Play interactive tour

Edit tour

Analysis Report https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub

Overview

General Information

Sample URL:	https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub
Analysis ID:	356040
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected HtmlPhish_20

Phishing site detected (based on various OCR indicators)

Classification

Startup

System is w10x64

iexplore.exe (PID: 996 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 2900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pub[1].htm	JoeSecurity_HtmlPhish_20	Yara detected HtmlPhish_20	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub

SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_20

Show sources

Source: Yara match	File source: 098239.pages.csv, type: HTML
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pub[1].htm, type: DROPPED

Phishing site detected (based on various OCR indicators)

Show sources

Source: Screenshots

OCR Text: lb hUps//docs.goog|e.comdocumenUd/d2PACX-1vS36Y8R0I C;Search... determine-1217x [I - [I X JO- GjCUC1 determine-1217 Updated automatically every 5 minutes ^ I! dl N :: Microsoft a Office 365 I LI i Redirecting - Click here to Published by Google Drive - Report Abuse V lb hUps//docs.goog|e.comdocumenUd/d2PACX-1vS36Y8R0I C;Search... determine-1217x [I - [I X JO- GjCUC1 determine-1217 Updated automatically every 5 minutes ^ I! dl N :: Microsoft a Office 365 I LI i Redirecting - Click here to Published by Google Drive - Report Abuse V Mx8sjlwiw2d C;Search... determine-1217x [I X JO- GjCUC1 determine-1217 Updated automatically every 5 minutes :: Microsoft' a Office 365 Redirecting - Click here to continue W p 0 X " Published by Google Drive - Report Abuse

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49741 version: TLS 1.2

Networking:

Source: unknown

DNS traffic detected: queries for: themes.googleusercontent.com

Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://docs./url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=161400152712
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://docs.ax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://docs.google.com/
Source: pub[1].htm.2.dr	String found in binary or memory: https://docs.google.com/abuse?id=AKkXjoxmn0VxVYna4R2kMixj6xjU5UyiFnb84SzAYSNZgyuuoUgq56SJglMCAzzK8sA
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr, ~DFC597EDA9F124D6A1.TMP.1.dr	String found in binary or memory: https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCp
Source: css[2].css.2.dr	String found in binary or memory: https://fonts.google.com/license/googlerestricted
Source: pub[1].htm.2.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: pub[1].htm.2.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto
Source: css[1].css0.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/comfortaa/v30/1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4Y_LPrc.woff)
Source: css[2].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v27/4UaGrENHsxJlGDuGo1OIlL3Owpg.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff)
Source: pub[1].htm.2.dr	String found in binary or memory: https://lh3.googleusercontent.com/FCtkh_cVMnq9w0w2EefouDOYE-kLx6conTHn_lapO1sUkLA_arG-RSCq96SJ6Dsgqq
Source: pub[1].htm.2.dr	String found in binary or memory: https://lh4.googleusercontent.com/4lqrNCf-I_g3G-ZRjSCrk4CzHer9-aZGLVZMAv1E5urrkm5iZ-6srIQnL3bv29zPMl
Source: pub[1].htm.2.dr	String found in binary or memory: https://lh4.googleusercontent.com/592S7q3HqTUOgiQvkzddFGMOaqBqKIpIo48LskWavhxGbCFORGwwPJB3K3jyWmt0xY
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://sistema.grutor
Source: url[1].htm.2.dr	String found in binary or memory: https://sistema.grutorax.com.br/deliver.php
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=AOvVaw0GiDo
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=Root
Source: ~DFC597EDA9F124D6A1.TMP.1.dr	String found in binary or memory: https://sistema.grutorax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614
Source: imagestore.dat.2.dr, pub[1].htm.2.dr	String found in binary or memory: https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico
Source: imagestore.dat.2.dr	String found in binary or memory: https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico~
Source: pub[1].htm.2.dr	String found in binary or memory: https://themes.googleusercontent.com/fonts/css?kit=fND5XPYKrF2tQDwwfWZJI_esZW2xOQ-xsNqO47m55DA
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://www.google.com
Source: imagestore.dat.2.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: imagestore.dat.2.dr	String found in binary or memory: https://www.google.com/favicon.ico~
Source: pub[1].htm.2.dr	String found in binary or memory: https://www.google.com/url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors
Source: ~DFC597EDA9F124D6A1.TMP.1.dr	String found in binary or memory: https://www.google.com/url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=161
Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://www.google.comm/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCp

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49741 version: TLS 1.2

System Summary:

Source: classification engine

Classification label: mal60.phis.win@3/20@4/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93318288-7557-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF8D165E106D3995D4.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub	0%	Avira URL Cloud	safe
https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub	100%	SlashNext	Fake Login Page type: Phishing & Social Engineering

