92 53 f5 52 4b e5 54 92 53 f5 52 4b e5 54 92 53 f5 52 4b e5 54 92 53 f5 52 4b e5 54 92 53 f5 52 4b e5 54 92 53 f5 52 4b e5 54 92 53 f5 52 4b e5 54 92 53 ff d9 00 38 42 49 4d 04 21 00 00 00 00 00 57 00 00 00 01 01 00 00 00 0f 00 41 00 64 00 6f 00 62 00 65 00 20 00 50 00 68 00 6f 00 74 00 6f 00 73 00 68 00 6f 00 70 00 00 00 14 00 41 00 64 00 6f 00 62 00 65 00 20 00 50 00 68 00 6f 00 74 00 6f 00 73 00 68 00 6f 00 70 00 20 00 32 00 30 00 32 00 33 00 00 00 01 00 38 42 49 4d 04 06 00 00 00 00 00 07 00 08 01 01 00 01 01 00 ff e1 0e c3 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 Data Ascii: cwkDS[2]x8kZTSRKTSRKTSRKTSRKTSRKTSRKTSRKTS8BIM!WAdobe PhotoshopAdobe Photoshop 20238BIMhttp://ns.adobe.com/xap/1.0/<?xpacke
2025-01-13 08:49:24 UTC	1369	IN	Data Raw: 52 65 66 3a 64 6f 63 75 6d 65 6e 74 49 44 3d 22 33 41 39 38 30 35 33 36 34 41 39 44 42 46 36 41 36 39 37 39 46 44 44 32 31 45 45 45 33 37 32 32 22 2f 3e 20 3c 78 6d 70 4d 4d 3a 48 69 73 74 6f 72 79 3e 20 3c 72 64 66 3a 53 65 71 3e 20 3c 72 64 66 3a 6c 69 20 73 74 45 76 74 3a 61 63 74 69 6f 6e 3d 22 73 61 76 65 64 22 20 73 74 45 76 74 3a 69 6e 73 74 61 6e 63 65 49 44 3d 22 78 6d 70 2e 69 69 64 3a 38 66 63 61 30 63 32 36 2d 61 63 30 33 2d 30 38 34 38 2d 61 66 64 62 2d 63 64 35 39 66 61 34 66 66 38 66 37 22 20 73 74 45 76 74 3a 77 68 65 6e 3d 22 32 30 32 32 2d 31 31 2d 30 34 54 30 36 3a 35 33 3a 34 34 2b 30 32 3a 30 30 22 20 73 74 45 76 74 3a 73 6f 66 74 77 61 72 65 41 67 65 6e 74 3d 22 41 64 6f 62 65 20 50 68 6f 74 6f 73 68 6f 70 20 32 34 2e 30 20 28 57 69 Data Ascii: Ref:documentID="3A9805364A9DBF6A6979FDD21EEE3722"/> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:8fca0c26-ac03-0848-afdb-cd59fa4ff8f7" stEvt:when="2022-11-04T06:53:44+02:00" stEvt:softwareAgent="Adobe Photoshop 24.0 (Wi
2025-01-13 08:49:24 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii:
2025-01-13 08:49:24 UTC	1369	IN	Data Raw: 01 01 01 02 02 01 02 02 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 ff c2 00 11 08 00 55 02 58 03 01 11 00 02 11 01 03 11 01 ff c4 00 a3 00 01 00 02 03 01 00 03 01 00 00 00 00 00 00 00 00 00 07 09 01 06 08 05 02 04 0a 03 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 01 03 03 02 06 02 02 03 00 00 00 00 00 00 00 08 06 07 09 01 11 05 00 04 10 50 21 02 03 0a 20 60 70 90 31 12 16 11 00 01 04 03 00 00 03 03 08 07 07 05 00 00 00 00 05 03 04 06 07 01 02 08 00 11 09 21 31 13 f0 41 51 81 12 14 15 16 10 50 71 91 a1 b1 c1 20 70 61 d1 e1 22 24 60 17 57 b7 18 12 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 ff da 00 0c 03 01 01 02 11 03 11 00 00 00 Data Ascii: UXP! `p1!1AQPq pa"$`W
2025-01-13 08:49:24 UTC	1369	IN	Data Raw: 1e c5 2d 18 ec 2e 8c 7b 3a b5 f9 f2 c2 07 23 90 c2 b5 3e 4c 32 a8 a8 94 18 94 7d 7d 76 c0 fd d3 1e f9 57 4e 91 6d 8a cf a9 79 ec fa e7 ab 4b 34 4a af 19 24 49 ba 6c 24 71 93 63 9d 2c 32 49 0c 97 0a 49 c3 bd 04 ca a2 a6 9a ac cd e2 3a 2a b2 1b 6e 9e 15 6e aa ed 94 45 65 3f e8 7b 2d af 2d c9 a0 c1 ad 76 50 e9 b1 21 31 cb 0e b4 56 cd 8d da 39 42 0b 27 48 75 58 e4 7b 79 d4 05 78 f6 b3 39 22 ec 10 54 b6 ae 1d 65 ab 7c 29 ae 1b 29 95 3e d6 95 3d 83 43 f4 4f 2a f3 20 b0 12 6b 3a 0d 3d e6 aa fb 85 32 98 aa 3a cc 09 3f 90 bb 94 45 9e b6 ff 00 e9 20 0e 1b 14 3e 99 46 d2 1d fe 3b 34 17 dd 33 3a 6e a6 bf 6f 6c e3 c0 f9 5b 3e ea a3 eb c8 0c 76 c5 eb 52 65 94 94 f1 fa 65 5b 01 67 1e e9 fb c3 79 6c 88 b4 9d d7 4b 80 6a d8 4a ef 58 3b 23 9f 8a 8a 69 8f 6c a6 12 d9 45 30 Data Ascii: -.{:#>L2}}vWNmyK4J$Il$qc,2II:nnEe?{--vP!1V9B'HuX{yx9"Te\|))>=CO k:=2:?E >F;43:nol[>vRee[gylKjJX;#ilE0
2025-01-13 08:49:24 UTC	1369	IN	Data Raw: 95 e9 42 3a 54 d3 db af 32 2a 59 be 92 6a 46 3c db 41 6d e0 bf 96 99 fc 30 f1 ad 09 e3 61 28 fd eb fe 1e ed 90 cf 9e ff 00 0f db d7 b5 37 e6 ce d1 ab f8 0f 8a 64 1a d6 03 e3 3c 1b 45 5f 53 fb 6f a1 ad 0c c9 25 31 85 e5 f6 cd d7 cf f5 dc de c1 a8 6b ad b7 83 17 5c 28 a1 4f a3 0f 0a 37 51 b6 fb 38 59 46 cf 34 4f 97 a7 9e 9d 90 1f 56 ee a4 e5 f9 b4 b9 78 a7 62 73 2f 58 f3 67 6b d8 8d 61 91 25 49 c7 51 1b 65 53 f7 27 4a d7 2b 5a c0 a4 08 0d 26 55 4d d9 66 44 f8 7e 5c b1 6d 95 db e5 05 54 d7 1c 8b e8 af c4 36 0a 34 55 97 d0 82 b6 b1 3a 23 a6 90 02 1a 4f 2f ab 6a 46 41 26 d3 12 b1 8a ac 54 99 a3 f8 eb 39 f3 ea fa b9 2a fb 24 5d b6 71 f0 77 76 39 36 bb 22 ae eb 2a 93 86 d4 bf 7c 7a 92 d4 97 8b 21 aa a9 1e bb 8d f6 a5 ed 74 31 75 29 49 2c ec c0 94 ea 8b b6 26 32 Data Ascii: B:T2YjF<Am0a(7d<E_So%1k\(O7Q8YF4OVxbs/Xgka%IQeS'J+Z&UMfD~\mT64U:#O/jFA&T9$]qwv96"*\|z!t1u)I,&2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49716	104.21.96.1	443	4524	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 08:49:24 UTC	680	OUT	GET /favicon.ico HTTP/1.1 Host: communication.investecprivatebank.co.za Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-13 08:49:27 UTC	942	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 08:49:27 GMT Content-Type: image/vnd.microsoft.icon Content-Length: 0 Connection: close Last-Modified: Tue, 19 Apr 2016 09:08:23 GMT ETag: "0-530d2d1b81a17" Cache-Control: max-age=14400 CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZTuu2OTu9SnG%2FNJDpNBLQcsmfaQwOnOAKHwETY%2F4BSg4lOsbfmozBld5h2brHmpVDPzr4DYsM8JJKrKKQxy5z1SL99rvaDriALfmX9r7%2FCCEp2IIPmlf6a%2FtrZhlLfMAWLa5aez4DCtl5N4to0Kdg0oSfJChCagyhjw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901422031cc2c32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2948&min_rtt=1591&rtt_var=3103&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1262&delivery_rate=1835323&cwnd=179&unsent_bytes=0&cid=825ec9bf6d9f6fdb&ts=2288&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49717	104.21.96.1	443	4524	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 08:49:28 UTC	374	OUT	GET /favicon.ico HTTP/1.1 Host: communication.investecprivatebank.co.za Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-13 08:49:28 UTC	942	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 08:49:28 GMT Content-Type: image/vnd.microsoft.icon Content-Length: 0 Connection: close Last-Modified: Tue, 19 Apr 2016 09:08:23 GMT ETag: "0-530d2d1b81a17" Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 1 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4BEfbs5l3rWVYCnJi6EmbAlO6LHk%2Fk6V8DfCE0j%2B3Pipw26o5af4UI08%2FA6RKtg8q%2BFLfJGuZ8rYCnvJgBi0%2BOkACNZkLNp3BKDFIjHvOODQYsT70xMwxEBEa0ifr4VPQoTQPcjI7G6K3riEV7a1Mgp3GqR8obMnldU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90142216bf221a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3353&min_rtt=2033&rtt_var=3212&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=956&delivery_rate=1429970&cwnd=158&unsent_bytes=0&cid=5b6def490db20f44&ts=215&x=0"

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 2992, Parent PID: 5760

General

Target ID:	0
Start time:	03:49:11
Start date:	13/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 4524, Parent PID: 2992

General

Target ID:	2
Start time:	03:49:15
Start date:	13/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2000,i,2892010767107148487,16442813963007683388,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 2804, Parent PID: 5760

General

Target ID:	3
Start time:	03:49:21
Start date:	13/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 58

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 2992, Parent PID: 5760

General

Chronological Activities

Analysis Process: chrome.exePID: 4524, Parent PID: 2992

General

Chronological Activities

Windows Analysis Report
http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg