ID: 425819 Cookbook: browseurl.jbs Time: 21:25:27 Date: 27/05/2021 Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents ... 2
Analysis Report https://sites.google.com/view/voice365-net/home ... 4
  Overview ... 4
    General Information ... 4
    Detection ... 4
    Signatures ... 4
    Classification ... 4
    Process Tree ... 4
    Malware Configuration ... 4
    Yara Overview ... 4
    Sigma Overview ... 4
    Signature Overview ... 4
      AV Detection: ... 5
    Mitre Att&ck Matrix ... 5
    Behavior Graph ... 5
    Screenshots ... 6
      Thumbnails ... 6
  Antivirus, Machine Learning and Genetic Malware Detection ... 7
    Initial Sample ... 7
    Dropped ... 7
    Unpacked PE Files ... 7
    Domains ... 7
    URLs ... 7
  Domains and IPs ... 8
    Contacted Domains ... 8
    URLs from Memory and Binaries ... 8
    Contacted IPs ... 8
      Public ... 9
  General Information ... 9
  Simulations ... 10
    Behavior and APIs ... 10
  Joe Sandbox View / Context ... 10
    IPs ... 10
    Domains ... 10
    ASN ... 10
    JA3 Fingerprints ... 10
    Dropped Files ... 10
  Created / dropped Files ... 11
  Static File Info ... 27
    No static file info ... 27
  Network Behavior ... 27
    Network Port Distribution ... 27
    TCP Packets ... 27
    UDP Packets ... 29
    DNS Queries ... 30
    DNS Answers ... 30
    HTTPS Packets ... 30
  Code Manipulations ... 31
  Statistics ... 31
    Behavior ... 31
  System Behavior ... 31
    Analysis Process: iexplore.exe PID: 2628 Parent PID: 800 ... 31
      General ... 31
      File Activities ... 32
      Registry Activities ... 32
    Analysis Process: iexplore.exe PID: 1836 Parent PID: 2628 ... 32
      General ... 32
      File Activities ... 32
      Registry Activities ... 32
  Disassembly ... 33

Copyright Joe Security LLC 2021

Analysis Report https://sites.google.com/view/voice365…-net/home

Overview

General Information

Sample URL: https://sites.google.com/view/voice365-net/home
Analysis ID: 425819
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
HTML title does not match URL

Classification

(Classification chart; categories shown: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.)

Most interesting Screenshot:

Process Tree

System is w10x64
iexplore.exe (PID: 2628 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 1836 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2628 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Phishing
• Compliance
• Networking
• System Summary


AV Detection:

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

(Rendered behavior graph; recoverable information follows.)

Graph header: ID: 425819; URL: https://sites.google.com/vi...; Startdate: 27/05/2021; Architecture: WINDOWS; Score: 56

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Process nodes: iexplore.exe (started; counts shown: 5, 51); iexplore.exe (started; counts shown: 2, 80)

Signature nodes: Antivirus / Scanner detection for submitted sample; Antivirus detection for URL or domain

Network nodes: googlehosted.l.googleusercontent.com (216.58.207.161, 443, 49741, 49742; GOOGLEUS; United States); lh3.googleusercontent.com

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: https://sites.google.com/view/voice365-net/home; Detection: 1%; Scanner: Virustotal; Label: (none); Link: Browse
Source: https://sites.google.com/view/voice365-net/home; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
Source: https://sites.google.com/view/voice365-net/home; Detection: 100%; Scanner: SlashNext; Label: Fake Login Page type: Phishing & Social Engineering

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source: https://docs.google.com/forms/d/e/1FAIpQLScf9e5Jb03x4thoJPsaDC7bgusOgdpbsylCyar0neTbHjGefA/viewform; Detection: 100%; Scanner: SlashNext; Label: Fake Login Page type: Phishing & Social Engineering
Source: https://docs.google.coom/view/voice365-net/home; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
Source: www.bohemiancoding.com/sketch; Detection: 0%; Scanner: URL Reputation; Label: safe (listed 4 times)
Source: www.bohemiancoding.com/sketch/ns; Detection: 0%; Scanner: URL Reputation; Label: safe (listed 4 times)
Source: https://docs.google.co; Detection: 0%; Scanner: URL Reputation; Label: safe (listed 4 times)

Domains and IPs

Contacted Domains

Name: googlehosted.l.googleusercontent.com; IP: 216.58.207.161; Active: true; Malicious: false; Antivirus Detection: (none); Reputation: high
Name: lh3.googleusercontent.com; IP: unknown; Active: unknown; Malicious: false; Antivirus Detection: (none); Reputation: high

URLs from Memory and Binaries

Name: www.apache.org/licenses/LICENSE-2.0; Source: RGO7YKV9.js.2.dr; Malicious: false; Reputation: high
Name: https://docs.google.coom/view/voice365-net/home; Source: {670F719C-BF21-11EB-90EB-ECF4BBEA1588}.dat.1.dr; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: lh3.ggpht.com; Source: 1Q1UOLC9.js.2.dr; Malicious: false; Reputation: high
Name: https://youtube.com/embed/; Source: RGO7YKV9.js.2.dr; Malicious: false; Reputation: high
Name: www.bohemiancoding.com/sketch; Source: qp_sprite146[1].svg.2.dr; Malicious: false; Antivirus Detection: URL Reputation: safe (listed 4 times); Reputation: unknown
Name: https://developers.googleblog.com/2018/03/discontinuing-support-for-json-rpc-and.html; Source: cb=gapi[1].js.2.dr; Malicious: false; Reputation: high
Name: https://drive-thirdparty.googleusercontent.com/; Source: 1Q1UOLC9.js.2.dr; Malicious: false; Reputation: high
Name: lh6.ggpht.com; Source: 1Q1UOLC9.js.2.dr; Malicious: false; Reputation: high
Name: www.bohemiancoding.com/sketch/ns; Source: qp_sprite146[1].svg.2.dr; Malicious: false; Antivirus Detection: URL Reputation: safe (listed 4 times); Reputation: unknown
Name: https://docs.google.co; Source: {670F719C-BF21-11EB-90EB-ECF4BBEA1588}.dat.1.dr; Malicious: false; Antivirus Detection: URL Reputation: safe (listed 4 times); Reputation: unknown
Name: lh4.ggpht.com; Source: 1Q1UOLC9.js.2.dr; Malicious: false; Reputation: high
Name: https://2107170937-atari-embeds.googleusercontent.com/embeds/16cb204cf3a9d4d223a0a3fd8b0eec5d/inner-; Source: home[1].htm.2.dr; Malicious: false; Reputation: high
Name: schema.org/WebPage; Source: home[1].htm.2.dr; Malicious: false; Reputation: high
Name: lh5.ggpht.com; Source: 1Q1UOLC9.js.2.dr; Malicious: false; Reputation: high
Name: https://www.youtube.com; Source: 1Q1UOLC9.js.2.dr; Malicious: false; Reputation: high

Contacted IPs

(World map of contacted IPs; legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs.)

Public

IP: 216.58.207.161; Domain: googlehosted.l.googleusercontent.com; Country: United States; ASN: 15169; ASN Name: GOOGLEUS; Malicious: false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 425819
Start date: 27.05.2021
Start time: 21:25:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 22s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://sites.google.com/view/voice365-net/home
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.win@3/49@1/1

Cookbook Comments: Adjust boot time; Enable AMSI; Browsing link: https://docs.google.com/forms/d/e/1FAIpQLScf9e5Jb03x4thoJPsaDC7bgusOgdpbsylCyar0neTbHjGefA/viewform
Warnings:
Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 104.43.139.144, 168.61.161.212, 2.20.157.220, 88.221.62.148, 172.217.23.46, 172.217.23.67, 172.217.22.234, 172.217.22.206, 172.217.23.3, 172.217.20.227, 20.50.102.62, 152.199.19.161
Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, docs.google.com, ssl.gstatic.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, www.gstatic.com, fonts.googleapis.com, plus.l.google.com, fonts.gstatic.com, ie9comview.vo.msecnd.net, sites.google.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, apis.google.com, cs9.wpc.v0cdn.net
Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\docs.google[1].xml
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 2.469670487371862
Encrypted: false
SSDEEP: 3:D90aKb:JFKb
MD5: C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1: 35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256: B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512: 6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious: false
Reputation: low
Preview:

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{670F719A-BF21-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 30296
Entropy (8bit): 1.8554087455463077
Encrypted: false
SSDEEP: 192:r0ZQZT2fWit9ifI6QzMcIB6uD8sfq6tjX:rkAquaC1Zvr3
MD5: CBAA3A3EFF4A777266D36DC747AA4206
SHA1: 5260FC14EADD0212087881E9A5F5E4FCF31A1FFF
SHA-256: 9F297EDB8E51AA82A4D0F1415458791EAD42CAAB3D598ACB192485658D7D9191
SHA-512: 85C8CE91A500A837BB21F141EFD046BEE6E6E32FE60B1F7EE020C03F792926EB38B1371DE9C9929A838A4331112E9ADB70EF5768A99BA9FFA6FB2B1D28AE4FCC
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{670F719C-BF21-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 54342
Entropy (8bit): 2.2951586242035025
Encrypted: false
SSDEEP: 192:rsZfQ86mk8bj92eSWdMEGvE30EEUEOMbwSfbKytlKytxpyt5JPEOCbwSfbKytlKV:rsYHn8H0eRuEkBkWY4nY/+x1iP17
MD5: B43C2886360B6EF3FF68555A9BFA024D
SHA1: FE8137E65E6C19C51C96ACF49AC16D67E15253F4
SHA-256: 9E4FDA62D01CCC0EA376435E000DCB7575C45CF5F079C50B0FFEF4C5CC3B0CE0
SHA-512: E2962AC723B353EA4C7D5B72BA583A9BE0736012BE29898E0214988C3920E902C586646D3412733E348EC18023F664B19003326BFA3F2FBD7C621666EDE27B7D
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6ED5D810-BF21-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 16984
Entropy (8bit): 1.5650206774851874
Encrypted: false
SSDEEP: 48:IwPGcpreGwpaIG4pQYGrapbS6GQpKmG7HpRN2TGIpG:rFZWQY6mBSCART4A
MD5: 86421C61B02B8AD18D5029EABC152773
SHA1: A0A41CF1E19D3C902DDE975A532FE7134A3280B5
SHA-256: F24481EFB5B6FF1B9ED5FFF9DED82E79FE53AC6C3264E45478B249DA33E9ADE5
SHA-512: 952F7B974313C23C90BA722E914A5E22646555C384BC8EF21C569B736F50F59CC65BA01CE16EBCD3EBCD9F3CAB10DF61FBA4F412F238E8308B2222E5605B24C9
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 3838
Entropy (8bit): 6.56955106229656
Encrypted: false
SSDEEP: 48:MZZO56lKHQlYdIey71171171nKew74VuXdaq0j2p7aPSA:AV/y6x1x1xamSaqXU
MD5: 150DAC341E4C58A72683D85997F7E9B6
SHA1: 79A55F9A250A9811D64D8ACAD42F502F095B6C70
SHA-256: FE2256180B942AFC3E2C7FDC5A4B74E7EC97349BDCE1F4B05BF9F4B05C5CA6D5
SHA-512: 0DBA5769452D90F0091BBD6F19E119888C05E1D6BA090EA4884806F4842AB88B0C05249C7A8F3973199C526E80EABBDBBDD1E5AA86B6DE2E5F43A51481ABCE34
Malicious: false
Reputation: low
Preview: 7.h.t.t.p.s.:././.s.s.l...g.s.t.a.t.i.c...c.o.m./.a.t.a.r.i./.i.m.a.g.e.s./.p.u.b.l.i.c./.f.a.v.i.c.o.n...i.c.o.~...... h...... (...... @...... P>..P>..P>..P>..P>..P>..P>..P>. .P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>. .P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>...... P>..P>...... P>..P>..P>..P>..P>..P>...... P>..P>...... P>..P>..P >..P>..P>..P>...... P>..P>...... P>..P>..P>..P>..P>..P>...... P>..P>...... P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>. .P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>...... P>..P>..P>..P>..P>..P>...... P>..P >..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P>..P