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://docs./url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=161400152712	0%	Avira URL Cloud	safe
https://docs.ax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126	0%	Avira URL Cloud	safe
https://sistema.grutorax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614	0%	Avira URL Cloud	safe
https://sistema.grutor	0%	Avira URL Cloud	safe
https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=AOvVaw0GiDo	0%	Avira URL Cloud	safe
https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=Root	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sistema.grutorax.com.br	198.57.186.221	true	false	unknown
googlehosted.l.googleusercontent.com	142.250.186.33	true	false	high
themes.googleusercontent.com	unknown	unknown	false	high
lh3.googleusercontent.com	unknown	unknown	false	high
lh4.googleusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sistema.grutorax.com.br/deliver.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://docs./url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=161400152712	{9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://sistema.grutorax.com.br/deliver.php	url[1].htm.2.dr	false		unknown
https://docs.ax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126	{9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://lh4.googleusercontent.com/4lqrNCf-I_g3G-ZRjSCrk4CzHer9-aZGLVZMAv1E5urrkm5iZ-6srIQnL3bv29zPMl	pub[1].htm.2.dr	false		high
https://lh4.googleusercontent.com/592S7q3HqTUOgiQvkzddFGMOaqBqKIpIo48LskWavhxGbCFORGwwPJB3K3jyWmt0xY	pub[1].htm.2.dr	false		high
https://sistema.grutorax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614	~DFC597EDA9F124D6A1.TMP.1.dr	false	Avira URL Cloud: safe	unknown
https://lh3.googleusercontent.com/FCtkh_cVMnq9w0w2EefouDOYE-kLx6conTHn_lapO1sUkLA_arG-RSCq96SJ6Dsgqq	pub[1].htm.2.dr	false		high
https://sistema.grutor	{9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=AOvVaw0GiDo	{9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=Root	{9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.57.186.221	unknown	United States		46606	UNIFIEDLAYER-AS-1US	false
142.250.186.33	unknown	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356040
Start date:	22.02.2021
Start time:	13:46:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.phis.win@3/20@4/2
Cookbook Comments:	Adjust boot time Enable AMSI Browsing link: https://www.google.com/url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=AOvVaw0GiDoyOTkh628z3iR_UBkW
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, ielowutil.exe, HxTsr.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 131.253.33.200, 13.107.22.200, 104.43.139.144, 168.61.161.212, 104.43.193.48, 52.255.188.83, 88.221.62.148, 216.58.212.142, 142.250.185.202, 142.250.186.131, 142.250.186.67, 184.30.20.56, 142.250.185.164, 152.199.19.161, 51.104.139.180 Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, docs.google.com, ssl.gstatic.com, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, www.google.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, www.bing.com, fonts.googleapis.com, fs.microsoft.com, fonts.gstatic.com, ie9comview.vo.msecnd.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net Report size getting too big, too many NtDeviceIoControlFile calls found. VT rate limit hit for: https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93318288-7557-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8499466969897256
Encrypted:	false
SSDEEP:	96:r4ZHZN2UWdjtdqbfdQ0DKMCvLqNRQhxfx0S6X:r4ZHZN2UWdjtdKfdQRMCGInfxcX
MD5:	8BAC526E41573A2CAD6867809E289F8C
SHA1:	D5FE50B4C0B4BCB6CF4531F3B3189CAE541515CB
SHA-256:	2590174882504E6F61E151A33E0CE48BE66C771624370A199C24220DE325F75D
SHA-512:	D11C8740FA2B8803811D31A36D3729097E63AC336DB7FDBD411EBB913EA136FD4A9648D76B1133B57C91DC52DF13486BBEC515ECDA090F5F1AF59979A02C29D5
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	38740
Entropy (8bit):	2.1911165499795384
Encrypted:	false
SSDEEP:	384:rF/xJzEUADimvNFrx0/vVWE+9/vVV2/vzB:hmFFra/qkV
MD5:	70A44A40BDDDC93B74937EEA2B161F35
SHA1:	FF2304139B1433D23D5C9D8B8F30D1E7D5346715
SHA-256:	5B6F8DA7B342BE20F5A20829087B6C6C708111F95C871C8A97D4F077892ED401
SHA-512:	D2CBB56DEE5AA2EAC847F769E29362A1B48933DB529EA8DE43CC180AD8072C24FB59F7B8E6A2A91F2BD8EAD55BA3D2088C38BC35FC5FC06C98319E1CD470B8A0
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9A5D54CF-7557-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5647969432177713
Encrypted:	false
SSDEEP:	48:IwYGcprVGwpaHG4pQDGrapbSqcGQpKqoG7HpRL7TGIpG:rsZ/Qp6nBSfAqzTVA
MD5:	F3AAF30E0EA9BA988B3222AA8C6774AF
SHA1:	FC3FF6B7B3BEE662CD192D62420148975FD12EB7
SHA-256:	72CA8EC618DCB613611C3A3E21D0CCEA04E8789AEDDB8B310D354AB8AA8EFCE0
SHA-512:	CCA4614AFD97CED38EAD98F1BA49BBFFACBAB356251A795D0E8D8BAB4BC7B7BC352640212A31AB32BEC2B8A0983E1D422E3ACC6CE8DDD93B346CD010494F8896
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	31152
Entropy (8bit):	2.9003224583168437
Encrypted:	false
SSDEEP:	96:BzshzQhzOhze8rTruQ4vIJct+MP47v+rcqlBPG9u:BwhkhyhXPH4vI6tFPqWceBPGU
MD5:	F8F41CAF30ED7E844025B007842A2CBD
SHA1:	26EB3E0EA6B4048955592D0693866AC0FD3B8BDF
SHA-256:	1C10F3654C77AF129B830F84DF443342CE3D7D270540DB9F96DF2DA662AF01C1
SHA-512:	8B466C074C72D59763B25F25B3DC5E8F97882E6A57F2D7E8C174D052BC011B26E1B20160956BA63519F28C860E06124AA17CB1209D2AA73B742CE9144491E9C5
Malicious:	false
Reputation:	low
Preview:	>.h.t.t.p.s.:././.s.s.l...g.s.t.a.t.i.c...c.o.m./.d.o.c.s./.d.o.c.u.m.e.n.t.s./.i.m.a.g.e.s./.k.i.x.-.f.a.v.i.c.o.n.7...i.c.o.~............... .h.......(....... ..... ...........................Db.B..B..B..B..B..B..B..B..B..B..B..B..B..B..Da.B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..........................B..B..B..B..B..B..B..B..B..B..........................B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..........................................B..B..B..B..B..B..........................................B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..........................................B..B..B..B..B..B.............................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\4UaGrENHsxJlGDuGo1OIlL3Owpg[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 26228, version 1.1
Category:	downloaded
Size (bytes):	26228
Entropy (8bit):	7.98323449413518
Encrypted:	false
SSDEEP:	768:DBOEuz6T0146JY/J6unqhOYK0GJenzOoyo6:DBHuea4j/vnqo304enzUo6
MD5:	6DD4AD69D53830BDF5232A13482BD50D
SHA1:	6FFF1079D7E5D02A2259CB5D7833E790239E01CF
SHA-256:	5CE48D9E9D748AD4686094D3CC33F5AE1E272A5B618F5C6D146C4D12EF02E4A6
SHA-512:	FC91E8C4EAE384D38667E330C5A5E4BF82EBAC9A23AB88439D7C22CCDD125DE7F1371DD953F18DEE60EF68B680DF49A32F684157D90F20E1DAC3BFFC9DF84118
Malicious:	false
Reputation:	low
IE Cache URL:	https://fonts.gstatic.com/s/googlesans/v27/4UaGrENHsxJlGDuGo1OIlL3Owpg.woff
Preview:	wOFF......ft.......`........................GDEF.......\.......RGPOS.......#..+..P.LGSUB................OS/2.......U...`h...cmap...........~n..cvt .......y........fpgm...$.......uo..gasp................glyf......=...m..N..head..Z....6...6..'.hhea..[.... ...$.0.6hmtx..[<.........})9loca..]....z.....&..maxp..`p... ... .>..name..`........r.i6Ppost..a<........O...prep..e....p..... ..x.U....Q.F..=#.`ZD.@@<..... "...Zp....+.c.f...).>Z.bm.Om..?...\\.zi.f.^b...[y/.........x..Z.......%......033333333...e....r......U..u.r.....sV..Z..^..c..>v..p7.x...w.i...Y.....X...N<.k...0...kc];.u......4.j...@....y."......,....#.;..........9...1....q..b..c...{....i2.H..g..:.....du.FX.].w3...{y...G....E.....~..RdX.\|.\..U.^.x!....e.\|.:.RX.Wxg....&.5....2n.Q...5.{..2....Ia.Vb%....:.Yn..QI.Z...x..Z.6..?........G..W.^#.e..#\|l2p.S+.?'.<E..<....M.H..".>..d....>n%.(..."....<"........U/z.%..=...Le.cL3.4..4..znxgX!JD%.....s....&.a..z1._....O+..g.dm.?.9Vj.1...B...8..S........ ._.E.... .[#_..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\KFOmCnqEu92Fr1Mu4mxM[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 20268, version 1.1
Category:	downloaded
Size (bytes):	20268
Entropy (8bit):	7.970212610239314
Encrypted:	false
SSDEEP:	384:LyfRPUY1e32pJd75q1DzPjsnouCrZsZtetWFNFfIP0cIWvdzNcrm:uJPb1em3dSPjKrZYtWntk0wvdzh
MD5:	60FA3C0614B8FB2F394FA29944C21540
SHA1:	42C8AE79841C592A26633F10EE9A26C75BCF9273
SHA-256:	C1DC87F99C7FF228806117D58F085C6C573057FA237228081802B7D8D3CF7684
SHA-512:	C921362A52F3187224849EB566E297E48842D121E88C33449A5C6C1193FD4842BBD3EF181D770ADE9707011EB6F4078947B8165FAD51C72C17F43B592439FFF4
Malicious:	false
Reputation:	low
IE Cache URL:	https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff
Preview:	wOFF......O,.......P........................GDEF.......G...d....GPOS................GSUB.......'......r.OS/2.......P...`t...cmap...$..........W.cvt .......T...T+...fpgm...p...5....w.`.gasp................glyf......;Q..lD..&0hdmx..H....n..... ..head..Hx...6...6.j.zhhea..H........$....hmtx..H....t......Xdloca..KD........BC%.maxp..M0... ... .(..name..MP.......t.U9.post..N ....... .m.dprep..N4.......I.f..x...1..P......PB..U.=l.@..B)..w.......Y.e.u.m.C.s...x.h.~R....R...A.J.x.l..h.a........l.m.6.1+.X....i...y....&...._..63..5....2>...x\|D...ct.Kx..H@b.3..l..#u.....L......^..4.....rP..{.......Q...JT.:Xu>..T./>...oq...........~..@.....lq../.... ..#..".&.8.H$..r...J)..jj...&..f.=.9..N9.....'F..8.4.....m...m...m.m..n..&.X..}....S.\|.....n........PHaE...J...4..MjJ.*..nW)..rn3'/.....ks5zY5c...Mgg.5..p..rR{c...p..t\.8.c=..p...X.(.......7....=.........!...H ........(.0...(.q.JT?.b..z].'T...m..vNi.....t....:P.R..H....t.........&?.:.j.51+.S.":j.SK'I.^....}S.i.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\css[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	200
Entropy (8bit):	5.177017569671991
Encrypted:	false
SSDEEP:	3:0SYWFFWlIYCT9RI5XwDKLRIHDfFS/w7fqzrZqcdaQEhUbzBwwhpE+JaroYARNin:0IFFT9+56ZN7izlpdaQEmwoNin
MD5:	299E5536FF21691E44E713F5159F0144
SHA1:	87E21E6574830098ED6148DD4C85FDDA79A190A2
SHA-256:	2A4CD4B8CB518E6C2A54DCB5AF6DD4E31C7B2DB95885618374790567B570FDDE
SHA-512:	C2AA36CD1762FAF41CDE8D1B61098B48A24E151455AA8BF995B0AC6644B123A8DC5DF7F33B64F876BC70FB7FB3DDD573EAF4FCD77D94D2E26E2C3632868C62E7
Malicious:	false
Reputation:	low
IE Cache URL:	https://themes.googleusercontent.com/fonts/css?kit=fND5XPYKrF2tQDwwfWZJI_esZW2xOQ-xsNqO47m55DA
Preview:	@font-face {. font-family: 'Comfortaa';. font-style: normal;. font-weight: 700;. src: url(https://fonts.gstatic.com/s/comfortaa/v30/1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4Y_LPrc.woff) format('woff');.}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\image2[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 383 x 76, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	12049
Entropy (8bit):	7.93004560955902
Encrypted:	false
SSDEEP:	192:CkHcS55FDTSY98UnT4oO33jhNGESADIzUcHGxepbSKECd+vw/LCem:7HcKOg8QTG3lNGESPQ8eepbTE9w/hm
MD5:	725E08D8355D5E5EF594BC7F24A201ED
SHA1:	5E0A8C9049263DCBF536D4C7578B4FBDEB7AD24F
SHA-256:	B8B87775AC7705E550594D7D55725C3B71F20EDCBA59F480F39B4C58F9678974
SHA-512:	18BB56EE5BFB5D99C636E7548D4B1AE7077E012BED84735DC370D4B63652DD8E7755D294B95D26B1D2075F916D1D116ED0BB96D312735AB6731A55F6647D56BB
Malicious:	false
Reputation:	low
IE Cache URL:	https://lh4.googleusercontent.com/592S7q3HqTUOgiQvkzddFGMOaqBqKIpIo48LskWavhxGbCFORGwwPJB3K3jyWmt0xYjvSY2UR7CZhkg-926OjSMhfal75tLD0ppJ97g17xceT_YJ2MgwMCMh2R9lfOYiUNwJgL9DmQ8
Preview:	.PNG........IHDR.......L............sBIT....\|.d... .IDATx..}{.\E.....L2!...!..yDB..(.+.>We}.....?M.!..G&.]sgB....,.]qQW.."...../H.YP^!....&......{{nWW...=.....N.[u.so.>Uu.T.=.zL.N..{...........+'L.S.f.n."pQ^.......zd.!.H..8V.VYs....$.I.......P...p2..^(..i..D..._..E...R.#.D.L...8P._B...K.(..<.....=...2d.s..$....?..V:U../..0h8..U..k..l".......>dC..%C...^.h....F..R.5....\.3d..6..!..J..c"..l..x.)..k.....U.h..&..d.,t...<....?....2d...@..c.C\.:m;.....2.cJ...W-.^.U.w..jwO...s.d......b.F.F.4..&.H.z&.2d..JC......n..A...2.f<...Q3e~R.\|.?1.>#il.\K6.J.C.zg....2.B0..S.IcI...t.......n..-w.....'.&.......Yw C....(gN.V.8..A..'5.]i.Mz. C.Ao..+C.... .\|..h.JU.:1..V....e.1wP.h.y..h....o..y....C...^.2d..Zk....o...B.0...R....v..;\|./.N..>..gtnk..ha..,.T..`b.T...1-...)...}.....6.B.U..n.DV.?.[.4s.g......D.."r....N".I.@D.....(".-Z...mmm.....gU....@...&l......_..}s.9..1. Vid.!...g{.y.k./"...CD.,.....#"S.\.`...rdO.?Dj.?&.MV...1.rU.s2...In....L6W..H....Ck..`.1c....\..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\image3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 657 x 477, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	29387
Entropy (8bit):	7.922876676354205
Encrypted:	false
SSDEEP:	768:OPO3ZDhE75ouUQLxayXkuWvz0k2myVg+OBd6BYivMi7LNCA:OPcFhcokEugOOBwJUidCA
MD5:	531849F0619292487D853DD849FCF7E0
SHA1:	5B2BB8260E32AC1A42B53554CCD6CD94444BEFC6
SHA-256:	B78D196123C38608C682D18044393EE9ED9B856F2B714FAC148EC70BFBC13413
SHA-512:	A9C2AA4DC9B31768B15B08BA3F2565CDC38762DAAE2E87F784B050D2BCA7860192FD664F4201F99053031B941D1CF856D0E73D08D6F2574D80C2ADF7A5C6EE4F
Malicious:	false
Reputation:	low
IE Cache URL:	https://lh4.googleusercontent.com/4lqrNCf-I_g3G-ZRjSCrk4CzHer9-aZGLVZMAv1E5urrkm5iZ-6srIQnL3bv29zPMlpUBQWj5ytAEAT5v7oOq4QJUkQeGVggtZOPl1H3A1MKCWmkAnLJsliSgdV0_yyZGkrYG797Rlg
Preview:	.PNG........IHDR.............EY"A....sBIT....\|.d... .IDATx...y.\W}.....^.y.d..%!z..e0..#l..2.Fx....!..,.L.6..L..d2.d.d..B./$.!.I.!^...U..[h..Z.Z.eYkw....!....VW...~..G..V.{?R..>u.=.H...@F.w..@u.W..,....6.<x.'J..ozx...y....(......Z.......!..&...."..s../.l...n...y$.....%..&....ln.....t.L.f:.k.)>!.{..6.._....&-.FC.....T.^..`..laU..:j....!....j}..-[F.rl.......@.w.E..p....YK....S.......Ovl..U.....(..P......J7.e...;?. .....3.0..;..f=..4.,...%.../[.\.q...n..k...yg.n..T......!y..o...3....H.....=K......]"YS.........L....n...<.\.j....9._X....cz......yg..?%.............N..6(..0..-k...O]...{.WK.yg...}2m..zSz.Zf......c...J$.........?..g.G...............;...Q"..F.u.......yyg....f...MOt.....w,.g....U.{...MS.\...X..j.....~.][,.&..7.?=.og).X.^.%....@o...6Yr...y...}..6..1.M.........w../G.....+,.......Z..ygj8..%.f.....d.&.:...%..2.*,....!..w.k..w5.........cmswl........(...:\.}+:..$.]..ezG. ....6..&....':.v..;.0YP"..U.^.tfS....f..F.)yg.s.]...6.D..Y.?.w&

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pub[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	27552
Entropy (8bit):	5.599495403334055
Encrypted:	false
SSDEEP:	768:eXSFQp52xbbSBhyseWv/qUKTRAaUy/d3Lq2h:QSwqbbChyuqUKnU+h
MD5:	B7580D63B1D39780442FC9B04A46CDF1
SHA1:	63F54A69C62E23062802A11323A1A7EC40233CB4
SHA-256:	ECB8DFB88C6FBED4FB520BF0BE78DB5CA9B0A7275CE9E3D325F0910E540A5BEC
SHA-512:	AA7CDF009BF5AABDA3DBA55705473CD720F0EE6E7137EB69B657B4AE2149BB8688AD8B8E3305400C831DF4DB6EFA22E3F6B58803577BB3F7E47957D576828EA7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_HtmlPhish_20, Description: Yara detected HtmlPhish_20, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pub[1].htm, Author: Joe Security
Reputation:	low
IE Cache URL:	https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub
Preview:	<!DOCTYPE html><html><head><title>determine-1217</title><link rel="shortcut icon" href="https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico"><meta name="referrer" content="origin"><style type="text/css" nonce="PJ8GwJK7vvCOrJ7BCnxWOw">. @import url("https://fonts.googleapis.com/css?family=Google+Sans");. @import url("https://fonts.googleapis.com/css?family=Roboto");.. body {. font-family: Roboto, arial, sans, sans-serif;. margin: 0;. }.. iframe {. border: 0;. frameborder: 0;. height: 100%;. width: 100%;. }.. #header {. align-items: center;. background: white;. border-bottom: 1px #ccc solid;. display: flex;. height: 60px;. justify-content: space-between;. position: fixed;. top: 0;. width: 100%;. z-index: 100;. }.. #header #title {. font-family: 'Google Sans';. font-size: large;. margin: auto 0 auto 20p

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4Y_LPrc[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 61388, version 1.1
Category:	downloaded
Size (bytes):	61388
Entropy (8bit):	7.993967349078421
Encrypted:	true
SSDEEP:	1536:hhX7ypR+h5H9tqSqyA77uzVYx82cApc4jyQCbRzGo+MV:hpypRs9tJTe7CYizPbVN
MD5:	CFB5C0742DA82A266683A456BD187A65
SHA1:	72AC8AE58D8D0C0D3993AA0E0CA10FA73DD368CF
SHA-256:	BEC58022290FCB93EF158217B1E44E84D157676661F32397C24325F7075B95FE
SHA-512:	CC7D93AB38DECC9253E152AFFF6DE65E14187D2EC0B50471645CA64468451C3947A586BE3B917B082F0AB98FDDC0FCC96DCDD9CF16CB3253A6C65B585783B4C1
Malicious:	false
Reputation:	low
IE Cache URL:	https://fonts.gstatic.com/s/comfortaa/v30/1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4Y_LPrc.woff
Preview:	wOFF........................................GDEF.......;....3..GPOS......&.....$..MGSUB..).........W.I.OS/2..+....P...`i.M.STAT..+....&...y.kIcmap..,........:{...cvt ..2....?......%4fpgm..3..........6..gasp..9.............glyf..9.......HD...Jhead...X...6...6..}.hhea...... ...$...Mhmtx......=....N..tloca..............maxp...... ... ...8name.......9....;.Y.post...........n5.prep... ........1H~.x...3..P.E.=.m.N..m..m.el41..ul'O......Ls...D...;.'rW..cl.N.5......~..?...W..X.kbm....;......(.[}...8;.>?...(...x...E..W...x...C..O..>.....b.'c.g`..+..c1....T...VW...ZXW....bcu....5..i.......8R#q...4M.Y..s4..i....\.E.L.p........._....;..?LQ..).<.E>,...E....1...d.s.Y1r5r..y.Ct.N.9.F7....%V.M..'.}.-.F..x....dI.E.......06..m.m.m.m[.c+N...-I.../}v./R."a..<z..0..\....T.H.r.P.B9....0...?......O..4..6.k....l....)z..r...):..;7...../.t..h........^Q.M)...+.RJ^r.wBw......7]?...O.q....$t.w.}..[.?...U..2...nx...nG...x..q..Y...W=......M2=.N/k..^./....u..{[..O.O.....3OFC

