Play interactive tour

Edit tour

Windows Analysis Report http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip

Overview

General Information

Sample URL:	http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip
Analysis ID:	438548
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Potential browser exploit detected (process start blacklist hit)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

iexplore.exe (PID: 900 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5340 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:900 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

unarchiver.exe (PID: 6004 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip' MD5: DB55139D9DD29F24AE8EA8F0E5606901)

7za.exe (PID: 3124 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\5g3nu0sr.qil' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 4256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 0286099Bh		11_2_028602A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 0286099Ah		11_2_028602A8

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\SysWOW64\unarchiver.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 3134 WEB-CLIENT PNG large colour depth download attempt 198.71.233.254:80 -> 192.168.2.5:49698
Source: Traffic	Snort IDS: 3133 WEB-CLIENT PNG large image height download attempt 198.71.233.254:80 -> 192.168.2.5:49698

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKAccept-Ranges: bytesAge: 1495Cache-Control: no-store, no-cache, must-revalidateContent-Encoding: gzipContent-Length: 150Content-Type: text/html; charset=UTF-8Date: Tue, 22 Jun 2021 16:03:46 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTPragma: no-cacheVary: Accept-EncodingX-Backend: localX-Cache: cachedX-Cache-Hit: HITX-Cacheable: YESX-Content-Type-Options: nosniffX-Xss-Protection: 1; mode=blockData Raw: 1f 8b 08 00 00 00 00 00 00 03 35 8d 41 0a c2 30 10 45 af 12 b2 49 bb 48 72 00 d3 82 82 8b 9e c0 f5 98 09 3a 38 4d 4a 32 2d e8 e9 b5 50 77 8f 0f ef bf 80 b4 29 c2 41 33 6b 85 20 60 6b 1d b4 9f 6b b3 f6 05 5b c9 36 16 4e 16 b1 79 2c 71 9d 53 96 e6 3e b4 e8 31 f8 9f 3a 86 16 2b 2d 32 72 89 20 54 b2 5b 40 9e 19 e6 a4 06 f5 17 dc 23 c9 95 d3 8e 97 f7 84 9d 61 36 fd 3e 9e 45 2a dd 57 49 9d 39 d2 a6 3f 05 7f 5c de 80 c4 39 f7 05 0e 83 a9 28 a2 00 00 00 Data Ascii: 5A0EIHr:8MJ2-Pw)A3k `kk[6Ny,qS>1:+-2r T[@#a6>E*WI9?\9(
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKAccept-Ranges: bytesAge: 429595Cache-Control: must-revalidate, post-check=0, pre-check=0Content-Description: File TransferContent-Disposition: attachment; filename=Content-Length: 149509Content-Transfer-Encoding: binaryContent-Type: application/octet-streamDate: Thu, 17 Jun 2021 17:08:46 GMTExpires: 0Pragma: publicX-Backend: localX-Cache: cachedX-Cache-Hit: HITX-Cacheable: YESX-Content-Type-Options: nosniffX-Xss-Protection: 1; mode=blockData Raw: 50 4b 03 04 14 00 00 00 08 00 ec 5e d1 52 79 5e b6 d1 59 47 02 00 36 6f 02 00 13 00 00 00 61 69 6d 2d 31 32 37 36 36 39 37 37 38 35 2e 78 6c 73 62 ec 5a f5 77 dd cc 11 f5 67 66 c6 98 99 99 e1 33 c4 cc f8 cc 10 73 cc cc 0c 31 43 e2 18 62 66 7a 66 66 3b 31 26 66 86 98 99 99 b9 56 e1 f4 b4 a7 fd 0b 5a fd 70 df 48 7b ef ec 48 bb 9a 1d 49 4f 45 1e 0a 1a 1b 02 16 02 1e 02 02 82 1c 82 a4 72 a2 eb e4 0f 08 88 25 38 08 08 2c 08 78 48 3d 71 07 7b 57 73 7b 57 23 0d 2f 47 73 17 03 16 4f 3b 5b b2 3c 68 48 ba 1c 08 48 88 ff 6f ff d3 5b 3b e8 87 d2 12 1b 7a 87 d6 81 88 44 67 de 7c 1b 11 18 fc 9b 29 1c 12 33 1c 97 aa c4 9b e7 fc a8 bf bb 86 d9 27 f0 68 95 f3 26 cc 2e d2 bd 47 aa a4 83 ca 29 e1 76 65 38 9d c0 c7 69 b6 a1 c8 33 18 bd a1 0e 27 fd 92 80 f1 fb ac 92 55 5b e5 7c 55 db d0 05 23 23 85 5c 59 81 13 2e 43 63 d0 cf d1 e4 6c 11 e6 13 1e 12 13 b1 8f 84 8c b3 64 0f 0e ef 7b 5b 83 34 a5 4e 84 b4 1f 6a 9d 73 93 64 86 aa 71 0d 67 d1 9c 51 36 5c 79 1e 29 ac 2d 31 98 92 bf f1 cd 3b 3b a1 32 de 7f ac 6e de db bb e6 49 f0 b1 d3 39 f7 7b 34 4a 00 7f bb 5a d9 d3 a5 80 61 c8 2a df b0 63 ca 2d fb 71 36 0f 41 46 1b 88 4c b8 32 28 d0 8c c4 78 8a 32 ce 9a a0 dd 6b e8 ef 30 07 e5 bf 5c 74 37 f9 f8 1c 01 41 83 4a d6 f3 79 65 c7 e0 86 df e5 fd 4e b5 69 be 9f 10 b9 29 2a 5d 01 6b b8 cb 89 d3 9c 46 79 0e 0e 36 2f c7 9a f2 42 02 67 1e e7 c6 c2 a7 70 5b 09 ec 7b 1e e5 b0 98 ea 0e 27 47 38 a5 a0 0e d6 ea 86 87 41 86 3d 9a 5f e8 2c 21 fe 03 18 99 fa df 85 b1 ec 26 14 c6 68 72 5f aa 89 e8 af 27 32 fc 63 b6 eb 2f 9b 58 47 f7 5f e9 47 a9 52 f3 a3 42 b8 56 c9 2e dc 46 07 16 b9 b9 e7 3f 90 2c 59 17 da a8 54 fa db 5a 3d 78 15 79 11 87 43 19 e0 39 99 92 29 d5 d8 44 e3 97 7a db 9a 41 b8 45 07 35 36 5b 0d 07 40 49 43 0b b1 53 86 ea 89 2a 60 9a 54 0b 5b 98 f5 c7 46 0b 07 6a 78 b1 e9 f6 c0 5d 51 06 95 92 65 bb 48 3c f7 0c c8 cf 63 75 a8 f7 8a 85 8a 8b c7 59 4d 05 7c 80 bf 5e 57 74 14 9e b4 c2 fe e0 cd d9 65 7f 82 60 e0 4d 11 1c f8 ce 7d f1 b1 d3 7f 85 7e b2 85 dd c0 91 ed cf cf a3 72 30 d6 f1 8d 3f 2d 2f 2f 60 20 20 5e 5f a1 20 fe 35 4d 88 07 6f f6 dd be 59 0a 6f 59 00 e9 2d 4d 18 39 9b db ba b0 b2 00 f8 ff f4 f0 ff 0d d8 62 12 c6 94 7a d8 90 fb 4f 65 da c5 b7 1e 0f ec 65 e0 73 1b da c8 0a 96 d1 19 d0 d6 a8 ed 09 1b 62 f3 a9 44 6f 6f cc 68 4b b8 1a 89 9f 4f 2f c7 b2 db 97 47 a6 4a 3a f9 24 18 2b 83 dd 54 83 4d 8a fb b4 e7 40 67 13 ed 95 59 a2 7d 12 a3 e3 74 71 8c 7c ce a1 06 7e 01 4d 7e bb 5f d4 48 a2 3a ae 55 cd 71 f0 18 f7 d4 2f c6 22 54 6f 85 54 99 7a eb 86 92 34 bb 25 e8 Data Ascii: PK^