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\1Q1UOLC9.js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Category: dropped
Size (bytes): 1041430
Entropy (8bit): 5.608262864534834
Encrypted: false
SSDEEP: 12288:w46ys5k09pJFNJPOzBWTF/iVtG08GLJWcBkIKG:wn3kGpJFNJWzBWTy808GLwdIx
MD5: 7BCC5FE647688E770B71011DFB1D3296
SHA1: A8230FE78B10F9DA80EC6976E2D158FF030A6283
SHA-256: E06A73B825B4258888F3474ABA2A3624569ED73E8790DF16758F424B446B2663
SHA-512: E0771F1BC9110913B1AF5FB16B24E795CEC5B7ABBAFB4536437CF0546F3B7E259BB9A28BF2E03A5B97A85DB5BDCE3206D44178C4A69D210F0A085DDB95ABF83B
Malicious: false
Reputation: low
Preview: "use strict";this.default_vw=this.default_vw||{};(function(_){var window=this;.try{._.n("MpJwZc");.._.y();..}catch(e){_._DumpException(e)}.try{._.n("n73qwf");.._.y();..}catch(e) {_._DumpException(e)}.try{._.n("A4UTCb");.._.y();..}catch(e){_._DumpException(e)}.try{._.n("qAKInc");.var QF=function(a){_.Hn.call(this,a.va);this.B=this.getData(" active").wb(!1);this.C=this.O("vyyg5");this.D=_.Mb(_.Nb(this).kc().Ua(function(){var b=this.aa();this.B?b.Ma("qs41qe"):b.Ma("sf4e6b");this.B&&this.C.hf(b.getData("loading message").string(""));this.B||setTimeout(this.rt.bind(this),500)}))};_.G(QF,_.Hn);QF.ja=_.Hn.ja;QF.prototype.Hb=function(){return this.B};QF.prototype.setActive=function(a) {_.xc(this.aa(),"data-active",a)};.QF.prototype.vk=function(a){var b=a.data.bv;switch(a.data.name){case "data-active":this.B="true"==b,this.D()}};QF.prototype.rt=function() {var a=this;_.Mb(_.Nb(this).Ua(function(){var b=a.aa();_.rn(b,"sf4e6b")&&(b.Ka("sf4e6b"),a.B||b.Ka("qs41qe"),a.C.hf(""),a.Ba(_.Dl))}))()};_.O(QF.p

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\KFOlCnqEu92Fr1MmEU9vAA[1].woff
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: Web Open Font Format, TrueType, length 65492, version 1.1
Category: downloaded
Size (bytes): 65492
Entropy (8bit): 7.991232185639051
Encrypted: true
SSDEEP: 1536:8o/13YBCGZQwcfqIq+Czw6UdcJaznRbmySbbxB8DtseIGoIix/uq:h/13Y4GZQxq+H6UdcJonRObbxgXIVpuq
MD5: 08926D7A008503F9C640B1772C225476
SHA1: 6A57DF5217D336599BDEC757772025BEB40C4536
SHA-256: C93F4332DAA92F95A2C2446599D6CF9E87B00B20D60DB827AF63B0E4A3FEB22B
SHA-512: 1EA8EB016DC4163F51F1CA7BE439E2C3468BE9B39BB5487FA93386E180DFFD88682FC5E2C5EB190C4CE274B92AFC24A4C331E298EE641B06B672036DC868220F
Malicious: false
Reputation: low
IE Cache URL: https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmEU9vAA.woff
Preview: wOFF...... GDEF...... -....p.m.GPOS...... &...VL.o?]GSUB..)...... u.]?OS/2...... S...`..cmap../...... v...cvt ..3....\...\1..Kfpgm..4....2...... $.gasp..54...... glyf..5@...... n.t...hdmx...\...P...... head...... 6...6...rhhea...... $....hmtx...... B.....K..loca...H...... maxp...... name...... :.post...... m.dprep...... S...)x...3..P. D.7..nb.Ul....f..V..N..Yo..w.z..*...... ;.&8...Nlqb..;.m.r.t.,..\s..7.]'.;...N.t.5o.;..N|.....'.H.i..B'.%..h....:....Fjb..9Qm....:...l{...v.....e.i....v.f...o.j.]..v.V..Zm.j....D.....).)#LBaj8c.{.Axc ...k.y!...b.X.V.Ul...... x...... x.^.i...... Q...;....\....Z"J..I.qI7J...V....x.R..]A...... G...m....E..2Nm.E.'/N..y.Z....F..!RE..F.w..k..L\.`..L]0y.....h...x!...9.7f...sD..fDk.BPI.wDL.:..s&..<.I|.4D... 5...'.B.R=.....I....~.H.t...*....g`F'..#....5...2..:.+.T.Y.2S!.Y..W.....L[.opD.."..QIrIfI.7....]..o.>.f...V...zK.}.P2..j..F7..h..q...... f..Wai.w.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\KFOlCnqEu92Fr1MmSU5vAA[1].woff
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: Web Open Font Format, TrueType, length 64952, version 1.1
Category: downloaded
Size (bytes): 64952
Entropy (8bit): 7.9912520031982375
Encrypted: true
SSDEEP: 1536:vsLyiY8Jcy8i1lkbl2evmqm8cgcoxIJ7uW3pqo:EL3Y/HbQeefGCJn3p3
MD5: 130EAFC23A987A6CF560C9B69AF84818
SHA1: 67274FA757715FA68CBA4E1E0105B89C30A2DF60
SHA-256: CBF6CB2430AE871620CA4BE54F689B7DD217793513F0DD0FB9529C4304B7AFE1
SHA-512: 4B6FBC55DFF9C76A4EBB30F8D342278127C6E7ACF7C32CC570636BC4ED29131D2152FDB8321921502E7D594FD1C5AEE34D6F1E51A6B4B7AA483182EBEC18338C
Malicious: false
Reputation: low
IE Cache URL: https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmSU5vAA.woff
Preview: wOFF...... GDEF...... -....p.m.GPOS...... "...N...}.GSUB..%...... u.]?OS/2..*....R...`....cmap..+8...... v...cvt ../....X...X/...fpgm..0....4...... ".gasp..1L...... glyf..1X...... p4)...hdmx...T...R...... head...... 6...6.Y.ihhea...... $...uhmtx...... H....S.U.loca...H...... Z)maxp...... \name...... |..9.post...... m.dprep...... :z/ .Wx...3..P.D.7..nb.Ul....f..V..N..Yo..w.z..*...... ;.&8...Nlqb..;.m.r.t.,..\s..7.]'.;...N.t.5o.;..N|.....'.H.i..B'.%..h....:....Fjb..9Qm....:...l{...v.....e.i....v.f...o.j.]..v.V..Zm.j....D.....).)#LBaj8c. {.Axc...k.y!...b.X.V.Ul...... x...... x.^.i...... Q...;....\....Z"J..I.qI7J...V....x...d.a.._.,....%.=.v'.|...N1...`.i.F...C.0.p`...... f....'*..@....|Z.h~..w...{...([email protected]{k...r.q n..U.wP..Vj..J?../..oz).UL!..a.D.[~)4.....J..y#.L.7..]...Z.3.o\.W..S....?...j.'^J..^.scp3...... nO...... z.t.4m.i..C..hy...... +=..&._:.he...z.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\KFOlCnqEu92Fr1MmWUlfBBc-[1].woff
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: Web Open Font Format, TrueType, length 20396, version 1.1
Category: downloaded
Size (bytes): 20396
Entropy (8bit): 7.974131663185347
Encrypted: false
SSDEEP: 384:SfXdUIIA0zhyKR28ePpAwxZ5M3py8wtshtdf45DEVTGdYb7H2Q/VEgm:Svdj0zhbRmjIQ8wtsV4lEVGdY3/i/
MD5: 68D6DABFE54E245E7D5D5C16C3C4B1A9
SHA1: 7FDAB895EAEBECEDB3FB5473EAB94A1B292CEF19
SHA-256: A01A632E56731A854F35701AA8C3A6A19A113290D9032FF9048F8064C45383BD
SHA-512: 44EB151F85178A2F9600E85AD43FAE470FABE0F247C9A03E67931B36028E600C7550D9DE2D69B3576A06577A5DEAF54822EE4BDC9DCBB47588D1972C8A959D43
Malicious: false
Reputation: low
IE Cache URL: https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff
Preview: wOFF...... O...... GDEF...... G...d....GPOS...... oGSUB...... OS/2...p...Q...`u...cmap...... #cvt ...... H...H+~..fpgm...$...3...._...gasp...X...... glyf...d..< ..l..C^]hdmx..H....m....03#7head..H....6...6...\hhea..I,...... $.&..hmtx..IL...... ".J.loca..K...... maxp..M...... 4..name..M...... ~..9.post..N...... m.dprep..N...... )* v60x...1..P...... [email protected])..N4C.\.51.3...... q.q.qu.O...OjC.cA...... R.x....%Y....Wm=..mo..k.m....rl...m.g"^..../..[.}.S...\.mD...1..G>..giz...=C..}.y....|o..c.x.R.r"B...... m...... /.&. /6..5D.AGX.....)<'.)....?.... .Y4>|1...ES.Gc...FO.>$.../...}RCl..T.zD..uZ4~D.._OK.$.Z.(..JR...\..\..\..\.\...... *'n..6:x...b,..$...?.g:./y.iLg.3..l.0.y.g..X..V...d.#O...0....b7{..>.n.iD.V....." e.\A..OR.kwp.].....6p..."ZE..%...e.u3..L..V...W.7b..L.3.L1K...Ts..$6.-b...... 9...b@..!1,...v.C....{...dox.G(...|a%E:.Fn.Nn.^n...... Sf..E)...k....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\KFOmCnqEu92Fr1Me5g[1].woff
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: Web Open Font Format, TrueType, length 65244, version 1.1
Category: downloaded
Size (bytes): 65244
Entropy (8bit): 7.991096421944703
Encrypted: true
SSDEEP: 1536:usLyiYRm7KcA16K7XxlQSa3DucaXhMBbGaDWz2e:xL3YMWcAM8Fa36vRhag
MD5: 73F26BF98A715ECAB4D2287FF3A02AD0
SHA1: C6C8A2B7E67C182D77916CD2118B1B0D8A6CA549
SHA-256: 55110586D3719C3E8BDAA21F06E4CC1C0A7451ABBAE662344CBD4411536B585F
SHA-512: 429C24A54FD35F9E7DFE341425BC88746BAE605DD3BB53E48679F0174312A2A8C0C29C2B138411118E8D2678258224FF50EF10FB460CEB4B010F2FA30FA40FE0
Malicious: false
Reputation: low
IE Cache URL: https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Me5g.woff
Preview: wOFF...... 0...... GDEF...... -....p.m.GPOS...... "...N...}.GSUB..%...... u.]?OS/2..*....R...`....cmap..+8...... v...cvt ../....T...T+...fpgm..0....5....w.`.gasp..1L...... glyf..1X...... u`..p6hdmx...T...R...... head...... 6...6.j.zhhea...... $....hmtx...... L...... 3rloca...L...... j..maxp...... name...... t.U9.post...... m.dprep...... I.f..x...3.. P.D.7..nb.Ul....f..V..N..Yo..w.z..*...... ;.&8...Nlqb..;.m.r.t.,..\s..7.]'.;...N.t.5o.;..N|.....'.H.i..B'.%..h....:....Fjb..9Qm....:...l{...v.....e.i....v.f...o.j.]..v.V..Zm.j....D.....).)#LBaj8c.{.A xc...k.y!...b.X.V.Ul...... x...... x.^.i...... Q...;....\....Z"J..I.qI7J...V....x...d.a.._.,....%.=.v'.|...N1...`.i.F...C.0.p`...... f....'*..@....|Z.h~..w...{...([email protected]{k...r. qn..U.wP..Vj..J?../..oz).UL!..a.D.[~)4.....J..y#.L.7..]...Z.3.o\.W..S....?...j.'^J..^.scp3...... nO...... z.t.4m.i..C..hy...... +=..&._:.he...z.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\home[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, UTF-8 Unicode text, with very long lines
Category: dropped
Size (bytes): 41322
Entropy (8bit): 5.75350923152592
Encrypted: false
SSDEEP: 384:mnGVAwWWj9w/PoXr2iRD/+8+5qz+lhkD+DHq+ViwT2GG+nD+qHBOB:vawW6aepWjqAkoHRFU+n3c
MD5: 69F405E8C7F1FF8D7793258512922964
SHA1: 43A485CFFA74F81235CB1C18085B5DF6FB655E89
SHA-256: 61EF595A6BE8CA7671BF7E14FD8E21D96E8EF1C240B84CAB862FBF8C50B0E456
SHA-512: 820D56FDC52EBA4EB465BD447E8CA48B07DA0EEDB574B50F15DF8AB8C5AFEFAF7716976429111DDECF61B62FF5C58550A48C61CBE836EC35F25422286E649A69
Malicious: false
Reputation: low
Preview: