Edit tour

Windows Analysis Report
https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238

Overview

General Information

Sample URL:	https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238
Analysis ID:	1541367
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6856 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7084 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1952,i,1658265727779771746,17902262811640550139,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 16:29:06 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: closex-amz-request-id: SRSZPC1J2KWNS4Q9x-amz-id-2: hLtVw7El38g4tocZ90QGBtBBF3IUYnlCCsRUxQfIKZzRAkmC+vfHJzKLS3IFZCBNiYuuMACfTY4=CF-Cache-Status: MISSServer: cloudflareCF-RAY: 8d7b58028845e552-DFW

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49712 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@17/10@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1952,i,1658265727779771746,17902262811640550139,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1952,i,1658265727779771746,17902262811640550139,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
braze-images.com	104.19.152.69	true	false		unknown
www.google.com	142.250.186.164	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://braze-images.com/favicon.ico	false		unknown
https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.19.152.69	braze-images.com	United States	13335	CLOUDFLARENETUS	false
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541367
Start date and time:	2024-10-24 18:28:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@17/10@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.99, 142.250.185.78, 66.102.1.84, 34.104.35.123, 199.232.214.172, 172.217.16.142
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 15:29:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9895917777543106
Encrypted:	false
SSDEEP:	48:8LdvTHz6HvidAKZdA1FehwiZUklqeh7y+3:81/ecy
MD5:	E453EB4E4BBDF89175E0068E03733AA4
SHA1:	E8A75983C565F782C1B6889F61F34A69A88DB761
SHA-256:	4FE39D5BB51CF19D67C6C89F5F238FD9E75965FFDB3C74249788BF4CC8F371C0
SHA-512:	CFC750E99071C64B97F3B7CB4DC53A86FE03C1080394E5C4063F08ED8C55CCD217D8B054AEE63279EE5B42AC852BC72C967AA9DC93CA16275971BFD55E9DB988
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......).1&..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............H.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 15:29:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.002881476134613
Encrypted:	false
SSDEEP:	48:8cdvTHz6HvidAKZdA1seh/iZUkAQkqehMy+2:8U/Y9Q9y
MD5:	635D087A4C6283CE69D9E8363BCE091E
SHA1:	7ACFD3C0BEFF78345EB6C0730D8E4722AFA50D01
SHA-256:	515E8249915F97A89B67BBBFEFC52BA4A4FF0ABAD1CDA8DD61E064B0D1220288
SHA-512:	6C0539850CB4D715E6E891C007768AF0B29323A5816497E9A7357A0FAA630EF7FC734C76C998B031B4B5ABA5D387344D8D288B5DFC32DEE778C8898D88A7714A
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....HX..1&..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............H.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.012150990779085
Encrypted:	false
SSDEEP:	48:8advTHzAHvidAKZdA14meh7sFiZUkmgqeh7suy+BX:8q/anAy
MD5:	FB72EE718DC9218CCA81E66668A03FCC
SHA1:	13E192C45DACC9B7DDA5F1AF6B173DB57D88F90F
SHA-256:	56CEAAB015B0774E72B237C69CE791A9B4140BDF55277B70400A6A9D74256564
SHA-512:	9EF430DDCDABFAAA83EE16DB7C374B5241949A479AFFE73A6E7C27DE0BA14AB6977CD9DF9DAF6CE8EF85E58837870F7A6C1C9BFCBDC4692963402BF3AB3B769C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............H.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 15:29:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.0023011098489985
Encrypted:	false
SSDEEP:	48:8HdvTHz6HvidAKZdA1TehDiZUkwqehYy+R:8h/Tmy
MD5:	11A742C2B10E59B443EC2B79EE9B7330
SHA1:	D9AE9D4D981E9576CD134E13EE00E9A5F5251C87
SHA-256:	BBB64CD82D80C7B33C060C1E0BB4E1E3D3961E764F835467A965907CE75B33FA
SHA-512:	08C2DA997B8B6F7B74228C79E987A02C50A8F1C8F94D0FA289A71FA298AD5B5B8914E32674A2BD4614C9429932D66F582261A2BFE48B4C0F2FC781FDE66ADC33
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........1&..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............H.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 15:29:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.992586575352082
Encrypted:	false
SSDEEP:	48:8ZdvTHz6HvidAKZdA1dehBiZUk1W1qehyy+C:87/j9Sy
MD5:	D9DDB09C6AD7277507DAE21CC646B390
SHA1:	651F8646B0E391AFD10BBFB734ABE69EAE48438B
SHA-256:	5FFA6EC36DFB449840EEB04A68D812E60F519A284D18F36AAA1CB26911AC9D1C
SHA-512:	BEDC620E78F9AD9CF0ED190AD848AD25A13575958AC74FD5092C0EC1FBA0DD918B127FACFF8C02AC8B6A5EBDED3157BB3B73ADDB1B6B015882BC8D05F9FB315C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......".1&..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............H.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 15:29:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.001150536096679
Encrypted:	false
SSDEEP:	48:8AdvTHz6HvidAKZdA1duTeehOuTbbiZUk5OjqehOuTbAy+yT+:8Y/nTfTbxWOvTbAy7T
MD5:	42A4D55B6089CE80CC22832A2CDA6B01
SHA1:	A63130C1810D6239A78736471056E8F401649214
SHA-256:	AB10E3C2BFB0233EB302070D279BD81FDE99192702E8E573E4815410E84D36BB
SHA-512:	5EEAA908E54DA820F8395F4CEB4953795FDF460DC7B31378CAA4AD58373F9CD4BBD64EB08803C61C93B58AD4CC53FF2348BA593FED5FE8C1E83FE5CA4EAB8367
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........1&..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............H.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 56

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	XML 1.0 document, ASCII text
Category:	downloaded
Size (bytes):	243
Entropy (8bit):	5.60012479004112
Encrypted:	false
SSDEEP:	6:TMVBd/ZbZjZvKtWRVzj26RpHm6HPONban:TMHd9BZKtWRJ/G0Aba
MD5:	D0A6D42EB6CD9AD54C15ADD1B44209BF
SHA1:	C894BB54617368C0B5DB7E072AECE5F858ABC4D3
SHA-256:	65A5A1E68F47B0F25214DD36CF59CB7405AFC59AC05B0AA3C24ED9639AAD0D90
SHA-512:	B65F58856BAA4FEB221C65B1B9B2A8D7E1B821184F95D44263ECF133377010A488F3238BE56FC97E7690236DD792C5F8845047E878F284AEBE9E2BDA910C35A8
Malicious:	false
Reputation:	low
URL:	https://braze-images.com/favicon.ico
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>SRSZPC1J2KWNS4Q9</RequestId><HostId>hLtVw7El38g4tocZ90QGBtBBF3IUYnlCCsRUxQfIKZzRAkmC+vfHJzKLS3IFZCBNiYuuMACfTY4=</HostId></Error>

Chrome Cache Entry: 57

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	RIFF (little-endian) data, Web/P image
Category:	downloaded
Size (bytes):	6030
Entropy (8bit):	7.950025939811266
Encrypted:	false
SSDEEP:	96:QaDVkFCUpUt7oKYJ6wXGzV1PFEoDhsx7TGs+s+zehl7Iq8tZVlMMwqimghSI2:QaDDV9Wxa1zDKJGs+he7Iq8XLueMz2
MD5:	E2A28CE1645B5D2802984B21DF22700A
SHA1:	22B2143B108C38E289B5154A1B15AB3B8A8A913B
SHA-256:	E8722D88D26D112ED6B1776067E428CE3E5F09BBCD7A78E051B5D3C8AE161B79
SHA-512:	9A156BEBF4DF30E496F5EE6CE7B7752538DD5E30DC4F654F49F86DD36CD5FB9AEB711363B9F05BEFF9EDF490E852BF5AA7193E187BFF037ABC44A0D57370AD1A
Malicious:	false
Reputation:	low
URL:	https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238
Preview:	RIFF....WEBPVP8Lz.../......m.F..............."p...'.p...b..v......<.. .8..:...-.....TK.U....nc.V.....!"..+ ...._H...7.m+...f.....xRe1j#.q.V..;......B6c.kH\|b....c..@..MLe.$;..8.8'..]...a..S...B.!}pe.....@..m....e...7....`....2......D.....~?..=8~..}...(..z....K.......k).@s.......=..1...4....H..$....$.uK.......Gi.c...+.8:0.......A.n.o.+.....m..m.r.c./[G.u.)FW.....m.\s.V..m..m..>..s.}.e...v.. \....+$..m.9G...m[.6..K...C....2w.%u.=]A.L#fff.. ...'...mr...._..Q.?.1J.....7F-..pn... .oA$..8j..m.lmk}.%2....q....g@...)'K......13o.3..%. .-i.9b. .9..#R.....A(..B.Q..Z1v"vb.(I-b..(..#.h........,.?._..\.8..6......8....^..9...Y.[..6..2.Ik....b1......"..I.L......`.Cu..a.....#=.Kn.o..ZU..............Sw.fot....]...N.j....)"DE.P.E.......5QG..W..qrT.O....2.u.......+U..d7_.qGl...XH..TIBa.Q.T.JP..."A,!...P ..Ah..n...K2n...6.........E...+jK#-......R.0..e.C.D%.R.u.F..J....?...... ........,i.8.........;.....?.ap...s-...C...(.\......t.)L...@......3.&.Y.h..@..^...T[.M..+.

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 18:29:05.239902973 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 24, 2024 18:29:05.348143101 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.348216057 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.348314047 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.348372936 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.348396063 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.348453045 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.348596096 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.348647118 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.348735094 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.348747969 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.542360067 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 24, 2024 18:29:05.968436956 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.970328093 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.970338106 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.970566988 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.971904039 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.971987963 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.972079992 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.972145081 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.973119974 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.973201990 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.973301888 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.973745108 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:05.973853111 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.974598885 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:05.974690914 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.015350103 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.021410942 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.021418095 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.021451950 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.021477938 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.066421986 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.067467928 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.119756937 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.119863987 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.119954109 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.119973898 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.119981050 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.120037079 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.120042086 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.120261908 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.120337963 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.146197081 CEST	49700	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.146208048 CEST	443	49700	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.148005009 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 24, 2024 18:29:06.261976004 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.303366899 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.545618057 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.545849085 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:06.546185017 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.546363115 CEST	49699	443	192.168.2.16	104.19.152.69
Oct 24, 2024 18:29:06.546397924 CEST	443	49699	104.19.152.69	192.168.2.16
Oct 24, 2024 18:29:07.349124908 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 24, 2024 18:29:08.620492935 CEST	49689	80	192.168.2.16	192.229.211.108
Oct 24, 2024 18:29:09.285937071 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:09.286024094 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:09.286128044 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:09.286329031 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:09.286356926 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:09.753387928 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 24, 2024 18:29:10.143285036 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:10.143728971 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:10.143790007 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:10.145461082 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:10.145598888 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:10.146883965 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:10.146970987 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:10.201534986 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:10.201596022 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:10.249481916 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:11.525082111 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:11.525170088 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:11.525320053 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:11.527327061 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:11.527357101 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.392735958 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.392857075 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.399614096 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.399658918 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.400034904 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.455398083 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.460369110 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.507359982 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.863423109 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.863667965 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.863692045 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.863692045 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.863740921 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.863759995 CEST	49709	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.863769054 CEST	443	49709	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.906383038 CEST	49710	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.906512022 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:12.906625032 CEST	49710	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.906918049 CEST	49710	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:12.906955957 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:13.404786110 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 24, 2024 18:29:13.708408117 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 24, 2024 18:29:13.757791042 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:13.757888079 CEST	49710	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:13.759097099 CEST	49710	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:13.759125948 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:13.759490013 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:13.761363983 CEST	49710	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:13.807338953 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:14.004774094 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:14.004909992 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:14.005636930 CEST	49710	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:14.005737066 CEST	49710	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:14.005737066 CEST	49710	443	192.168.2.16	184.28.90.27
Oct 24, 2024 18:29:14.005784035 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:14.005812883 CEST	443	49710	184.28.90.27	192.168.2.16
Oct 24, 2024 18:29:14.314388990 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 24, 2024 18:29:14.554526091 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 24, 2024 18:29:15.526547909 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 24, 2024 18:29:16.385719061 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:16.385776043 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:16.385891914 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:16.387228966 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:16.387254953 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.311198950 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.311343908 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.314716101 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.314744949 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.315306902 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.357988119 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.385211945 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.427362919 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.688112020 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.688170910 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.688200951 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.688241005 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.688266993 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.688314915 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.688383102 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.688427925 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.688427925 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.688457012 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.688755989 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.688847065 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.688865900 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.697505951 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.697546005 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.697570086 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.697577953 CEST	49711	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:17.697693110 CEST	443	49711	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:17.874538898 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 24, 2024 18:29:17.937422037 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 24, 2024 18:29:18.177413940 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 24, 2024 18:29:18.783401012 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 24, 2024 18:29:19.997389078 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 24, 2024 18:29:20.128179073 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:20.128253937 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:20.128458977 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:20.815582991 CEST	49707	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:29:20.815644979 CEST	443	49707	142.250.186.164	192.168.2.16
Oct 24, 2024 18:29:22.410408020 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 24, 2024 18:29:22.745449066 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 24, 2024 18:29:24.165492058 CEST	49673	443	192.168.2.16	204.79.197.203
Oct 24, 2024 18:29:27.216484070 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 24, 2024 18:29:32.357522964 CEST	49678	443	192.168.2.16	20.189.173.10
Oct 24, 2024 18:29:36.817768097 CEST	49680	80	192.168.2.16	192.229.211.108
Oct 24, 2024 18:29:54.073055029 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:54.073144913 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:54.073604107 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:54.074350119 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:54.074429035 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.025998116 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.026355028 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.027506113 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.027585030 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.028106928 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.030033112 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.071367025 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.341253996 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.341314077 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.341356993 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.341761112 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.341825008 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.342163086 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.460375071 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.460494041 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.460653067 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:29:55.460704088 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.460704088 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.461009026 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.461009026 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.461009026 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.765599012 CEST	49712	443	192.168.2.16	52.149.20.212
Oct 24, 2024 18:29:55.765671015 CEST	443	49712	52.149.20.212	192.168.2.16
Oct 24, 2024 18:30:09.333971977 CEST	49714	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:30:09.334032059 CEST	443	49714	142.250.186.164	192.168.2.16
Oct 24, 2024 18:30:09.334269047 CEST	49714	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:30:09.334460974 CEST	49714	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:30:09.334477901 CEST	443	49714	142.250.186.164	192.168.2.16
Oct 24, 2024 18:30:10.202287912 CEST	443	49714	142.250.186.164	192.168.2.16
Oct 24, 2024 18:30:10.202672958 CEST	49714	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:30:10.202708006 CEST	443	49714	142.250.186.164	192.168.2.16
Oct 24, 2024 18:30:10.204181910 CEST	443	49714	142.250.186.164	192.168.2.16
Oct 24, 2024 18:30:10.204653978 CEST	49714	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:30:10.204802036 CEST	443	49714	142.250.186.164	192.168.2.16
Oct 24, 2024 18:30:10.259762049 CEST	49714	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:30:20.189049006 CEST	443	49714	142.250.186.164	192.168.2.16
Oct 24, 2024 18:30:20.189198971 CEST	443	49714	142.250.186.164	192.168.2.16
Oct 24, 2024 18:30:20.189424038 CEST	49714	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:30:20.815502882 CEST	49714	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:30:20.815577984 CEST	443	49714	142.250.186.164	192.168.2.16
Oct 24, 2024 18:31:09.392752886 CEST	49716	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:31:09.392841101 CEST	443	49716	142.250.186.164	192.168.2.16
Oct 24, 2024 18:31:09.392956972 CEST	49716	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:31:09.393179893 CEST	49716	443	192.168.2.16	142.250.186.164
Oct 24, 2024 18:31:09.393213987 CEST	443	49716	142.250.186.164	192.168.2.16
Oct 24, 2024 18:31:10.253504992 CEST	443	49716	142.250.186.164	192.168.2.16
Oct 24, 2024 18:31:10.301769972 CEST	49716	443	192.168.2.16	142.250.186.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 18:29:04.528764963 CEST	53	58980	1.1.1.1	192.168.2.16
Oct 24, 2024 18:29:04.576843023 CEST	53	49600	1.1.1.1	192.168.2.16
Oct 24, 2024 18:29:05.336114883 CEST	57204	53	192.168.2.16	1.1.1.1
Oct 24, 2024 18:29:05.336357117 CEST	49522	53	192.168.2.16	1.1.1.1
Oct 24, 2024 18:29:05.344475031 CEST	53	49522	1.1.1.1	192.168.2.16
Oct 24, 2024 18:29:05.344845057 CEST	53	57204	1.1.1.1	192.168.2.16
Oct 24, 2024 18:29:05.838857889 CEST	53	53929	1.1.1.1	192.168.2.16
Oct 24, 2024 18:29:09.276426077 CEST	54720	53	192.168.2.16	1.1.1.1
Oct 24, 2024 18:29:09.276655912 CEST	59106	53	192.168.2.16	1.1.1.1
Oct 24, 2024 18:29:09.284101009 CEST	53	54720	1.1.1.1	192.168.2.16
Oct 24, 2024 18:29:09.285094976 CEST	53	59106	1.1.1.1	192.168.2.16
Oct 24, 2024 18:29:22.787859917 CEST	53	54700	1.1.1.1	192.168.2.16
Oct 24, 2024 18:29:41.839981079 CEST	53	59075	1.1.1.1	192.168.2.16
Oct 24, 2024 18:30:04.463829994 CEST	53	61886	1.1.1.1	192.168.2.16
Oct 24, 2024 18:30:04.780560970 CEST	53	64138	1.1.1.1	192.168.2.16
Oct 24, 2024 18:30:09.579660892 CEST	138	138	192.168.2.16	192.168.2.255
Oct 24, 2024 18:30:33.281124115 CEST	53	60734	1.1.1.1	192.168.2.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 18:29:05.336114883 CEST	192.168.2.16	1.1.1.1	0x1263	Standard query (0)	braze-images.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 18:29:05.336357117 CEST	192.168.2.16	1.1.1.1	0x5a79	Standard query (0)	braze-images.com	65	IN (0x0001)	false
Oct 24, 2024 18:29:09.276426077 CEST	192.168.2.16	1.1.1.1	0xd796	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 18:29:09.276655912 CEST	192.168.2.16	1.1.1.1	0x59ba	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 18:29:05.344845057 CEST	1.1.1.1	192.168.2.16	0x1263	No error (0)	braze-images.com	104.19.152.69	A (IP address)	IN (0x0001)	false
Oct 24, 2024 18:29:05.344845057 CEST	1.1.1.1	192.168.2.16	0x1263	No error (0)	braze-images.com	104.19.153.69	A (IP address)	IN (0x0001)	false
Oct 24, 2024 18:29:09.284101009 CEST	1.1.1.1	192.168.2.16	0xd796	No error (0)	www.google.com	142.250.186.164	A (IP address)	IN (0x0001)	false
Oct 24, 2024 18:29:09.285094976 CEST	1.1.1.1	192.168.2.16	0x59ba	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

braze-images.com

https:

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49700	104.19.152.69	443	7084	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 16:29:05 UTC	755	OUT	GET /appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238 HTTP/1.1 Host: braze-images.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-24 16:29:06 UTC	690	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 16:29:06 GMT Content-Type: image/webp Content-Length: 6030 Connection: close Cf-Bgj: imgq:85,h2pri Cf-Polished: origFmt=png, origSize=9242 Content-Disposition: inline; filename="original.webp" ETag: "7c1674bda5a155dfb7b60a8565fbe3d6" Last-Modified: Tue, 25 Apr 2023 17:03:59 GMT Vary: Accept x-amz-id-2: ZgK1YIrk+xj7LmfcqlplqtJDHqo0+pRVZ3IewT3pPO/3db6nvUz5E6KODGc/brUIOVyolyMKdzo= x-amz-request-id: 0X3MY0N262PQ2CFM x-amz-server-side-encryption: AES256 CF-Cache-Status: HIT Age: 299 Expires: Thu, 24 Oct 2024 20:29:06 GMT Cache-Control: public, max-age=14400 Accept-Ranges: bytes Server: cloudflare CF-RAY: 8d7b5800bae82d3e-DFW
2024-10-24 16:29:06 UTC	679	IN	Data Raw: 52 49 46 46 86 17 00 00 57 45 42 50 56 50 38 4c 7a 17 00 00 2f 84 80 14 10 09 86 6d db 46 82 ec f6 be f8 f6 1f b8 df 0a 11 fd 9f 00 c6 22 70 e7 1b 01 27 09 70 b5 11 bc 62 e6 d7 76 1a f0 b4 f6 0c b1 df 3c af db 20 a1 38 c9 a3 fc 3a 0d 92 fe 2d 0d 92 18 b2 8a 54 4b 15 55 05 b5 cb b4 16 6e 63 db 56 95 85 bb bb df 21 22 fc f3 2b 20 a4 1c 86 ca 5f 48 fe ad 05 37 b6 6d 2b cd c6 dd a5 66 fe a3 a2 a4 82 78 52 65 31 6a 23 c9 71 d4 8f 56 ef e5 3b 00 b1 ff 13 00 00 42 36 63 b9 6b 48 7c 62 83 9a ed 7f 63 cd b3 0c 40 e2 d1 b8 4d 4c 65 dc 24 3b 8a f2 38 a7 38 27 b1 c2 5d 09 86 94 61 b9 2e 53 17 00 f9 42 81 21 7d 70 65 09 00 cc fb 0d 40 a6 14 6d ba 00 18 d3 65 08 b0 1c 37 c0 fe e7 0a 60 0e 10 1c e9 32 e6 0f 96 f5 a1 86 44 ae c0 92 ef 0f 7e 3f 01 80 3d 38 7e 16 00 7d 01 Data Ascii: RIFFWEBPVP8Lz/mF"p'pbv< 8:-TKUncV!"+ _H7m+fxRe1j#qV;B6ckH\|bc@MLe$;88']a.SB!}pe@me7`2D~?=8~}
2024-10-24 16:29:06 UTC	1369	IN	Data Raw: 0c 8d 82 09 ce 60 0c 43 75 a8 0c 61 1d fb ca 8a 83 be 23 3d 1b 4b 6e d8 b5 6f db cc 5a 55 83 eb f3 06 cc 16 dd f5 ef df 17 e5 f3 ec 94 53 77 96 66 6f 74 dd 17 cb dd 5d d8 de d5 4e c4 6a 84 85 c0 94 29 22 44 45 02 50 11 45 04 82 00 02 0a 15 00 2a 35 51 47 d8 13 57 1c eb 71 72 54 d9 4f b7 09 15 db 32 d7 75 0d 92 c5 f5 aa 9f bf 2b 55 9a cc 64 37 5f ea ae b4 71 47 6c b9 af f0 58 48 a9 c4 54 49 42 61 14 51 04 54 89 4a 50 82 12 e5 96 22 41 2c 21 a4 a0 10 50 20 c0 a0 41 68 a8 00 6e d7 1c c6 4b 32 6e b3 e5 1c 36 cc 98 e9 ba c1 e8 1b a6 ca 14 92 45 f4 da 9f be 2b 6a 4b 23 2d 0f 16 1e ef ca f1 52 8f 30 f6 94 65 bb 43 b6 44 25 ea 52 1d 75 d4 46 89 92 4a 10 04 04 e0 3f 15 00 00 05 10 b1 20 8c 90 06 82 a0 06 8c c4 2c 69 e9 38 ac e3 1c 9e a1 bf e3 d7 f4 3b fc 1b c6 0b Data Ascii: `Cua#=KnoZUSwfot]Nj)"DEPE*5QGWqrTO2u+Ud7_qGlXHTIBaQTJP"A,!P AhnK2n6E+jK#-R0eCD%RuFJ? ,i8;
2024-10-24 16:29:06 UTC	1369	IN	Data Raw: 7a 02 d6 c9 84 86 2e 74 60 e5 60 e6 7f cf 7a ae ae 6f 1c 11 18 96 63 fe d6 4c bf cf 98 37 22 51 4f f5 82 67 fe 61 9c 27 c0 62 6d e9 f1 c8 4c 66 d0 81 85 61 c6 f2 ab 5b 5e f5 9b 7b 5e b7 78 34 da ff 65 92 da 6a 46 23 21 95 4c 52 0d ec b8 ed a1 3f eb b2 5b 30 e0 69 6a 7b 60 97 2e cc c2 2c 34 4d 4d c7 3c 2f f8 f7 af c3 51 58 3b 5d 45 83 1b 6d e7 b0 35 6b 35 81 54 04 53 4f 6c cf 0d 53 cf 81 85 fb 84 1e 08 47 98 8d ae d4 1c ee 60 ee 32 0f 66 90 1c 1e 8c 9b 33 85 66 e3 48 e2 56 90 54 52 ad 69 33 ff d6 b9 02 16 6f 04 7f 36 dd 9b 92 23 39 50 18 cb b8 dd cd a7 92 77 f7 70 78 2b b7 3d 49 07 f2 58 49 31 64 53 32 e5 ec 56 2d 36 fc 17 a8 4d 9a 5b d3 e1 7a 41 11 d5 7e e5 e1 e9 46 75 34 1d ce a7 db 3b 90 67 86 a7 4e 4f 29 36 02 cf 8b df 55 bb 36 ba 51 a9 c4 92 75 6a f2 Data Ascii: z.t``zocL7"QOga'bmLfa[^{^x4ejF#!LR?[0ij{`.,4MM</QX;]Em5k5TSOlSG`2f3fHVTRi3o6#9Pwpx+=IXI1dS2V-6M[zA~Fu4;gNO)6U6Quj
2024-10-24 16:29:06 UTC	1369	IN	Data Raw: 5e dc 7a f7 a4 34 7b be bb 74 42 c8 30 fe f4 97 ed 11 c0 65 e3 72 bf 4c 6c 4a 55 c3 dc cb 1b 70 9f 60 e6 23 0b 12 f3 f1 c7 bf ce 67 8d 6e c2 c7 8a e1 1a cc 04 a0 a0 9c 30 6c af 93 b9 5d 3d 10 12 4a 54 0c 2b 70 25 1f 32 f5 4c a5 e9 70 6e 3e 69 50 05 f5 0b 79 a6 8e ef 41 54 c6 87 e5 2c 21 85 6f bd 0f bf be 1e c2 7a f5 e1 17 97 7b 81 64 0f ba c7 bb b9 3d 2a 4d 27 20 57 28 e9 bc 7e de 68 d4 8f de 1a 9c 8f 2c 29 b4 94 3a 3d e4 cb 6f 96 6a ac 6c cf 4a fd 75 de 97 b0 50 12 54 93 8b 63 c1 ea bc 12 a8 3c 6e cb 07 72 74 12 79 a9 9b 81 9d b2 b5 b3 76 6a 8e 14 0b e7 07 d3 3e bc ee bc ff f5 d4 0e 03 33 94 87 e7 ec 3b 44 9a 99 0e c0 c2 c4 72 f6 ed 7e 19 b6 01 d7 82 6b 60 ad 28 9d 68 05 4e d9 d8 54 23 9d 67 1d f6 40 31 28 a2 46 1d ef 90 82 4a 75 3c 1d e6 f9 01 82 93 e8 Data Ascii: ^z4{tB0erLlJUp`#gn0l]=JT+p%2Lpn>iPyAT,!oz{d=*M' W(~h,):=ojlJuPTc<nrtyvj>3;Dr~k`(hNT#g@1(FJu<
2024-10-24 16:29:06 UTC	1244	IN	Data Raw: 4c c7 14 48 30 55 6d 50 a7 0c b6 91 05 00 40 39 84 8e 0d a4 82 84 03 8e e3 f6 28 75 73 8a 0d 52 4d 11 c0 48 62 39 5f ba 6d c6 80 10 80 29 4c 67 4a 90 cc 35 58 07 80 3a 48 4d a3 2a 2e 96 b6 85 10 80 3c 88 70 4c 3e 58 b2 1a 0d 08 63 37 11 fb a9 06 a9 9c aa 0a 02 97 24 98 2f 96 4e 9b 11 28 00 80 21 1d cd 04 09 ac e1 2a 4a 0a 8d 68 6c aa b2 74 e6 96 40 02 80 90 3c 09 8e 77 a5 24 00 c0 01 27 85 75 d3 0d a2 12 15 05 30 06 a1 f5 62 ed 34 99 d0 a3 81 40 04 60 0d d6 20 99 05 82 ab b0 4a 93 44 e8 85 3b 0e fa 48 95 b5 b5 9c 81 b0 70 04 51 13 0d f2 6c aa 1b 00 1c 27 e1 ca fa 99 06 51 8a 32 11 01 c8 42 cb c5 72 8e b7 78 1e ed 07 0a 42 20 f4 b0 47 93 99 60 99 2e 47 4c 92 48 b0 d5 1b 76 3d 54 65 3e 5f 5a 41 98 04 38 e4 5a a5 41 2a c7 54 05 07 64 8c 89 d0 4d 2b 1c 93 a5 Data Ascii: LH0UmP@9(usRMHb9_m)LgJ5X:HM.<pL>Xc7$/N(!Jhlt@<w$'u0b4@` JD;HpQl'Q2BrxB G`.GLHv=Te>_ZA8ZA*TdM+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.16	49699	104.19.152.69	443	7084	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 16:29:06 UTC	684	OUT	GET /favicon.ico HTTP/1.1 Host: braze-images.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-24 16:29:06 UTC	340	IN	HTTP/1.1 403 Forbidden Date: Thu, 24 Oct 2024 16:29:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close x-amz-request-id: SRSZPC1J2KWNS4Q9 x-amz-id-2: hLtVw7El38g4tocZ90QGBtBBF3IUYnlCCsRUxQfIKZzRAkmC+vfHJzKLS3IFZCBNiYuuMACfTY4= CF-Cache-Status: MISS Server: cloudflare CF-RAY: 8d7b58028845e552-DFW
2024-10-24 16:29:06 UTC	249	IN	Data Raw: 66 33 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 41 63 63 65 73 73 44 65 6e 69 65 64 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 41 63 63 65 73 73 20 44 65 6e 69 65 64 3c 2f 4d 65 73 73 61 67 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 53 52 53 5a 50 43 31 4a 32 4b 57 4e 53 34 51 39 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 68 4c 74 56 77 37 45 6c 33 38 67 34 74 6f 63 5a 39 30 51 47 42 74 42 42 46 33 49 55 59 6e 6c 43 43 73 52 55 78 51 66 49 4b 5a 7a 52 41 6b 6d 43 2b 76 66 48 4a 7a 4b 4c 53 33 49 46 5a 43 42 4e 69 59 75 75 4d 41 43 66 54 59 34 3d 3c 2f 48 6f 73 74 49 64 3e 3c 2f 45 72 72 6f 72 3e 0d 0a Data Ascii: f3<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>SRSZPC1J2KWNS4Q9</RequestId><HostId>hLtVw7El38g4tocZ90QGBtBBF3IUYnlCCsRUxQfIKZzRAkmC+vfHJzKLS3IFZCBNiYuuMACfTY4=</HostId></Error>
2024-10-24 16:29:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.16	49709	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-24 16:29:12 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-24 16:29:12 UTC	464	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF67) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=932 Date: Thu, 24 Oct 2024 16:29:12 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.16	49710	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-24 16:29:13 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-24 16:29:14 UTC	513	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=1021 Date: Thu, 24 Oct 2024 16:29:13 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-24 16:29:14 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.16	49711	52.149.20.212	443

Timestamp	Bytes transferred	Direction	Data
2024-10-24 16:29:17 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vHeFNeYZGfKBprR&MD=Ou7zpfur HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-24 16:29:17 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 319c7042-326f-4048-ba72-d12afcfa6891 MS-RequestId: 19919b98-c782-43c8-aa29-efd92d547271 MS-CV: AFEGl1EVSEaRn06z.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 24 Oct 2024 16:29:16 GMT Connection: close Content-Length: 24490
2024-10-24 16:29:17 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-24 16:29:17 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.16	49712	52.149.20.212	443

Timestamp	Bytes transferred	Direction	Data
2024-10-24 16:29:55 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vHeFNeYZGfKBprR&MD=Ou7zpfur HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-24 16:29:55 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 22c31252-0434-4e8a-91f3-e21815d6b299 MS-RequestId: 7797a396-4efa-483e-b7e6-5d8a59a7479a MS-CV: Bk+T9iBfkEWohY6G.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 24 Oct 2024 16:29:54 GMT Connection: close Content-Length: 30005
2024-10-24 16:29:55 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-24 16:29:55 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 6856, Parent PID: 2900

General

Target ID:	0
Start time:	12:29:02
Start date:	24/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 7084, Parent PID: 6856

General

Target ID:	1
Start time:	12:29:03
Start date:	24/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1952,i,1658265727779771746,17902262811640550139,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6544, Parent PID: 2900

General

Target ID:	2
Start time:	12:29:04
Start date:	24/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238"
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: global traffic	HTTP traffic detected: GET /appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238 HTTP/1.1Host: braze-images.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: braze-images.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vHeFNeYZGfKBprR&MD=Ou7zpfur HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vHeFNeYZGfKBprR&MD=Ou7zpfur HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: braze-images.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 56

Chrome Cache Entry: 57

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6856, Parent PID: 2900

General

Chronological Activities

Analysis Process: chrome.exePID: 7084, Parent PID: 6856

General

Chronological Activities

Analysis Process: chrome.exePID: 6544, Parent PID: 2900

Windows Analysis Report
https://braze-images.com/appboy/communication/assets/image_assets/images/644807fe4a60a8004cbd46df/original.png?1682442238