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\image1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 272 x 93, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	18614
Entropy (8bit):	7.979504934178646
Encrypted:	false
SSDEEP:	384:Vm5PquWXN88M8o0fXOJ5n4RxcJBhfmk6sdddN3OIsTpt8+:V5vo9G84jcJLfmk6sdd/cptH
MD5:	0E3159ED1CEE1DF6B6A60296D3B18AAC
SHA1:	E002ACC6972C907FFD019D02D8CA7920FF22F932
SHA-256:	55E029B8C2321F0511F2B35A30EB2293A84C7AC9495AC27C611DD7759AFFE4D6
SHA-512:	6762EE042B89581A99ED9B08A35750DBE35F33CC72C30028696F94B1DC6FA5A3D733221DA5F707D8813920911A42AC607706D53056417E2EEB1ACA0B2CCBD6C8
Malicious:	false
Reputation:	low
IE Cache URL:	https://lh3.googleusercontent.com/FCtkh_cVMnq9w0w2EefouDOYE-kLx6conTHn_lapO1sUkLA_arG-RSCq96SJ6DsgqqVWiXiJCCzuTPizqbHocOwbMXoUwK6Y9cclsPnDcIvwaJtunw6rWNOeV1DCKq6I3kSU0Y1ai4A
Preview:	.PNG........IHDR.......].....m.9.....sBIT....\|.d... .IDATx..w.\.y..>..Swgwggf{_u...B.^l0.1....&.I....7N.........!.cL..b........Bt.wW..N.{..U;.EZ...K.jo9..<......w.'..O..F..fe...Q...\|.?...\|..7a.........\....]97IaU..o...F....V3.....y...O...\|.U...Q......C..B.jM.!.G.GicGO..)..fjs..d>..@..;.#F.\...4.9....C)...L.mRhn.D..9..R.h..../...w......>....%;..6.,.MH.R\-.pjB......N...=.~.+5.................tu.f9r....[...W...w..........s.i5\|~...#}.e.px\.Z../M.-..V..B..O...~.?..C%k.z..Dh.n..Sri..%pH].....).......5..]yV<~...(0....].LS..kOH)..#h.b.\.%.@).U)c..y.R.V...C?...9k....O.Zr...$z.&...Se8....c...c.. 9g-....m....5.....k4..V+..zAZ./.TZH...p8....h%J!xM..s..D..Q...muE..M}..-.[../..r........../Od..D..S....xc.....x...m...^%..wH.:)...GFV.(Rz..i=.Ss..........H$.%.9..e ...g.w.........5..Pz.\|-.*dX.RH..y.!.....3L...lH...#W......B.(.......+..nG......g.p.-W..O&r.d.P...X'Pk..t[..p..N.5'.R.t.,._.:v.r.{.j...HK.\8.W;...i...n.K..\..D..[7K{...1..Qd..0j,.oC.u[4...&:.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\url[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF, LF line terminators
Category:	downloaded
Size (bytes):	385
Entropy (8bit):	5.245699587623391
Encrypted:	false
SSDEEP:	6:wBzkrQWR0iYBtqW3kUWPq2JlKIOhlKX0nxSk7uR1lKX0n+i71QrizYhlKX0nzYP:4krY1trWPqf9lKOa1lKO+yQrphlKOzW
MD5:	2CAC2C892785EBED250299E211CEA207
SHA1:	C5D1BC01ED9231537522A9E779D44540686AC2BE
SHA-256:	62ECD67771DE62B2C2646A6FA1E67D193227D899448819D93301B1D761904CF4
SHA-512:	D5B17CA7B9C9F57701473F049BCA0838CEC26A59719FAA98D4D523D1A69C0EA9FB38CA3C668F3DD5F1E5BDD9AE2772A02551A3E1BDE864C577CC38077F614B71
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=AOvVaw0GiDoyOTkh628z3iR_UBkW
Preview:	<HTML><HEAD>.<meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>Redirecting</TITLE>.<META HTTP-EQUIV="refresh" content="1; url=https://sistema.grutorax.com.br/deliver.php">.</HEAD>.<BODY onLoad="location.replace('https://sistema.grutorax.com.br/deliver.php'+document.location.hash)">.Redirecting you to https://sistema.grutorax.com.br/deliver.php</BODY></HTML>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\css[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	175
Entropy (8bit):	5.036499950322848
Encrypted:	false
SSDEEP:	3:0SYWFFWlIYCzHRiRI5XwDKLRIHDfFRWdFTfqzrZqcdAqsKTFEfENRgVoYARNin:0IFFli+56ZRWHTizlpdAxIFGVuNin
MD5:	941B0F885D63EB60090D1DE0B493F1E2
SHA1:	456CBAE17E153391F0745E190A2FE44B9AD39A20
SHA-256:	4B1CEC019735D77E1DCB6911A520BFA438A2B5E027BD2799DE1EB83F2A110659
SHA-512:	01572411E7BA21E1B6FDCF7DFB6BA4BB17D14D8EAD7DE76018FE98753AA3DF5939A3B9DA46BE4EFB30041CDA5BA869B08F2658A134D0ABD738AB0C6B1F2F83EE
Malicious:	false
Reputation:	low
IE Cache URL:	https://fonts.googleapis.com/css?family=Roboto
Preview:	@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. src: url(https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff) format('woff');.}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\css[2].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	256
Entropy (8bit):	5.0467196072933
Encrypted:	false
SSDEEP:	6:U+4OUr940FF/5+56ZRWHTizlpdAqoSENin:UJO6940FF5O6ZRoT6pWqoSEY
MD5:	B32DCA61F65F0FBBB5C2BAFFFA93DEC6
SHA1:	8A003419BFC888A206D39568184924AE04132779
SHA-256:	104B5902DA8676DD427E84A0C0D78B98A0DABA5A889BD39FF20776A8B802E502
SHA-512:	2CA56DF9F7C13D390E50A83718918B0C0B2CC729E780E44A686AC454F3C7762DB79310DCE2E8545001E8EF5B6D166C7185F1A3A29481A2DB856B8BD70ED37D13
Malicious:	false
Reputation:	low
IE Cache URL:	https://fonts.googleapis.com/css?family=Google+Sans
Preview:	/. See: https://fonts.google.com/license/googlerestricted. */.@font-face {. font-family: 'Google Sans';. font-style: normal;. font-weight: 400;. src: url(https://fonts.gstatic.com/s/googlesans/v27/4UaGrENHsxJlGDuGo1OIlL3Owpg.woff) format('woff');.}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\kix-favicon7[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 4 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
Category:	downloaded
Size (bytes):	24838
Entropy (8bit):	2.2699128030598548
Encrypted:	false
SSDEEP:	12:vqUaRqwaRQnaRgnaRqwaRSC2mxiUkatcQaxbgdUeZeZY8rTrivkqoeZhcEay:CUODTuXC2mxTgxCV8rTruBHhSy
MD5:	833F495423709EE4A2C87EE1E4C2A7AA
SHA1:	E2CB41D31524366260AE3DA9A6A33ED67D2514FF
SHA-256:	D40E9376B2F8C8FA5E0372C3DDACB5F6044539CF1D264BBCBEE8057DAF71ED96
SHA-512:	BE6843273049316C87962417FBE97719DFDF1C81B1B1CD9A3AA41DA3A4DB2EDFB8843A261DB7D11FD6B7493763845D1883F4749BE9566D6F2ED836EA9C2042D3
Malicious:	false
Reputation:	low
IE Cache URL:	https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico
Preview:	............ .h...F......... ......... .... .....6...@@.... .(B......(....... ..... ...........................Db.B..B..B..B..B..B..B..B..B..B..B..B..B..B..Da.B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..........................B..B..B..B..B..B..B..B..B..B..........................B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..........................................B..B..B..B..B..B..........................................B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..........................................B..B..B..B..B..B..........................................B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..B..

C:\Users\user\AppData\Local\Temp\~DF8D165E106D3995D4.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4802844706621096
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loW9loG9lWLplBLv:kBqoIRX9lh
MD5:	4BC594F8DDB646ABE45BDD0ED577BCFD
SHA1:	9BA74D0F29A8FFD695BA1FA304F6B035FFAD6910
SHA-256:	D36278CB1378BF4B5317425ED14F7D39AAAF190791747F2A2BCBDCE31507DA82
SHA-512:	E0CC74272258A8524E8A5518B512FED7A9ACE79EC9DACC1029D7C2126784954D2E19F39E046357D70CCA358E9AE50D9EF30C8B828CD3544E13CFF643AB48E4C6
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBD9FE092F92641A9.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.2879420929574197
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAVX0X:kBqoxxJhHWSVSEaby
MD5:	36596CACD520D8F7144D4A8CB75643F7
SHA1:	8723A12E9A8A0AF5951AF4E515698B2CD0C9DD62
SHA-256:	AC425D4E10B51CFB1FA6DCDFB271B4DD53E6243ECED374250F225B0EB4FECEFD
SHA-512:	241C765910992B23FDCAA256DB651F3F8DFCC669D4926D1F55EAC962763209693B74719E3FEA65F10B9661660A617080A379071F460B25E4C4172BC52B6F5A8E
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC597EDA9F124D6A1.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	48809
Entropy (8bit):	0.6443837718611066
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+QWMNWZVU4U1hyU6UCtUdKVUoAY5jYT5:kBqoxKAuqR+QWMNWZiTvNFr0iot5UT5
MD5:	E2B3411C19850115607E7DEB6E81AE55
SHA1:	8A7FB30D3B36D6AE0F8AC195344DE8A4AEDD127A
SHA-256:	4E2DFF000E54ED8C7129669780336A6CC00FB289BC8BBC7768CA4CF8104860C0
SHA-512:	E9A39DF49942F26A2D4F400F08CBB2903F88D1596658AA22EB50E197BBC772C90E5A6FA57FD4AA677CDC17EC0796C1CF6DD48D50347722515B34C10BC0A27CD6
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 13:47:42.843142986 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.844665051 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.846417904 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.846636057 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.847922087 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.848042011 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.891593933 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.891690969 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.892630100 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.894856930 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.894948959 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.895775080 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.895833969 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.895912886 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.896183968 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.896212101 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.896255970 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.896378040 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.897777081 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.897876978 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.904458046 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.904592037 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.904628038 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.909485102 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.940928936 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.944108009 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.947987080 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.948012114 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.948026896 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.948043108 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.948054075 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.948076963 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.948890924 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.951179981 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.951209068 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.951227903 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.951246023 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.951297998 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.951338053 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.952976942 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.955667019 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.955689907 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.957799911 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.958120108 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.958318949 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.958770037 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.958906889 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.959026098 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.959059000 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.960130930 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.960154057 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.960170984 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.960186958 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.960199118 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.960242033 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.962675095 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.962702036 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.962718010 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.962774992 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.962794065 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.962819099 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.962866068 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.963296890 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.963315010 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.963335991 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.963352919 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.963356018 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.963388920 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.963445902 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.964932919 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.965008020 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.965017080 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.965039968 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.965058088 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:42.965121031 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.965135098 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.965138912 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.965468884 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.965908051 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.966466904 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.966872931 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.969964027 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.970381975 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.971132994 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.971517086 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.971852064 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:42.972348928 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.009294033 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.009325027 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.009351015 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.009371042 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.009376049 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.009414911 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.009464025 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.009479046 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.009773016 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.009843111 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.009865046 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.009910107 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.010364056 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.010373116 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.014720917 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.015876055 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.016129971 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.016191006 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.016194105 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.016233921 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.016305923 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.016347885 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.017035007 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.017338991 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.019051075 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.019079924 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.019098043 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.019109964 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.019117117 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.019432068 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.019443035 CET	49722	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.020324945 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.020347118 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.020399094 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.020438910 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.020642996 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.020776987 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.021158934 CET	49727	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.021657944 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.021678925 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.021753073 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.021754026 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.021792889 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.021797895 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.022490025 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.022579908 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.022588968 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.022653103 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.023053885 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.023133993 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.023159027 CET	49725	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.023550034 CET	49723	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.058871984 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.064137936 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.067806005 CET	443	49722	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.069468975 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.074421883 CET	443	49727	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.079305887 CET	443	49723	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.079466105 CET	443	49725	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.143589973 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.143624067 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.143642902 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.143660069 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.143687010 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.143712997 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.147001982 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.147032976 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.147088051 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.147126913 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.150367975 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.150397062 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.150439024 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.150469065 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.153811932 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.153850079 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.153892040 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.156160116 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.157172918 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.157212973 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.157241106 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.157258034 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.160583973 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.160612106 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.160835981 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.163989067 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.164022923 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.164073944 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.164093018 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.164345026 CET	49724	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.189261913 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.189307928 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.189332008 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.189346075 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.189352036 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.189379930 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.189420938 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.192584991 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.192620039 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.192656994 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.192682981 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.196012020 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.196065903 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.196075916 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.196111917 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.199384928 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.199415922 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.199568033 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.202778101 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.202812910 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.202856064 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.202882051 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.206131935 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.206161022 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.206199884 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.206223011 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.209558964 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.209594965 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.209687948 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.212744951 CET	443	49724	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.212821007 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.212891102 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.237699986 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.237726927 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.237772942 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.237796068 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.239408016 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.239434958 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.239465952 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.242789984 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.242819071 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.242845058 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.242878914 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.246222019 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.246252060 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.246296883 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.246320963 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.246690989 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.249557018 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.249588013 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.249619961 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.249641895 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.253015041 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.253055096 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.253108978 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.253132105 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.256361008 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.256397963 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.256428957 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.256458044 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.259761095 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.259797096 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:47:43.260241032 CET	49726	443	192.168.2.5	142.250.186.33
Feb 22, 2021 13:47:43.294923067 CET	443	49726	142.250.186.33	192.168.2.5
Feb 22, 2021 13:48:03.170290947 CET	49740	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.170317888 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.353754997 CET	443	49740	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.353781939 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.353868008 CET	49740	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.353918076 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.355197906 CET	49740	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.355492115 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.538676023 CET	443	49740	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.538788080 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.542156935 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.542181015 CET	443	49740	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.542192936 CET	443	49740	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.542201996 CET	443	49740	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.542215109 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.542223930 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.542332888 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.542433977 CET	49740	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.542457104 CET	49740	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.543632984 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.555727005 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.556659937 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.563060999 CET	49740	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.740750074 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.740967035 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.749710083 CET	443	49740	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.749821901 CET	49740	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.780376911 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.802350044 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.802459002 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.807432890 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:03.807564974 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:03.868493080 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:04.052089930 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:04.055861950 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:04.055980921 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:09.060528040 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:09.060597897 CET	443	49741	198.57.186.221	192.168.2.5
Feb 22, 2021 13:48:09.060632944 CET	49741	443	192.168.2.5	198.57.186.221
Feb 22, 2021 13:48:09.060751915 CET	49741	443	192.168.2.5	198.57.186.221

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 13:47:28.579488039 CET	53	54795	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:29.081240892 CET	49557	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:29.130018950 CET	53	49557	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:29.213445902 CET	61733	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:29.270680904 CET	53	61733	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:30.177751064 CET	65447	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:30.231750965 CET	53	65447	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:31.330466032 CET	52441	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:31.389437914 CET	53	52441	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:32.383229017 CET	62176	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:32.432071924 CET	53	62176	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:34.732259989 CET	59596	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:34.783767939 CET	53	59596	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:36.261358976 CET	65296	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:36.312880993 CET	53	65296	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:37.544635057 CET	63183	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:37.603614092 CET	53	63183	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:40.839432955 CET	60151	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:40.890913963 CET	53	60151	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:41.899943113 CET	56969	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:41.951435089 CET	53	56969	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:42.125833035 CET	55161	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:42.196686029 CET	53	55161	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:42.737571955 CET	54757	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:42.743611097 CET	49992	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:42.759917021 CET	60075	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:42.771945953 CET	55016	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:42.806308985 CET	53	54757	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:42.823281050 CET	53	49992	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:42.838263988 CET	53	55016	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:42.841267109 CET	53	60075	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:43.041116953 CET	64345	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:43.118774891 CET	53	64345	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:43.191967010 CET	57128	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:43.240489960 CET	53	57128	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:43.527733088 CET	54791	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:43.595779896 CET	53	54791	8.8.8.8	192.168.2.5
Feb 22, 2021 13:47:58.134505987 CET	50463	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:47:58.196333885 CET	53	50463	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:00.391664028 CET	50394	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:00.440352917 CET	53	50394	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:02.617014885 CET	58530	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:02.668056011 CET	53	58530	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:03.110430002 CET	53813	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:03.167943954 CET	53	53813	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:07.579848051 CET	63732	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:07.631057978 CET	53	63732	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:08.588836908 CET	63732	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:08.639566898 CET	53	63732	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:09.604624987 CET	63732	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:09.632874966 CET	57344	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:09.653196096 CET	53	63732	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:09.681458950 CET	53	57344	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:11.633071899 CET	63732	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:11.684047937 CET	53	63732	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:11.862690926 CET	54450	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:11.914146900 CET	53	54450	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:12.871073008 CET	54450	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:12.924257994 CET	53	54450	8.8.8.8	192.168.2.5
Feb 22, 2021 13:48:13.870352983 CET	54450	53	192.168.2.5	8.8.8.8
Feb 22, 2021 13:48:13.921763897 CET	53	54450	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 13:47:42.743611097 CET	192.168.2.5	8.8.8.8	0xb2da	Standard query (0)	themes.googleusercontent.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:47:42.759917021 CET	192.168.2.5	8.8.8.8	0x6715	Standard query (0)	lh4.googleusercontent.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:47:42.771945953 CET	192.168.2.5	8.8.8.8	0x1674	Standard query (0)	lh3.googleusercontent.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:48:03.110430002 CET	192.168.2.5	8.8.8.8	0x9634	Standard query (0)	sistema.grutorax.com.br	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 22, 2021 13:47:42.823281050 CET	8.8.8.8	192.168.2.5	0xb2da	No error (0)	themes.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 13:47:42.823281050 CET	8.8.8.8	192.168.2.5	0xb2da	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.33	A (IP address)	IN (0x0001)
Feb 22, 2021 13:47:42.838263988 CET	8.8.8.8	192.168.2.5	0x1674	No error (0)	lh3.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 13:47:42.838263988 CET	8.8.8.8	192.168.2.5	0x1674	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.33	A (IP address)	IN (0x0001)
Feb 22, 2021 13:47:42.841267109 CET	8.8.8.8	192.168.2.5	0x6715	No error (0)	lh4.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 13:47:42.841267109 CET	8.8.8.8	192.168.2.5	0x6715	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.33	A (IP address)	IN (0x0001)
Feb 22, 2021 13:48:03.167943954 CET	8.8.8.8	192.168.2.5	0x9634	No error (0)	sistema.grutorax.com.br		198.57.186.221	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 22, 2021 13:47:42.948043108 CET	142.250.186.33	443	192.168.2.5	49722	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jan 26 10:05:02 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Apr 20 11:05:01 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.948043108 CET	142.250.186.33	443	192.168.2.5	49722	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.951246023 CET	142.250.186.33	443	192.168.2.5	49724	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jan 26 10:05:02 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Apr 20 11:05:01 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.951246023 CET	142.250.186.33	443	192.168.2.5	49724	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.960186958 CET	142.250.186.33	443	192.168.2.5	49726	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jan 26 10:05:02 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Apr 20 11:05:01 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.960186958 CET	142.250.186.33	443	192.168.2.5	49726	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.962794065 CET	142.250.186.33	443	192.168.2.5	49723	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jan 26 10:05:02 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Apr 20 11:05:01 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.962794065 CET	142.250.186.33	443	192.168.2.5	49723	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.963352919 CET	142.250.186.33	443	192.168.2.5	49725	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jan 26 10:05:02 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Apr 20 11:05:01 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.963352919 CET	142.250.186.33	443	192.168.2.5	49725	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.965058088 CET	142.250.186.33	443	192.168.2.5	49727	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jan 26 10:05:02 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Apr 20 11:05:01 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:47:42.965058088 CET	142.250.186.33	443	192.168.2.5	49727	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:48:03.542192936 CET	198.57.186.221	443	192.168.2.5	49740	CN=sistema.grutorax.com.br CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Jan 21 04:24:15 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Wed Apr 21 05:24:15 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:48:03.542192936 CET	198.57.186.221	443	192.168.2.5	49740	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:48:03.542215109 CET	198.57.186.221	443	192.168.2.5	49741	CN=sistema.grutorax.com.br CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Jan 21 04:24:15 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Wed Apr 21 05:24:15 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 22, 2021 13:48:03.542215109 CET	198.57.186.221	443	192.168.2.5	49741	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 996 Parent PID: 792

General

Start time:	13:47:36
Start date:	22/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6d2ed0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 2900 Parent PID: 996

General

Start time:	13:47:40
Start date:	22/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2
Imagebase:	0x1e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

Signature Overview

AV Detection:

Phishing:

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 996 Parent PID: 792

General

Chronological Activities

Analysis Process: iexplore.exe PID: 2900 Parent PID: 996

General

Chronological Activities

Disassembly