Source: global traffic	HTTP traffic detected: GET /mrs--kavon-cole-dds/uozdogru-39.zip HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: sndpkuruppampady.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mrs--kavon-cole-dds/documents.zip HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Referer: http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zipAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: sndpkuruppampady.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1User-Agent: AutoItHost: sndpkuruppampady.com

Source: unknown

DNS traffic detected: queries for: sndpkuruppampady.com

Source: unarchiver.exe, 0000000B.00000002.383833336.00000000012A0000.00000002.00000001.sdmp, ~DF4EEC81F457CBDB58.TMP.1.dr	String found in binary or memory: http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip
Source: {56FCBAF5-D3C2-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zipRoot

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 11_2_028602A8		11_2_028602A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 11_2_02860299		11_2_02860299

Source: classification engine

Classification label: mal48.win@8/13@3/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{56FCBAF3-D3C2-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4256:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF426483966D72EDC8.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:900 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\5g3nu0sr.qil' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip'
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:900 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip'	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\5g3nu0sr.qil' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\5g3nu0sr.qil' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip'

Jump to behavior

Source: unarchiver.exe, 0000000B.00000002.383833336.00000000012A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 0000000B.00000002.383833336.00000000012A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: unarchiver.exe, 0000000B.00000002.383833336.00000000012A0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: unarchiver.exe, 0000000B.00000002.383833336.00000000012A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: unarchiver.exe, 0000000B.00000002.383833336.00000000012A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution1	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	Process Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer2	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://sndpkuruppampady.com/favicon.ico	0%	Avira URL Cloud	safe
http://sndpkuruppampady.com/mrs--kavon-cole-dds/documents.zip	0%	Avira URL Cloud	safe
http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zipRoot	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sndpkuruppampady.com	198.71.233.254	true	true		unknown
secureservercdn.net	192.124.249.16	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip	true		unknown
http://sndpkuruppampady.com/favicon.ico	true	Avira URL Cloud: safe	unknown
http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip	true		unknown
http://sndpkuruppampady.com/mrs--kavon-cole-dds/documents.zip	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zipRoot	{56FCBAF5-D3C2-11EB-90E5-ECF4BB570DC9}.dat.1.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.71.233.254	sndpkuruppampady.com	United States		26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	438548
Start date:	22.06.2021
Start time:	18:27:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@8/13@3/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, ielowutil.exe, SgrmBroker.exe, svchost.exe Excluded IPs from analysis (whitelisted): 93.184.220.29, 168.61.161.212, 104.43.193.48, 184.24.20.248, 23.35.236.56, 152.199.19.161, 205.185.216.42, 205.185.216.10 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, fs.microsoft.com, ie9comview.vo.msecnd.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, ocsp.digicert.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target unarchiver.exe, PID 6004 because it is empty Not all processes where analyzed, report is missing behavior information VT rate limit hit for: http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{56FCBAF3-D3C2-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	33368
Entropy (8bit):	1.88098787947482
Encrypted:	false
SSDEEP:	96:roZfZn2OWWt/bfP5Q3KMxvquN1QBxfzQ+6rM20:roZfZn2OWWtjfP5RMUukHfzcrC
MD5:	22ABC3C72A616E863C27E52B33983F35
SHA1:	F8C13054EF4992B4D7D9052F57BBDCDBD1B5558A
SHA-256:	48C31B73D8F572FF261CB64D671D9F3F2C9DC0C8370487951956EA4FFC821CE8
SHA-512:	F5A2B78D55666E7B77484544714BCD3E678F48279DB98AE7F318B70037414BEFD7BC2BFE2320A328E25276F4334B3D8E5B2F5113E97BC82DD3B3797E18196E8E
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{56FCBAF5-D3C2-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24236
Entropy (8bit):	1.643178287668459
Encrypted:	false
SSDEEP:	48:IwUGcprhGwpaZG4pQhGrapbSFGQpBiGHHpc/TGUp8wGzYpmkbGopumuJwGeNpm:rIZ7Q76xBSvj52JWEMgP5g
MD5:	C4ECAF324512D86A9713BA1B46117052
SHA1:	97314CA490F10F08CDE2CC1C46F55679140F9598
SHA-256:	6183FC57FD5EBF9D196E5957EBCD1EC5AE0CDC61804EFC319DB9377BFAD8D774
SHA-512:	45674CC0369A25DB9F81F84E6CF53A4BDB6A7FCB11C9893BB4419E687B035F492EFE33AE5443E9DECCB47EE515990A3687055F3AAF78766316AA0FC815487A71
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{60E0A826-D3C2-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.563531453955824
Encrypted:	false
SSDEEP:	48:Iw0GcprBGwpasG4pQcGrapbSEGQpKlG7HpRoTGIpG:roZbQs6aBScAUTsA
MD5:	D470B391862367CA01854BDFCA653388
SHA1:	376C563834ED8FFAAFDE73E041076B1EB6E8C842
SHA-256:	5FA3C602E0AEAE5CBC68883F93DBD9260E765074C46430EE99364A06D324B3F2
SHA-512:	05DC013095B14C4DF601B62697BB81C903A7B85C0A16756B69CD556F980C76C9ED1B08A7CE05157B8FB786DE9127371F504AA616F1DC18E466AE1169A19B62C4
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\documents[1].zip Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	149509
Entropy (8bit):	7.997825098415298
Encrypted:	true
SSDEEP:	3072:A+tg9Y7pLYWe09fTZyCd1xXL2ylUBWC6CFve7bpCxAVIKo5I/19/K00b:5sPp0jyix72yliWC69sYo5YTg
MD5:	A06BE586FC172FFC8792768EF2932967
SHA1:	EED0A41AB898C548853F197661F71D7D303F958F
SHA-256:	F154F4BBB7901063AC70641DED71FB6A788040FC69B386AA390B3299CAD9BC2E
SHA-512:	08C78202FF0EEB9F1139C36A2EEE2F6F6F653BA1F63A21DE0789E4DF0A500508DDB85C38AC0877BB4DBEC5A0007D4090266DE70D58CCB3D3320C198C2C10D6C1
Malicious:	false
Reputation:	low
Preview:	PK.........^.Ry^..YG..6o......aim-1276697785.xlsb.Z.w....gf....3.....s...1C..bfzff;1&f.....V......Z.p.H{..H...IOE..............r......%8..,.xH=q.{Ws{W#./Gs...O;[.<hH...H..o..[;....z...Dg.\|.....)..3...........'.h..&...G....).ve8...i...3....'.......U[.\|U...##.\Y...Cc....l...........d...{[.4.N...j.s.d..q.g.Q6\y.).-1.....;;.2...n...I..9.{4J...Z...a..c.-.q6.AF..L.2(..x.2...k..0..\t7....A.J..ye......N.i....)].k...Fy..6/..B.g....p[..{....'G8.....A.=._.,!........&..hr_...'2.c../.XG._.G.R.B.V...F.....?.,Y..T..Z=x.y..C..9..)..D.z.A.E.56[..@IC..S..`.T.[...F..jx....]Q...e.H<....cu.......YM.\|..^Wt........e..`.M....}....~........r0..?-//` ^_. .5M..o..Y.oY..-M.9............b..z..Oe.....e.s............b.Doo.hK....O/..G.J:.$.+..T.M....@g..Y.}...tq.\|..~.M~._.H.:.U.q..../."To.T.z.4.%..s..s...._.E;.5\|.....TF&vG....v.&...\-`.2..x.I9.dx...!..#..5e.......M..V.Eb...B....C.....T.^F.b...T!.L..&-...O..2.6...r.v;....e.pp.1qp.a1....2......p{....C^...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\uozdogru-39[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with no line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.8569078590363395
Encrypted:	false
SSDEEP:	3:uMBabGMoGLI0QWK8HIuRZdaOFG4KRNdBiR20gJYRnd7CJMKD1HQBIXWec7DSn:d5MoGLmApb8OOBibDRd7Q1wBqWeYDSn
MD5:	92EBBA2D7B311C7246056BDCDB51D970
SHA1:	C5AEE2411EA71A95B180CDFB8B620CC3CA0FD391
SHA-256:	10FAEE96424F7E1B9A87C493A59F0A7ECF999B15FF6A2E9FFC386BC70E7042BD
SHA-512:	4A2B490A383BDEF1964D568B47FBA2F43CD07EA5DEE691E746AF35B189E21C8B3A1991AF1004DCAB85CEFA742510E0561A596F9EF808A033EEA23791B184494D
Malicious:	false
Reputation:	low
Preview:	<div id="ll" data-rr="/mrs--kavon-cole-dds/documents.zip"></div><script>location.pathname = document.getElementById('ll').getAttribute('data-rr');</script>Wait...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip.5uu3uf1.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	149509
Entropy (8bit):	7.997825098415298
Encrypted:	true
SSDEEP:	3072:A+tg9Y7pLYWe09fTZyCd1xXL2ylUBWC6CFve7bpCxAVIKo5I/19/K00b:5sPp0jyix72yliWC69sYo5YTg
MD5:	A06BE586FC172FFC8792768EF2932967
SHA1:	EED0A41AB898C548853F197661F71D7D303F958F
SHA-256:	F154F4BBB7901063AC70641DED71FB6A788040FC69B386AA390B3299CAD9BC2E
SHA-512:	08C78202FF0EEB9F1139C36A2EEE2F6F6F653BA1F63A21DE0789E4DF0A500508DDB85C38AC0877BB4DBEC5A0007D4090266DE70D58CCB3D3320C198C2C10D6C1
Malicious:	false
Reputation:	low
Preview:	PK.........^.Ry^..YG..6o......aim-1276697785.xlsb.Z.w....gf....3.....s...1C..bfzff;1&f.....V......Z.p.H{..H...IOE..............r......%8..,.xH=q.{Ws{W#./Gs...O;[.<hH...H..o..[;....z...Dg.\|.....)..3...........'.h..&...G....).ve8...i...3....'.......U[.\|U...##.\Y...Cc....l...........d...{[.4.N...j.s.d..q.g.Q6\y.).-1.....;;.2...n...I..9.{4J...Z...a..c.-.q6.AF..L.2(..x.2...k..0..\t7....A.J..ye......N.i....)].k...Fy..6/..B.g....p[..{....'G8.....A.=._.,!........&..hr_...'2.c../.XG._.G.R.B.V...F.....?.,Y..T..Z=x.y..C..9..)..D.z.A.E.56[..@IC..S..`.T.[...F..jx....]Q...e.H<....cu.......YM.\|..^Wt........e..`.M....}....~........r0..?-//` ^_. .5M..o..Y.oY..-M.9............b..z..Oe.....e.s............b.Doo.hK....O/..G.J:.$.+..T.M....@g..Y.}...tq.\|..~.M~._.H.:.U.q..../."To.T.z.4.%..s..s...._.E;.5\|.....TF&vG....v.&...\-`.2..x.I9.dx...!..#..5e.......M..V.Eb...B....C.....T.^F.b...T!.L..&-...O..2.6...r.v;....e.pp.1qp.a1....2......p{....C^...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip.5uu3uf1.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Temp\5g3nu0sr.qil\aim-1276697785.xlsb Download File
Process:	C:\Windows\SysWOW64\7za.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	159542
Entropy (8bit):	7.96115135206652
Encrypted:	false
SSDEEP:	3072:aIIh9vajtC1gBbZmxVymd1xXPMU9VlUBWA6CFvA7bRCxAVIKPMI2:ZIQegBbcxVyWxfMU3liWA6FsYP+
MD5:	1019BFEBB97DE3EB8EC428358587BEF1
SHA1:	964A23BBB0CE3021464518510F1E3DF3FEF20BC9
SHA-256:	2FE2BABFCC7EA5AD682D772D74AEE8D1CDBD6E1974274669B262D9A6D4C8AAA3
SHA-512:	E1B0D59BD7E3B75B119EF4CFEA96C75B73CFC6854FE1CDF2FD06E605D86B310578732F0A8D7B8312CF32B2A3B7A11B3219E58EB5C95E2507AC2BAA72CE64D46C
Malicious:	false
Reputation:	low
Preview:	PK..........!................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.N.0..W.?D.......,.....$.z6....-{...3..m.v.F..$q.....{q..x........+..Ni......++"J..q......?-.6.bAh.+. .oB..VF.<X..r..H..^..r..t6."jg.,..8.rq.+.h.....6.{mY.}._......Z"....m,...... '.....:..+.../.X.^~o..~.......&. ...].9sB.c.}<!c.(./.s.q.T....72.O.3.3...lD..6O....qp.N../....*.&....~...\.>.m.L.&....)..~.../...).$....4. .u...55.`..j.kP.~li.y.y...].qc N.k...zld.u....i...G.<1#.[@L.b.>fd..>.Ty0Z...#.. .sD...K...S.

C:\Users\user\AppData\Local\Temp\pcdulxpe.xs1\unarchiver.log Download File
Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1468
Entropy (8bit):	5.1591523526521845
Encrypted:	false
SSDEEP:	24:Oc2ceYeVY2RQw20iJG20iJjWIG20iJG20iJUw020iJfFv20iJG20iJFTAYeVY20l:OcPeDi6QwNGGNGbGNGGNGp0NGBNGGNGT
MD5:	1D1E795E7B8332A2A02BB10EE5863E2F
SHA1:	9C0B3819828C0C4DC790837DE36539E5DD1307D1
SHA-256:	0C1F22654C6E920D6D20A758375A6D82F723529647D725E4776D83AA00653308
SHA-512:	8DAE34F7293938A155383A7AC25791FFDE4A4521ECBB417591FED28886FC31C7CF41532747413FB9049285935C1FB7766F58C43C8CF08FF29E2FC9302FDFAAE7
Malicious:	false
Reputation:	low
Preview:	06/22/2021 6:29 PM: Unpack: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip..06/22/2021 6:29 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\5g3nu0sr.qil..06/22/2021 6:29 PM: Received from standard out: ..06/22/2021 6:29 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..06/22/2021 6:29 PM: Received from standard out: ..06/22/2021 6:29 PM: Received from standard out: Scanning the drive for archives:..06/22/2021 6:29 PM: Received from standard out: 1 file, 149509 bytes (147 KiB)..06/22/2021 6:29 PM: Received from standard out: ..06/22/2021 6:29 PM: Received from standard out: Extracting archive: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip..06/22/2021 6:29 PM: Received from standard out: --..06/22/2021 6:29 PM: Received from standard out: Path = C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip..06/22/2021 6:29 PM: Received from

C:\Users\user\AppData\Local\Temp\~DF426483966D72EDC8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13077
Entropy (8bit):	0.5157573192245184
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lobI9lobY9lWbBE3Kc6fS5KW:kBqoIHhQKZ6IW
MD5:	F5581A4325C6CB9B0440BF9FDE11AA76
SHA1:	56A1B38E731F00BFDDDA9F834CE8984190A253D9
SHA-256:	35B24AB08E34E7810B3B27BEA1B2B00D8B2665538692F9674962AF8EB0DF12AD
SHA-512:	BFDDF470CBC952B008605F6565485FB8FD93C1D13D023126BC08BABCC2854AED5A1FD9A2DB2A6CDACC6F78304DF3E54A715BD9E363C9790B145D1AAC74AF038F
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF4EEC81F457CBDB58.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34429
Entropy (8bit):	0.36247696279437985
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwy9lwC9l209l2U9l/kO:kBqoxKAuvScS+1bZIkIkYmuJP
MD5:	C7B69592A6E5CF50B6CF0A44CE20A99A
SHA1:	35C7C4F29AA8B9123E235766278A6192B2074443
SHA-256:	0F19A6DD30789DEFBC844CAC28BB7D33F00919A861B38EF90686CDBE6A7A86BC
SHA-512:	8129CD88BB82F39D3CC39A3456EC86FAA3E74AE599FF9657604BAD07743C2B3D6E196B712F124A4A3D1B827F7E98478C8AEB67CFD15FE9F193FD7C28B55977C9
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFED12FFEC4428B97E.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.33703736285108915
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAYvZYqs98dd:kBqoxxJhHWSVSEabYvZYn9cP1
MD5:	6FD8B5F5A01D5F25D1A40CDAB8C19316
SHA1:	F73606C068013D879C1569110EE17DCB90500245
SHA-256:	B4686C86CCCAF7551E6BF5E432B6C993BBAC37AD368A00E0E4028D7628173621
SHA-512:	26A530D712A491F37890D763449DE86ADCF6BB77998A4A1DFC245CE43D9848535A51AB7AA0CD161079D7C9F8C2753E145DD7A68F5AF891CA7F82C6F43CE5C776
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/22/21-18:28:43.800333	TCP	3134	WEB-CLIENT PNG large colour depth download attempt	80	49698	198.71.233.254	192.168.2.5
06/22/21-18:28:43.800333	TCP	3133	WEB-CLIENT PNG large image height download attempt	80	49698	198.71.233.254	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 22, 2021 18:28:42.736602068 CEST	49697	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:42.736792088 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:42.867228985 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:42.867320061 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:42.868660927 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:42.870611906 CEST	80	49697	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:42.870743036 CEST	49697	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.005182981 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.005285978 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.271178007 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.404979944 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.405214071 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.405241013 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.405320883 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.405584097 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.405678988 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.405991077 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.406075954 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.406363010 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.406404018 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.406443119 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.406485081 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.406503916 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.406550884 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.406630039 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.406689882 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.535908937 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.535945892 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.535969973 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.535994053 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536017895 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536041021 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536077023 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.536113977 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536139011 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536153078 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.536190987 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.536726952 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536885977 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536900043 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.536911011 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536931992 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.536936998 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536962032 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.536963940 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.536986113 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.536987066 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.537012100 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.537019968 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.537039995 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.537043095 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.537067890 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.537069082 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.537091970 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.537101030 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.537116051 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.537134886 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.537139893 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.537189007 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666292906 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666333914 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666357040 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666383982 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666408062 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666431904 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666455030 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666471004 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666481018 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666498899 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666506052 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666532993 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666557074 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666584015 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666611910 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666630030 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666636944 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666661978 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666661978 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666688919 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666690111 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666712046 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666718006 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666735888 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.666749954 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.666786909 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667155027 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667181015 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667229891 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667244911 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667258978 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667303085 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667340040 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667495966 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667525053 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667557001 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667573929 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667596102 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667639971 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667643070 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667685986 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667695045 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667738914 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667771101 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667825937 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667844057 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667867899 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667893887 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667915106 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667922974 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667948008 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667972088 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.667990923 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.667994022 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.668015003 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.668036938 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.668040991 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.668066025 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.668088913 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.668091059 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.668135881 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.668143034 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.668191910 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.668195009 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.668220043 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.668241978 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.668247938 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.668267965 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.668279886 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.668313026 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.668313026 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.668353081 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.798063993 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.798108101 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.798130035 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.798156023 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.798209906 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.798269033 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.798477888 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.798542976 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.799704075 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.799746037 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.799774885 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.799802065 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.799814939 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.799834967 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.799869061 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.799876928 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.799901009 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.799922943 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.799933910 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.799956083 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.799967051 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.799993992 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800015926 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800021887 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800031900 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800050974 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800064087 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800077915 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800105095 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800122023 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800131083 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800146103 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800164938 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800190926 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800194025 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800220966 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800242901 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800249100 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800276041 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800276995 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800302982 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800331116 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800333023 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800359964 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800360918 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800381899 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800401926 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800424099 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800451040 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800472975 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800476074 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800503016 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800515890 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800530910 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800545931 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800564051 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800582886 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800592899 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800622940 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800626040 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800649881 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800656080 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800678015 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800688028 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800705910 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800724983 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800733089 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800759077 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800786018 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800790071 CEST	80	49698	198.71.233.254	192.168.2.5
Jun 22, 2021 18:28:43.800811052 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:28:43.800858974 CEST	49698	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:29:44.133023977 CEST	49704	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:29:44.268215895 CEST	80	49704	198.71.233.254	192.168.2.5
Jun 22, 2021 18:29:44.268348932 CEST	49704	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:29:44.268506050 CEST	49704	80	192.168.2.5	198.71.233.254
Jun 22, 2021 18:29:44.405162096 CEST	80	49704	198.71.233.254	192.168.2.5
Jun 22, 2021 18:29:44.405373096 CEST	49704	80	192.168.2.5	198.71.233.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 22, 2021 18:28:31.810986042 CEST	53	51165	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:32.314482927 CEST	53183	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:32.371510983 CEST	53	53183	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:33.276650906 CEST	57587	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:33.331541061 CEST	53	57587	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:34.215976954 CEST	55432	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:34.271586895 CEST	53	55432	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:35.129914045 CEST	64936	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:35.195111990 CEST	53	64936	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:36.089667082 CEST	52704	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:36.140325069 CEST	53	52704	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:37.140433073 CEST	52212	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:37.200997114 CEST	53	52212	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:38.223990917 CEST	54302	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:38.275173903 CEST	53	54302	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:39.179160118 CEST	53784	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:39.230101109 CEST	53	53784	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:40.165025949 CEST	65307	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:40.216916084 CEST	53	65307	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:41.175666094 CEST	64344	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:41.240863085 CEST	53	64344	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:41.343334913 CEST	62060	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:41.400057077 CEST	53	62060	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:42.651504040 CEST	61805	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:42.724716902 CEST	53	61805	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:42.768199921 CEST	54795	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:42.820797920 CEST	53	54795	8.8.8.8	192.168.2.5
Jun 22, 2021 18:28:57.212042093 CEST	49557	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:28:57.272470951 CEST	53	49557	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:11.239142895 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:11.307344913 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:12.109983921 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:12.170080900 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:12.257997990 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:12.315649986 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:13.116883993 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:13.167072058 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:13.305113077 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:13.374363899 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:14.132270098 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:14.182442904 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:15.304904938 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:15.362901926 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:16.179187059 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:16.229326010 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:19.351814032 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:19.419954062 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:20.226516008 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:20.285379887 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:27.943300962 CEST	52441	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:27.994091988 CEST	53	52441	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:44.068449020 CEST	62176	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:44.127366066 CEST	53	62176	8.8.8.8	192.168.2.5
Jun 22, 2021 18:29:44.435430050 CEST	59596	53	192.168.2.5	8.8.8.8
Jun 22, 2021 18:29:44.499984980 CEST	53	59596	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 22, 2021 18:28:42.651504040 CEST	192.168.2.5	8.8.8.8	0x7a2d	Standard query (0)	sndpkuruppampady.com	A (IP address)	IN (0x0001)
Jun 22, 2021 18:29:44.068449020 CEST	192.168.2.5	8.8.8.8	0x9962	Standard query (0)	sndpkuruppampady.com	A (IP address)	IN (0x0001)
Jun 22, 2021 18:29:44.435430050 CEST	192.168.2.5	8.8.8.8	0xbf05	Standard query (0)	secureservercdn.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 22, 2021 18:28:42.724716902 CEST	8.8.8.8	192.168.2.5	0x7a2d	No error (0)	sndpkuruppampady.com	198.71.233.254	A (IP address)	IN (0x0001)
Jun 22, 2021 18:29:44.127366066 CEST	8.8.8.8	192.168.2.5	0x9962	No error (0)	sndpkuruppampady.com	198.71.233.254	A (IP address)	IN (0x0001)
Jun 22, 2021 18:29:44.499984980 CEST	8.8.8.8	192.168.2.5	0xbf05	No error (0)	secureservercdn.net	192.124.249.16	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

sndpkuruppampady.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49698	198.71.233.254	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 22, 2021 18:28:42.868660927 CEST	307	OUT	GET /mrs--kavon-cole-dds/uozdogru-39.zip HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: sndpkuruppampady.com Connection: Keep-Alive
Jun 22, 2021 18:28:43.005182981 CEST	308	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Age: 1495 Cache-Control: no-store, no-cache, must-revalidate Content-Encoding: gzip Content-Length: 150 Content-Type: text/html; charset=UTF-8 Date: Tue, 22 Jun 2021 16:03:46 GMT Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Vary: Accept-Encoding X-Backend: local X-Cache: cached X-Cache-Hit: HIT X-Cacheable: YES X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Data Raw: 1f 8b 08 00 00 00 00 00 00 03 35 8d 41 0a c2 30 10 45 af 12 b2 49 bb 48 72 00 d3 82 82 8b 9e c0 f5 98 09 3a 38 4d 4a 32 2d e8 e9 b5 50 77 8f 0f ef bf 80 b4 29 c2 41 33 6b 85 20 60 6b 1d b4 9f 6b b3 f6 05 5b c9 36 16 4e 16 b1 79 2c 71 9d 53 96 e6 3e b4 e8 31 f8 9f 3a 86 16 2b 2d 32 72 89 20 54 b2 5b 40 9e 19 e6 a4 06 f5 17 dc 23 c9 95 d3 8e 97 f7 84 9d 61 36 fd 3e 9e 45 2a dd 57 49 9d 39 d2 a6 3f 05 7f 5c de 80 c4 39 f7 05 0e 83 a9 28 a2 00 00 00 Data Ascii: 5A0EIHr:8MJ2-Pw)A3k `kk[6Ny,qS>1:+-2r T[@#a6>E*WI9?\9(
Jun 22, 2021 18:28:43.271178007 CEST	313	OUT	GET /mrs--kavon-cole-dds/documents.zip HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Referer: http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: sndpkuruppampady.com Connection: Keep-Alive
Jun 22, 2021 18:28:43.404979944 CEST	317	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Age: 429595 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Description: File Transfer Content-Disposition: attachment; filename= Content-Length: 149509 Content-Transfer-Encoding: binary Content-Type: application/octet-stream Date: Thu, 17 Jun 2021 17:08:46 GMT Expires: 0 Pragma: public X-Backend: local X-Cache: cached X-Cache-Hit: HIT X-Cacheable: YES X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Data Raw: 50 4b 03 04 14 00 00 00 08 00 ec 5e d1 52 79 5e b6 d1 59 47 02 00 36 6f 02 00 13 00 00 00 61 69 6d 2d 31 32 37 36 36 39 37 37 38 35 2e 78 6c 73 62 ec 5a f5 77 dd cc 11 f5 67 66 c6 98 99 99 e1 33 c4 cc f8 cc 10 73 cc cc 0c 31 43 e2 18 62 66 7a 66 66 3b 31 26 66 86 98 99 99 b9 56 e1 f4 b4 a7 fd 0b 5a fd 70 df 48 7b ef ec 48 bb 9a 1d 49 4f 45 1e 0a 1a 1b 02 16 02 1e 02 02 82 1c 82 a4 72 a2 eb e4 0f 08 88 25 38 08 08 2c 08 78 48 3d 71 07 7b 57 73 7b 57 23 0d 2f 47 73 17 03 16 4f 3b 5b b2 3c 68 48 ba 1c 08 48 88 ff 6f ff d3 5b 3b e8 87 d2 12 1b 7a 87 d6 81 88 44 67 de 7c 1b 11 18 fc 9b 29 1c 12 33 1c 97 aa c4 9b e7 fc a8 bf bb 86 d9 27 f0 68 95 f3 26 cc 2e d2 bd 47 aa a4 83 ca 29 e1 76 65 38 9d c0 c7 69 b6 a1 c8 33 18 bd a1 0e 27 fd 92 80 f1 fb ac 92 55 5b e5 7c 55 db d0 05 23 23 85 5c 59 81 13 2e 43 63 d0 cf d1 e4 6c 11 e6 13 1e 12 13 b1 8f 84 8c b3 64 0f 0e ef 7b 5b 83 34 a5 4e 84 b4 1f 6a 9d 73 93 64 86 aa 71 0d 67 d1 9c 51 36 5c 79 1e 29 ac 2d 31 98 92 bf f1 cd 3b 3b a1 32 de 7f ac 6e de db bb e6 49 f0 b1 d3 39 f7 7b 34 4a 00 7f bb 5a d9 d3 a5 80 61 c8 2a df b0 63 ca 2d fb 71 36 0f 41 46 1b 88 4c b8 32 28 d0 8c c4 78 8a 32 ce 9a a0 dd 6b e8 ef 30 07 e5 bf 5c 74 37 f9 f8 1c 01 41 83 4a d6 f3 79 65 c7 e0 86 df e5 fd 4e b5 69 be 9f 10 b9 29 2a 5d 01 6b b8 cb 89 d3 9c 46 79 0e 0e 36 2f c7 9a f2 42 02 67 1e e7 c6 c2 a7 70 5b 09 ec 7b 1e e5 b0 98 ea 0e 27 47 38 a5 a0 0e d6 ea 86 87 41 86 3d 9a 5f e8 2c 21 fe 03 18 99 fa df 85 b1 ec 26 14 c6 68 72 5f aa 89 e8 af 27 32 fc 63 b6 eb 2f 9b 58 47 f7 5f e9 47 a9 52 f3 a3 42 b8 56 c9 2e dc 46 07 16 b9 b9 e7 3f 90 2c 59 17 da a8 54 fa db 5a 3d 78 15 79 11 87 43 19 e0 39 99 92 29 d5 d8 44 e3 97 7a db 9a 41 b8 45 07 35 36 5b 0d 07 40 49 43 0b b1 53 86 ea 89 2a 60 9a 54 0b 5b 98 f5 c7 46 0b 07 6a 78 b1 e9 f6 c0 5d 51 06 95 92 65 bb 48 3c f7 0c c8 cf 63 75 a8 f7 8a 85 8a 8b c7 59 4d 05 7c 80 bf 5e 57 74 14 9e b4 c2 fe e0 cd d9 65 7f 82 60 e0 4d 11 1c f8 ce 7d f1 b1 d3 7f 85 7e b2 85 dd c0 91 ed cf cf a3 72 30 d6 f1 8d 3f 2d 2f 2f 60 20 20 5e 5f a1 20 fe 35 4d 88 07 6f f6 dd be 59 0a 6f 59 00 e9 2d 4d 18 39 9b db ba b0 b2 00 f8 ff f4 f0 ff 0d d8 62 12 c6 94 7a d8 90 fb 4f 65 da c5 b7 1e 0f ec 65 e0 73 1b da c8 0a 96 d1 19 d0 d6 a8 ed 09 1b 62 f3 a9 44 6f 6f cc 68 4b b8 1a 89 9f 4f 2f c7 b2 db 97 47 a6 4a 3a f9 24 18 2b 83 dd 54 83 4d 8a fb b4 e7 40 67 13 ed 95 59 a2 7d 12 a3 e3 74 71 8c 7c ce a1 06 7e 01 4d 7e bb 5f d4 48 a2 3a ae 55 cd 71 f0 18 f7 d4 2f c6 22 54 6f 85 54 99 7a eb 86 92 34 bb 25 e8 Data Ascii: PK^Ry^YG6oaim-1276697785.xlsbZwgf3s1Cbfzff;1&fVZpH{HIOEr%8,xH=q{Ws{W#/GsO;[<hHHo[;zDg\|)3'h&.G)ve8i3'U[\|U##\Y.Ccld{[4NjsdqgQ6\y)-1;;2nI9{4JZac-q6AFL2(x2k0\t7AJyeNi)]kFy6/Bgp[{'G8A=_,!&hr_'2c/XG_GRBV.F?,YTZ=xyC9)DzAE56[@ICS*`T[Fjx]QeH<cuYM\|^Wte`M}~r0?-//` ^_ 5MoYoY-M9bzOeesbDoohKO/GJ:$+TM@gY}tq\|~M~_H:Uq/"ToTz4%
Jun 22, 2021 18:28:43.405241013 CEST	319	IN	Data Raw: c3 73 c5 95 bd 73 e2 9c d4 93 e3 f1 5f ac 45 3b c6 35 7c d4 c5 e6 d3 e1 54 46 26 76 47 e6 1a 0a ed 2a 76 f0 26 b2 b1 da 5c 2d 60 2e 32 e6 09 78 18 49 39 f4 64 78 8c f2 df 21 12 17 23 c6 ec 35 65 c4 c9 ac e0 11 10 9e 09 4d ec b8 e7 bd 56 f5 45 62 Data Ascii: ss_E;5\|TF&vGv&\-`.2xI9dx!#5eMVEbBC.T^FbT!L&-O26r*v;epp1qpa12p{C^7NWTThFG-E,Lk^!mcn MPw
Jun 22, 2021 18:28:43.405584097 CEST	320	IN	Data Raw: 71 a1 37 24 af 2d ba f6 1d c5 61 be f9 2b b2 89 77 cf 9e 1b bf d6 c5 7f cc 3a f2 b0 3e 27 2d 6f ab 40 fa f7 3f 20 88 ff 36 15 ec 8c 4d 9d 1d fe 3e 17 ac ec 5d 6d ff 39 1f 8e 32 e1 7c 41 db 04 fd 5d 2e 50 5b e8 90 a1 6c dd 2a c8 f0 18 3d 6c 81 58 Data Ascii: q7$-a+w:>'-o@? 6M>]m92\|A].P[l*=lX2ts}r/i8Z9Ynhkh.==Z}<rnDXiolZ8ctnREj$j009he_U^~i~Z{-H\|dy_;ipVcGQ<O
Jun 22, 2021 18:28:43.405991077 CEST	322	IN	Data Raw: 51 3f 55 cd c3 26 2d ec cb 77 8c e1 1c bb d6 b5 ea e6 a9 2d 91 e6 d2 8b 57 88 8a ad ac b9 ff 5c d5 6c 5a 66 76 92 fe b9 8a da 34 bb 6b fb a5 df ae b3 04 25 61 85 4e 71 51 d7 23 95 cb 19 69 49 32 a1 4b 67 b6 ed a7 c1 be 92 63 71 cb 94 41 fa 96 ad Data Ascii: Q?U&-w-W\lZfv4k%aNqQ#iI2KgcqAnjzf0c~:Sb^eb%[qW0&\ih.6=b=}T]vOL(W}[~V0Y\'sxMy.7.R"2+]p$nilb(uC
Jun 22, 2021 18:28:43.406363010 CEST	323	IN	Data Raw: c3 4b d4 d0 a2 a9 6f d8 7d bd 9d aa f7 45 1f b9 de bb 13 7a c7 e8 82 6a c0 5f c0 6c 9d 88 87 b9 c5 68 83 b7 fc 32 7d 1f 6f df 93 48 c1 88 e5 06 20 82 c5 66 f8 40 b1 e0 fe b2 0b 3c 9c 2f 51 b4 d6 59 a4 b2 77 42 22 45 97 83 f1 95 1d 17 0d 4b 8c a7 Data Ascii: Ko}Ezj_lh2}oH f@</QYwB"EKYZSld t$@$]*=aYL/mr/D/gGlQf!m:a%_a5l1#wojKi):-P#hst~yuLj,g
Jun 22, 2021 18:28:43.406404018 CEST	324	IN	Data Raw: 5c b2 5c 71 a3 19 97 bb c0 fd e3 bd 3f 21 fe e3 79 2a 8a 04 32 95 c1 42 40 04 be 7b fb 6e fc b7 f3 74 fd 68 6e 67 fe 37 64 07 be 1b 1f e9 8c 45 2f 4a 61 77 e2 3d 88 c0 2f 13 bf 26 98 f9 44 f2 ce d7 76 58 d5 a5 87 ce cb fe 72 b2 8d af f8 15 c7 25 Data Ascii: \\q?!y2B@{nthng7dE/Jaw=/&DvXr%dC=9)D"G>u(@b52SJ4JLB&gswB^8Ca> )QqxY0<8~`PFB>{0>\ ~V 1~)LR4
Jun 22, 2021 18:28:43.406443119 CEST	326	IN	Data Raw: be e3 97 69 4d 35 13 4a 5f 8f 1c 9f aa 8c fd 29 63 59 9c 73 96 aa a9 5d c5 70 79 18 52 48 ad f7 be 35 7c e2 6a 89 60 ca fc 01 5e 2c f2 3e 16 8c bc 96 e8 e8 b9 ad 3e 92 c7 4f 7d 86 5a 87 5e ab f8 6c c7 5d a4 ef 7e 9d 12 01 0e ab 75 92 c0 c3 18 14 Data Ascii: iM5J_)cYs]pyRH5\|j`^,>>O}Z^l]~ub!am(P4eJe`g+vF7;\|GYb7-$a:u/dJdQ5i)*Y+CW6Q4Exuxt9'z<I
Jun 22, 2021 18:28:43.406485081 CEST	327	IN	Data Raw: 8b e5 77 c6 9a 9a ee 60 9a 6e 9a b5 ed 76 9a 06 a4 dd 3d 9b 14 87 ae 05 ec 4f 56 6c 3d ea b6 9f 0f d0 6f 79 5d 84 42 d6 97 76 0f 85 8e 1a e3 8b 6d 56 ed e6 9a 36 a6 ca d6 e9 51 68 e3 9b 02 b1 aa 48 48 ec 0b eb d4 d2 2e cd 7b 74 06 a2 3d 16 3d 9a Data Ascii: w`nv=OVl=oy]BvmV6QhHH.{t==,hFYP]b7NN\P%ja\|W($}K4<:'bvHV+Viz[gy~bg6L!kceC"bQ)TGa7U
Jun 22, 2021 18:28:43.406503916 CEST	328	IN	Data Raw: 71 9b 52 31 b0 89 e6 e3 1b 24 78 32 5a a5 75 d7 9f 82 17 de 57 8d 25 9c 71 f9 45 75 cb 6b ea a2 ea 26 4e a8 ed cf 13 ff 3d e2 f3 7e 50 39 25 5e c0 cf 7d e1 ec e7 77 01 99 6e 05 ce 4d 90 fe d1 78 a4 f0 24 93 13 81 1c 42 a0 a5 01 bb 6d ff f0 8e b3 Data Ascii: qR1$x2ZuW%qEuk&N=~P9%^}wnMx$Bm!U>go?(tFp`MrJ>;mxa\|jqK*ZlLou;#?xb+OK`ptjrc8/%0&!
Jun 22, 2021 18:28:43.406550884 CEST	330	IN	Data Raw: 51 49 7e f8 bb 95 09 43 50 62 16 17 aa 15 d1 24 5f 81 13 cb bb 62 b5 5b 5a 32 a5 c2 4b 57 e8 8d 9f b3 90 70 d0 a1 0a 57 93 94 13 b0 b9 d6 02 02 3d 79 0d 30 8f 7c c4 31 13 f4 91 2b 8d e8 8e f9 f5 f0 ff 1e 64 c7 5f 83 fc 19 b4 22 c5 f2 89 e3 9b d2 Data Ascii: QI~CPb$_b[Z2KWpW=y0\|1+d_"dG\|(Mv' +BTxLoh"FterNl9FDY4Ct]qp1i]u<%"gq23g>Pc\|7nfXvq\|3Dt
Jun 22, 2021 18:28:43.535908937 CEST	334	IN	Data Raw: 90 e2 e1 da f4 c0 27 4b a1 86 73 1f 9b 65 1b 07 b5 1d c3 cd 51 ba de 61 f7 53 2e 4d 13 9b 4b c3 9a ea 5d be 13 d8 70 50 87 a9 07 c4 e3 bb cd da d6 fe 58 dc 2e de c3 6b cf 46 2a 79 00 e5 f2 e5 f0 bb ba c3 ee 29 bd c2 26 8d 4f 71 49 62 da 40 a2 b6 Data Ascii: 'KseQaS.MK]pPX.kFy)&OqIb@L"6T)<6^\sqm\I=.gG_f'gg~?\:p}@mpKL?s<*PbDEJ5AQ`A$3vPS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49704	198.71.233.254	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 22, 2021 18:29:44.268506050 CEST	499	OUT	GET /favicon.ico HTTP/1.1 User-Agent: AutoIt Host: sndpkuruppampady.com
Jun 22, 2021 18:29:44.405162096 CEST	500	IN	HTTP/1.1 302 Found Age: 444526 Content-Length: 0 Content-Type: text/html; charset=UTF-8 Date: Thu, 17 Jun 2021 13:00:56 GMT Location: https://secureservercdn.net/198.71.233.254/m8l.34d.myftpupload.com/wp-content/uploads/2020/03/cropped-GuruSquar-32x32.png X-Backend: local X-Cache: cached X-Cache-Hit: HIT X-Cacheable: YES X-Content-Type-Options: nosniff X-Redirect-By: WordPress X-Xss-Protection: 1; mode=block

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 900 Parent PID: 792

General

Start time:	18:28:40
Start date:	22/06/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7bd500000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 5340 Parent PID: 900

General

Start time:	18:28:41
Start date:	22/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:900 CREDAT:17410 /prefetch:2
Imagebase:	0x1330000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: unarchiver.exe PID: 6004 Parent PID: 900

General

Start time:	18:29:21
Start date:	22/06/2021
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip'
Imagebase:	0x580000
File size:	10240 bytes
MD5 hash:	DB55139D9DD29F24AE8EA8F0E5606901
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: 7za.exe PID: 3124 Parent PID: 6004

General

Start time:	18:29:22
Start date:	22/06/2021
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\5g3nu0sr.qil' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\documents.zip'
Imagebase:	0xfc0000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 4256 Parent PID: 3124

General

Start time:	18:29:22
Start date:	22/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: unarchiver.exe PID: 6004 Parent PID: 900 unarchiver.exeCOMMON

Executed Functions

Function 028602A8, Relevance: 1.7, Strings: 1, Instructions: 481COMMON

Download Yara Rule

Strings

X1(r, xrefs: 028606FA

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: 8f29d934f8721bb129aad430193b61b0d5b0540a8dd5d9ebddca9c42bfed098e
Instruction ID: 1e04a513b0b7dfef2f16d34a63b9eee83ae2f0ac60276c0ba286f300062bc821
Opcode Fuzzy Hash: 8f29d934f8721bb129aad430193b61b0d5b0540a8dd5d9ebddca9c42bfed098e
Instruction Fuzzy Hash: 10221579E01218DFDB14EFA5D884BADBBB2FB89305F109569E809A7354CB309D81DF14

Uniqueness

Uniqueness Score: -1.00%

Function 02860C40, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f527c96c6fd2fc76785f46cb1846b42b5b59f42791fc5859de9b38302a51336
Instruction ID: aefb697a4849fb5f57f4c6ea9e5407c12bfcc1e27a32aa5ab83a5ea2b253c2f0
Opcode Fuzzy Hash: 1f527c96c6fd2fc76785f46cb1846b42b5b59f42791fc5859de9b38302a51336
Instruction Fuzzy Hash: 6B51F674E42208DFDB18DFB5D890AAEBBB2FF89315F209429E405B7350DB359942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02860C30, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ff857b43e4c65900c872289a2b2abe2d6dbb2e0020ef3b6032c9d51d1c9280
Instruction ID: a55be059a3c74d4c3ed214940d16e6e7b596342dedadfa2ceb969d3cf7197850
Opcode Fuzzy Hash: a8ff857b43e4c65900c872289a2b2abe2d6dbb2e0020ef3b6032c9d51d1c9280
Instruction Fuzzy Hash: 73513674E42209DFDB19DFB4D890AAEBBB2FF8A315F208429E405B7350DB359842CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02860ACB, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f396f688d0e4aaa2103b70cef4f917b150f6759eb3113080d54e67269233bc0b
Instruction ID: 296d01f9f30f418e60328b0384cbb87dd3e8829a42c468b73461c89f06c8b485
Opcode Fuzzy Hash: f396f688d0e4aaa2103b70cef4f917b150f6759eb3113080d54e67269233bc0b
Instruction Fuzzy Hash: 84212539D45208CFCB01EFA4D8446EEBBB6FB89308F20852AD405A7254DB716E46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02860AD8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183737f7ad266502a3a75504f3798e4a9ee434f11d4cd2434aaea2e710af02f0
Instruction ID: a91d02153520cf1242c60dbac4a178ecb738cae9c0a8ef60d8c7e2e7e385b2f2
Opcode Fuzzy Hash: 183737f7ad266502a3a75504f3798e4a9ee434f11d4cd2434aaea2e710af02f0
Instruction Fuzzy Hash: 7D213739D01208CFCB04EFA4D8446EEBBB6FB89305F20842AD505B3254DB71AE46CB98

Uniqueness

Uniqueness Score: -1.00%

Function 027107FA, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383931828.0000000002710000.00000040.00000040.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2710000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94078b6ffa9d2d95e7f15f5c9c457731aacae31c0a225e8a13db0acba7a5b81
Instruction ID: 8c248e292758c725e45b74a7bd4c7a53b8741b749c9eafca7875057e23894668
Opcode Fuzzy Hash: d94078b6ffa9d2d95e7f15f5c9c457731aacae31c0a225e8a13db0acba7a5b81
Instruction Fuzzy Hash: E00184B64097846FD701CB15EC41C56FFF8DF86620F18C56EED498B602D2656A18CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 027105CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383931828.0000000002710000.00000040.00000040.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2710000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0466e31da2a856e364f8410c79719dbef5d2edcc53bf6788ae928db66506e352
Instruction ID: ebc1f333aed879027631bea71c4cab6ba89b8f9d7a40894906363cb3c97b2a68
Opcode Fuzzy Hash: 0466e31da2a856e364f8410c79719dbef5d2edcc53bf6788ae928db66506e352
Instruction Fuzzy Hash: E1F086B65097806FD7118F1ADC44862FFE8EF86620708C5AFEC498B612D265A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02860E38, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0ae5e6a138c88525c421ae4f959f18f03c9575aaabe1e2fdcd7ee51b19c350
Instruction ID: 52fc59ef58143b87a38a8854a7ab99f083571a3d706db309de0b90779334b429
Opcode Fuzzy Hash: 6b0ae5e6a138c88525c421ae4f959f18f03c9575aaabe1e2fdcd7ee51b19c350
Instruction Fuzzy Hash: DD010878C06359DFCB04EFA4D4457BEBBB1BF01305F6094AAC404B7281D7759A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 02860E48, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412a832f2b370dee5571c061a4d8a81eb3ab3150e4efc8861c0cc1411f1fa2d7
Instruction ID: 6cdc1b5e35aab8b4ee2001852e41bfb6af5e9aafcad456fcd3725618689c3e2c
Opcode Fuzzy Hash: 412a832f2b370dee5571c061a4d8a81eb3ab3150e4efc8861c0cc1411f1fa2d7
Instruction Fuzzy Hash: FB01D278C02219DFCB04EFA4D5447BEBBB2FB05305F6095A9C405B7380D7799A84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 02860BBF, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c630724d8865e15e0787ef7f33217bb35e1f03ea95b159706708a4e44d24e031
Instruction ID: 49b179a73a848c8f7d882ddf5ca39deb64cfdcbe0b0695770d31bb4be4f054c2
Opcode Fuzzy Hash: c630724d8865e15e0787ef7f33217bb35e1f03ea95b159706708a4e44d24e031
Instruction Fuzzy Hash: 4A01F6B8D09209DFCB04DFA9D9456AEBFB1FF45300F2085AAC849A3241D7345A05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0271081E, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383931828.0000000002710000.00000040.00000040.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2710000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a707862879cea12438cce393a822e76d9e1c1241a3f50987b2f11059495371
Instruction ID: d020bea97318b5449a5a5a77d4c2eb071712e9f1463ff74beb2e1e584bc03d24
Opcode Fuzzy Hash: 17a707862879cea12438cce393a822e76d9e1c1241a3f50987b2f11059495371
Instruction Fuzzy Hash: 13F0A7B28056046FD200DF19EC41856F7ECEF94621F14C52FEC088B700E676BA148BF2

Uniqueness

Uniqueness Score: -1.00%

Function 02860BD0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b38cffe86622ec90fd9385f6eb3f8c5b2097127d885e818d33cbd63e03db923
Instruction ID: 147b7a18c6f1144f5d1934fc33b057b4caa5854028f81eb740a000e3deb8907b
Opcode Fuzzy Hash: 6b38cffe86622ec90fd9385f6eb3f8c5b2097127d885e818d33cbd63e03db923
Instruction Fuzzy Hash: 51F0E2B8D0520DDBCB44EFA9D5445AEBBB1FF84300F2095AA8808B3300EB346A00CB99

Uniqueness

Uniqueness Score: -1.00%

Function 027105F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383931828.0000000002710000.00000040.00000040.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2710000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12db2f646c7493a3f85d9f385b7b66edbb2a3e4aaab88beae3dc3777a0c8f344
Instruction ID: e949d066594ebb38086f6e80097b636d7b445e40d76144573ca6615629895d0a
Opcode Fuzzy Hash: 12db2f646c7493a3f85d9f385b7b66edbb2a3e4aaab88beae3dc3777a0c8f344
Instruction Fuzzy Hash: D7E092B6A006045BD650CF0AEC81452FBD8EB84630718C47FDC0D8BB01D535B508CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02860299, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.383965300.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2860000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3612e6edfd65ce5ddfcd4dad21cf06a267eb34ac6c22feb64304132ce3e094b6
Instruction ID: 70da4af444ab057c44e417880947ef63871206ef29ad58dc076671b155b7f2ed
Opcode Fuzzy Hash: 3612e6edfd65ce5ddfcd4dad21cf06a267eb34ac6c22feb64304132ce3e094b6
Instruction Fuzzy Hash: E491D77AD11208EFDB18EFA5E844B9DBBB3FB89305F108565E80AA7368DB305945DF10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report http://sndpkuruppampady.com/mrs--kavon-cole-dds/uozdogru-39.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 900 Parent PID: 792

General

Chronological Activities

Analysis Process: iexplore.exe PID: 5340 Parent PID: 900

General

Chronological Activities

Analysis Process: unarchiver.exe PID: 6004 Parent PID: 900

General