ID: 200939 Cookbook: browseurl.jbs Time: 17:25:00 Date: 14/01/2020 Version: 28.0.0 Lapis Lazuli Table of Contents

Table of Contents 2 Analysis Report ://docs.zoho.com/file/io2ap787b5d0ad13c4bdd8a70ad6abae58caf 4 Overview 4 General Information 4 Detection 5 Confidence 5 Classification 5 Analysis Advice 6 Mitre Att&ck Matrix 6 Signature Overview 7 Phishing: 7 Networking: 7 System Summary: 7 Persistence and Installation Behavior: 7 Malware Configuration 8 Behavior Graph 8 Simulations 8 Behavior and APIs 8 Antivirus, Machine Learning and Genetic Malware Detection 8 Initial Sample 8 Dropped Files 8 Unpacked PE Files 8 Domains 9 URLs 9 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 9 Memory Dumps 9 Unpacked PEs 9 Sigma Overview 10 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 JA3 Fingerprints 10 Dropped Files 10 Screenshots 10 Thumbnails 10 Startup 11 Created / dropped Files 11 Domains and IPs 24 Contacted Domains 24 URLs from Memory and Binaries 24 Contacted IPs 27 Public 27 Static File Info 27 No static file info 27 Network Behavior 28 Network Port Distribution 28 TCP Packets 28 UDP Packets 29 DNS Queries 31 DNS Answers 31 HTTPS Packets 33

Copyright Joe Security LLC 2020 Page 2 of 43 Code Manipulations 41 Statistics 41 Behavior 41 System Behavior 41 Analysis Process: iexplore.exe PID: 5224 Parent PID: 700 41 General 41 File Activities 42 Registry Activities 42 Analysis Process: iexplore.exe PID: 5272 Parent PID: 5224 42 General 42 File Activities 42 Registry Activities 42 Analysis Process: iexplore.exe PID: 6048 Parent PID: 5224 42 General 42 File Activities 43 Disassembly 43

Copyright Joe Security LLC 2020 Page 3 of 43 Analysis Report https://docs.zoho.com/file/io2ap787b5d0ad13c4bdd 8a70ad6abae58caf

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli Analysis ID: 200939 Start date: 14.01.2020 Start time: 17:25:00 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 5m 58s Hypervisor based Inspection enabled: false Report type: light Cookbook file name: browseurl.jbs Sample URL: https://docs.zoho.com/file/io2ap787b5d0ad13c4bdd8a7 0ad6abae58caf Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, 63, Java 8.171, Flash 30.0.0.113 Number of analysed new started processes analysed: 9 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: EGA enabled Analysis stop reason: Timeout Detection: SUS Classification: sus22.phis.win@5/45@13/9 Cookbook Comments: Adjust boot time Enable AMSI Browsing link: https://help.zo ho.com/portal/community/topic/writer-ends-support- for-internet-explorer-versions-ie8-ie9-and-ie10 Browsing link: https://writer. zoho.com/writer/open/io2ap787b 5d0ad13c4bdd8a70ad6abae58caf#page=1 Browsing link: https://writer. zoho.com/writer/open/io2ap787b 5d0ad13c4bdd8a70ad6abae58caf#p age=1&zoom=auto,-73,792 Browsing link: https://split.to/uqMH3zd

Copyright Joe Security LLC 2020 Page 4 of 43 Warnings: Show All Exclude process from analysis (whitelisted): ielowutil.exe, HxTsr.exe, RuntimeBroker.exe, conhost.exe, backgroundTaskHost.exe, CompatTelRunner.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 92.122.253.130, 104.103.90.39, 152.199.19.161, 23.39.94.151, 40.90.22.191, 40.90.22.189, 40.90.22.190, 204.79.197.200, 13.107.21.200, 52.109.124.23 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.glo balredir.akadns.net, www.bing.com, prod- w.nexus.live.com.akadns.net, lgin.msa.trafficmanager.net, ie9comview.vo.msecnd.net, dual-a-0001.a- msedge.net, tile-service.weather.microsoft.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, e15275.g.akamaiedge.net, storeedgefd.xbetservices.akadns.net, login.msa.msidentity.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, a-0001.a- afdentry.net.trafficmanager.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, go.microsoft.com.edgekey.net, nexus.officeapps.live.com, e16646.dscg.akamaiedge.net, storeedgefd.dsx.mp.microsoft.com, cs9.wpc.v0cdn.net Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 22 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 3 0 - 5 true

Classification

Copyright Joe Security LLC 2020 Page 5 of 43 Ransomware

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Analysis Advice

Initial sample is implementing a service and should be registered / started as service

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Remote Initial Privilege Credential Lateral Command Network Service Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Valid Graphical User Winlogon Process Masquerading 1 1 Credential File and Application Data from Data Standard Eavesdrop on Remotely Accounts Interface 1 Helper DLL Injection 1 Dumping Directory Deployment Local Compressed Cryptographic Insecure Track Device Discovery 1 System Protocol 2 Network Without Communication Authorization Replication Service Port Accessibility Process Injection 1 Network Application Remote Data from Exfiltration Standard Exploit SS7 to Remotely Through Execution Monitors Features Sniffing Window Services Removable Over Other Non- Redirect Phone Wipe Data Removable Discovery Media Network Application Calls/SMS Without Media Medium Layer Authorization Protocol 1

Copyright Joe Security LLC 2020 Page 6 of 43 Remote Initial Privilege Credential Lateral Command Network Service Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects External Windows Accessibility Path Rootkit Input Query Windows Data from Automated Standard Exploit SS7 to Obtain Remote Management Features Interception Capture Registry Remote Network Exfiltration Application Track Device Device Services Instrumentation Management Shared Layer Location Cloud Drive Protocol 2 Backups

Signature Overview

• Phishing • Networking • System Summary • Persistence and Installation Behavior

Click to jump to signature section

Phishing:

Phishing site detected (based on logo template match)

HTML body contains low number of good

HTML title does not match URL

Invalid T&C link found

META author tag missing

META copyright tag missing

Networking:

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

Uses HTTPS

System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Spawns processes

Found graphical window changes (likely an installer)

Uses new MSVCR Dlls

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)

Copyright Joe Security LLC 2020 Page 7 of 43 Malware Configuration

No configs have been found

Behavior Graph

Hide Legend Legend: Process Signature Created File Behavior Graph

ID: 200939 DNS/IP Info URL: https://docs.zoho.com/file/... Is Dropped Startdate: 14/01/2020 Architecture: WINDOWS Is Windows Process Score: 22 Number of created Registry Values

Number of created Files Phishing site detected (based on logo template started match) Visual Basic

Delphi

iexplore.exe Java

.Net C# or VB.NET 3 89 C, C++ or other language

Is malicious

support.zoho.com help.zoho.com started started Internet

iexplore.exe iexplore.exe

4 60 33

docs.zoho.com support.zoho.com sylterhofroyalpvtltd.com computational-artichoke-w0ccsrpa5dv58ardn93ucggy.herokudns.com

8.39.54.105, 443, 49753, 49754 8.39.54.110, 443, 49763, 49764 11 other IPs or domains 199.79.62.144, 443, 49765, 49766 34.204.156.91, 443, 49761, 49762 split.to ZOHO-AS-ZOHOUS ZOHO-AS-ZOHOUS unknown unknown United States United States United States United States

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches Copyright Joe Security LLC 2020 Page 8 of 43 Domains

Source Detection Scanner Label Link zohostatic.com 0% Virustotal Browse computational-artichoke-w0ccsrpa5dv58ardn93ucggy.herokudns.com 0% Virustotal Browse .zohostatic.com 0% Virustotal Browse split.to 4% Virustotal Browse js.zohostatic.com 0% Virustotal Browse

URLs

Source Detection Scanner Label Link https://sylterhofroyalpvtltd.com/error/Hotmail%20SkyNet2/ 1% Virustotal Browse https://sylterhofroyalpvtltd.com/error/Hotmail%20SkyNet2/ 0% Avira URL Cloud safe https://js.zohostatic.com/writer3/Jan_14_2020_2/js/pdf.worker.js 0% Avira URL Cloud safe https://split.to/uqMH3zd) 0% Avira URL Cloud safe https://split.to/uqMH3zd 0% Avira URL Cloud safe https://writer.zooyalpvtltd.com/error/Hotmail%20SkyNet2/a70ad6abae58caf#page=1&zuid 0% Avira URL Cloud safe https://js.zohostatic.com/writer3/Jan_14_2020_2/js/zw_pdfpreview_part1.js 0% Avira URL Cloud safe https://writer.zoh 0% Avira URL Cloud safe https://writer.zoRoot 0% Avira URL Cloud safe https://writer.zom/writer/open/io2ap787b5d0ad13c4bdd8a70ad6abae58cafRoot 0% Avira URL Cloud safe https://sylterhofrqMH3zdoyalpvtltd.com/error/Hotmail%20SkyNet2/Root 0% Avira URL Cloud safe https://www.zohouniversity.com 0% Virustotal Browse https://www.zohouniversity.com 0% Avira URL Cloud safe https://writer.zouid 0% Avira URL Cloud safe https://www.zohowebstatic.com/sites/default/files/yes-tick.png); 0% Avira URL Cloud safe jedwatson.github.io/classnames 0% Virustotal Browse jedwatson.github.io/classnames 0% Avira URL Cloud safe https://js.zohostatic.com/writer3/Jan_14_2020_2/ 0% Avira URL Cloud safe https://writer.zoho.co 0% Avira URL Cloud safe https://sylterhofroyalpvtltd.com/error/Hotmail%20SkyNet2/a70ad6abae58caf#page=1&zoom=auto 0% Avira URL Cloud safe https://split.to/uqMH3zdRoot 0% Avira URL Cloud safe https://css.zohostatic.com/writer3/Jan_14_2020_2/styles/writer_preview_min_all.css 0% Avira URL Cloud safe https://help.zoho. 0% Avira URL Cloud safe https://us.zohomerchandise.com 0% Avira URL Cloud safe https://js.zohostatic.com/zohosecurity/v3/js/security_min.js 0% Avira URL Cloud safe www.wikipedia.com/ 0% Virustotal Browse www.wikipedia.com/ 0% URL Reputation safe https://sylterhofroyalpvtltd.com/error/Hotmail%20SkyNet2/.Sign 0% Avira URL Cloud safe https://writer.zom/writer/open/io2ap787b5d0ad13c4bdd8a70ad6abae58caf 0% Avira URL Cloud safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

Copyright Joe Security LLC 2020 Page 9 of 43 No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Copyright Joe Security LLC 2020 Page 10 of 43 Startup

System is w10x64 iexplore.exe (PID: 5224 cmdline: 'C:\Program Files\\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596) iexplore.exe (PID: 5272 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5224 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A) iexplore.exe (PID: 6048 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5224 CREDAT:82954 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A) cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\0QZMDP18\writer.zoho[1]. Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines, with no line terminators Size (bytes): 1863 Entropy (8bit): 5.014828638584959 Encrypted: false MD5: 403B4BFC8FC2842527E5114603D23EC3 SHA1: 3DC6B5BDD9A059BEAF7131924047BE9122960608 SHA-256: 24ABB8428D8BDD9AABD471679C03EC0C6FE8311CA4D5CE716A13E49AEAC67C9B SHA-512: F0C769F314C3C209E61828FC4F4243A47B25035D0BCC288696C0F05D5FEF6D23C432242765CCC91B4BC22D5DBF91822E58A7A59AD63B8CDD1774143789676828 Malicious: false Reputation: low

Copyright Joe Security LLC 2020 Page 11 of 43 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\0QZMDP18\writer.zoho[1].xml Preview: ..0xf5f0344c,0x01d5cb420x f5f0344c,0x01d5cb42....0xf5f0344c,0x01d5cb420xf5f23888, 0x01d5cb42..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe

Copyright Joe Security LLC 2020 Page 13 of 43 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 661 Entropy (8bit): 5.105980285773823 Encrypted: false MD5: 10C2929D5EAD9D19BE6E6DE0347BF340 SHA1: 8A18F9F8205DFF416FF048ED715E6DFAB739CA3E SHA-256: D050A072508FD4894E98908A2DB5B6F1006726DA7931DAA22F76C8299B022076 SHA-512: 4FA18AE07C65D0BA4751095A07138EFBDF2D3A5E5C25CCC278A22FC4EDEE315B38DF8707D1668CF5D9ACF35FA1D0BFA0498A964B2B94ECE2491EDE2830885E B2 Malicious: false Reputation: low Preview: ..0xf5b51a0d,0x01d5cb420xf5b51a0d,0x01d5cb42....0xf5b51a0d,0x01d5cb420xf5b51a0d,0x01d5cb42..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 670 Entropy (8bit): 5.12810571644134 Encrypted: false MD5: 071A008AD99C2CE70347FB93980BB4B6 SHA1: FF571531CE4D0FE75B9010AB30B80C3D4F5FC66A SHA-256: 3D62E23772E570D0F7C1A86484B0052798F19669D0150ED635BBC7A631A47DFF SHA-512: F43083281FECE24FB611EDBB7E00F35E59F13559D73687160D026BD56E9763FA742D7D0CFE6E04F2E679E8984F3C54D10CEF0C363B30D03977AB8A1A5BE3F119 Malicious: false Reputation: low Preview: ..0xf6027b4a,0x01d5cb42 0xf6027b4a,0x01d5cb42....0xf6027b4a,0x01d5cb420xf60a0fea,0x01d5cb42..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 655 Entropy (8bit): 5.128624010054305 Encrypted: false MD5: 76B6D6029F41201C0D38F4F0B74EACB9 SHA1: 2890FA35B67E63CF0302F3B063F67E24B83FD647 SHA-256: C7BC4F6C3C1E7F3492743543CF8074F287E98F1ADE298C5F33841331CCFD1CA1 SHA-512: 0A3BE332DA7DA615A530BD33407E650DBF362ACB0AA51F141BD44127D3EB78A7BCD18903BAA5333EDF93A780B83EB0014229010A6072BAB5691901F6BB57916 9 Malicious: false Reputation: low Preview: ..0xf5e236a7,0x01d5cb420xf5e236a7,0x01d5cb42....0xf5e236a7,0x01d5cb420xf5e53 c17,0x01d5cb42 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 664 Entropy (8bit): 5.157489009250727 Encrypted: false MD5: 02A0AB39EA91182FCAF0B5E6846356F5 SHA1: 043F274B333AB289996F8C26C0AADF753A966C53 SHA-256: 94EF2B2956C756A1FA3B01C386BDF917C48DD98CAF76021B854791B0005FF00C SHA-512: 544D6453135C03F23487D6E2D90FC308617458C6B633DECC0684608E400EC26947502C5E9A2AA1370FCE38691B17A716D3BAF17D390C7325A1F0F29FF0DDB5B5 Malicious: false Reputation: low

Copyright Joe Security LLC 2020 Page 14 of 43 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Preview: ..0xf61969f0,0x01d5cb42< accdate>0xf61969f0,0x01d5cb42....0xf61969f0,0x01d5cb420 xf61f600a,0x01d5cb42 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 661 Entropy (8bit): 5.096353954248279 Encrypted: false MD5: 47315FBCF249A722F3C3A60396883EB2 SHA1: BAE1B82AD578520BA23A6C22DF71EBB3B0AFD2A0 SHA-256: F81D1FB64AC50EC5518B4B25B1ECF44DFB15B42FBD1CDE7CA0A62F5AE1B3B5FE SHA-512: 743F1E3F0E547C4AAFD98A76CCE33A774CE5DCA7AD330A76BF111058525FE27EF20B0035E85253A39A34BAB001AE7AE691808C1091B2FF892C7BBCC0E6D04E2 B Malicious: false Reputation: low Preview: ..0xf5eca424,0x01d5cb420xf5eca424,0x01d5cb42....0xf5eca424,0x01d5cb420xf 5efd7d8,0x01d5cb42 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 664 Entropy (8bit): 5.139271542404559 Encrypted: false MD5: 416513EC28EEDC33EF8EDA6E1645A089 SHA1: 0A18850D077238B9331CBF4BD7C67216772DF186 SHA-256: 025D0A9652D943562FC80C0C6363C682779067C93A4863224E05DE22AA222A4E SHA-512: FE237DEF1BA46D3081AD6AAD3759D3642A27F95975260D1864A16765281EA1B1523839142E1DB49E1022A24480D61DC3D2E1B41BD7AF481241C85447CE502221 Malicious: false Reputation: low Preview: ..0xf5e911bb,0x01d5cb42< accdate>0xf5e911bb,0x01d5cb42....0xf5e911bb,0x01d5cb420 xf5eac3bd,0x01d5cb42 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 667 Entropy (8bit): 5.103695187026407 Encrypted: false MD5: 75DA5349FADAA7AB2A430814ED6AF8CA SHA1: D0D177870C05648A6DB6049CB08031A03FF48419 SHA-256: D5172F6D0975E1E770C84214C9BEF637FD05D13B6427FEB0AE4100CA6FA823CE SHA-512: AE80A9BEF17B9373F12EB34B8DA2C4CC869893947B0D3117BABABC92AF1C558AA4B1FC2EA2720858639503DAD8FA7E0E209E51DECED8F56D3ED22A36752A39 0C Malicious: false Reputation: low Preview: ..0xf5ba5200,0x01d5cb42 0xf5ba5200,0x01d5cb42....0xf5ba5200,0x01d5cb420xf5d32d4c,0x01d5cb42..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 661 Entropy (8bit): 5.094505055030128 Copyright Joe Security LLC 2020 Page 15 of 43 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Encrypted: false MD5: D3326A51CD1CF2925AB3E4233277E95D SHA1: A52E41D37E88406585CF54F0DC5B7011BE6C2AFC SHA-256: 0EFBE4AE6ADD2F24BAA828916A4BC168C08D18586B209C833C481E627F49B45F SHA-512: A2BA24A76E678A8665F90558F622F7188B622CA982640D8C678620A8A3A2A297C670164CBCD9CC65368434DC0D377E348436C0D567B7F9AE39E6EEABB1547E61 Malicious: false Reputation: low Preview: ..0xf5db341e,0x01d5cb420xf5db341e,0x01d5cb42....0xf5db341e,0x01d5cb420xf 5dd33a1,0x01d5cb42 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\typalil\imagestore.dat Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: data Size (bytes): 18141 Entropy (8bit): 5.0336633663358565 Encrypted: false MD5: 143BEB0C37F1ADA3E671F0BF6B919AF5 SHA1: 3657143805F637FBEC796DF7CE26CE92E4CE6005 SHA-256: 5D351A1AB564A5467727CDF6AD7C3EB6910C576ECF8193984B2B89B8758249FE SHA-512: EEFE7FA9942114ACF98F7A6863EABF3983EFD5172756F1372A5711C093612F333DF0EBEFC0F80556E76A910BA37B9F4071607DDA48C8DE2551C444A4002F9786 Malicious: false Reputation: low Preview: #.h.t.t.p.s.:././.w.r.i.t.e.r...z.o.h.o...c.o.m./.f.a.v.i.c.o.n...i.c.o..%...... 00...... %...... (...0...`...... $...... -...A...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C.. .C...C...C...<...... -...... d...... ]...... '...... [......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\footer[1].htm Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: UTF-8 Unicode text Size (bytes): 6251 Entropy (8bit): 4.697962580941477 Encrypted: false MD5: 77EFE521A3C261273D1B5B47D8074818 SHA1: 3747FBA2F5453600E1C68039BE9493879D23F468 SHA-256: 3134DB8918F52595D921738A7D48412638E4918C7C2E7C757AF46454E54FB6E3 SHA-512: 55641617B8C5D0E153C71B7084E4024D33B30C0CCB3CEB8429C2077BD5411E8354C91AF9693A5BB3CF06448EB49C026914F9F30DD923BBB51F6991FA6622546C Malicious: false Reputation: low Preview:

...
Follow us on:
...
. .
....
....
...
..
.
.
.
.
.
.

Apps

.
.
.
.
. . ${CompanyName} .
.
.
. .
.
.
    .
  • ${Home}
    • .
  • ${MyRequests}
    • .
  • ${KnowledgeBase}
    • .
  • Writer....favicon[1].ico Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel Size (bytes): 15086 Entropy (8bit): 4.230016730871105 Encrypted: false MD5: CC78777FB41EEC04A432F96D8192D5C1 SHA1: 70DE1826A2CA17C1BE8184EA9DD5F0911678FD6A SHA-256: ADE637F2BF96E65EA9B759DCCBF115AAF72812DAEA5771687E634B4BAEAE2CCE SHA-512: 7E014F3E191F1E51243D0CA7547E5C91AD9B8834C2DE1CF83FB11CAA457ACB26DED88A4C72CAA42BE4BCAE4F6DD5312F268EEF5E4D8D98EB848EF5A3F1B7E 424 Malicious: false Reputation: low Preview: ...... 00...... %..6...... %...... h....6..(...0...`...... $...... -...A...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...C...<...... -...... d...... ]...... '...... [......

    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KRHE4CQY\react.vendor[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: UTF-8 Unicode text, with very long lines Size (bytes): 184489 Entropy (8bit): 5.319085156577124 Encrypted: false MD5: 51F0599592D31F7BF867201840106D6D SHA1: FA70AABE68EFAD1AC199B85A6FBE6C953AC399CF SHA-256: FCBB40D01F9616554A7C8378E9DD248AEE49886EE0FF622CAB1FA3F240CF059F SHA-512: 878739C66E09DB25617BBA6248824417BEFB8392740ED7003108E3058D4737E98578823721D9CC92DC4EDE2168EC1F7C52A0DBD1B99BEC31883A7861F16FDD29 Malicious: false Reputation: low Preview: !function(e){function t(n){if(r[n])return r[n].exports;var o=r[n]={i:n,l:!1,exports:{}};return e[n].call(o.exports,o,o.exports,t),o.l=!0,o.exports}var n=window.jsonpHelpC enterTheme3;window.jsonpHelpCenterTheme3=function(r,i,a){for(var s,u,l,c=0,p=[];c

    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KRHE4CQY\security_min[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines, with no line terminators Size (bytes): 56429 Entropy (8bit): 5.524527131271104 Encrypted: false MD5: 0FEE5064DED33778C4F466B2DFA7DE92 SHA1: 6CD0391C2DD67C8DE33212111D4F41E6014F20CF SHA-256: 4E7DDAD98A784378D11F0388C0B9AB1F57B9836B7FF7DC2379D465CEF594DB0B SHA-512: DC041CCEBE8F5D882AE30CC81F2CCBA4E829419957127C33E049ACE07853300F76151669DE909C56185DA85556EE9EE0945807440835B00C0C8643B58665486A Malicious: false Reputation: low Preview: "use strict";if(window.ZSEC||Object.defineProperty(window,"ZSEC",{value:{},writable:!1,configurable:!1,enumerable:!1}),Object.defineProperty(ZSEC,"util",{value:{},writabl e:!1,configurable:!1,enumerable:!1}),function(){if(!Object.defineProperty||!function(){try{return Object.defineProperty({},"x",{}),!0}catch(e){return!1}}()){var orig=Obje ct.defineProperty;Object.defineProperty=function(o,prop,desc){if(orig)try{return orig(o,prop,desc)}catch(e){}if(o!==Object(o))throw TypeError("Object.defineProperty called on non-object");return Object.prototype.__defineGetter__&&"get"in desc&&Object.prototype.__defineGetter__.call(o,prop,desc.get),Object.prototype.__defineSette r__&&"set"in desc&&Object.prototype.__defineSetter__.call(o,prop,desc.set),"value"in desc&&(o[prop]=desc.value),o}}}(),ZSEC.util.defineProperty=function(obj,pro perty,value,isOverrideDefaultValue,isWritable,isConfigurable,isEnumerable){if(isOverrideDefaultValue||!(property in obj))return isWritable=1==isWritable,isConfigurable=1=

    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KRHE4CQY\vendor[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: UTF-8 Unicode text, with very long lines Size (bytes): 1655750

    Copyright Joe Security LLC 2020 Page 20 of 43 C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KRHE4CQY\vendor[1].js Entropy (8bit): 5.612150092759802 Encrypted: false MD5: 40E834DA26E15C25657D1F9AA08363ED SHA1: A36F87270CFE667696B439D25D69D050C6EC8BEB SHA-256: E2B3F7A28B168B24200B2E05058ED739C16AE73DAF240B31417927D7F80531FE SHA-512: 87B14815C3B8D6E0803885B9A71782E3FD0FCFC98F056961CBC50E6624D1E320C37C7F9B56FAD2E11AC0FABACCE3973C67B8B40CCD88210B8CA3EE4E0C46FC F8 Malicious: false Reputation: low Preview: ,e}function p(e,n,c,t){return vn(e,n,c,t,!0).utc()}function f(){return{empty:!1,unusedTokens:[],unusedInput:[],overflow:-2,charsLeftOver:0,nullInput:!1,invalidMonth:null, invalidFormat:!1,userInvalidated:!1,iso:!1,parsedDateParts:[],meridiem:null,rfc2822:!1,weekdayMismatch:!1}}function l(e){return null==e._pf&&(e._pf=f()),e._pf}function d(e) {if(null==e._isValid){var n=l(e),c=Tt.call(n.parsedDateParts,function(e){return null!=e}),t=!isNaN(e._d.getTime())&&n.overflow<0&&!n.empty&&!n.invalidMonth&&!n.invalidW eekday&&!n.weekdayMismatch&&!n.nullInput&&!n.invalidFormat&&!n.userInvalidated&&(!n.meridiem||n.meridiem&&c);if(e._strict&&(t=t&&0===n.charsLeftOver&& 0===n.unusedTokens.length&&void 0===n.bigHour),null!=Object.isFrozen&&Object.isFrozen(e))return t;e._isValid=t}return e._isValid}function b(e){var n=p(NaN);return null!=e?s(l(n),e):l(n).userInvalidated=!0,n}function A(e,n){var c,t,o;if(r(n._isAMomentObject)||(e._isAMomentObject=n._isAMomentObject),r(n._i)||(e._i=n._i),r(n._f)||( e._f=n._f)

    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QESP4GEJ\Payment Confirmation[1] Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: PDF document, version 1.4 Size (bytes): 50912 Entropy (8bit): 7.31113859683019 Encrypted: false MD5: 3F12FFAB1B3BA3BF00696695A35F284B SHA1: C34905ECAC52C4B967801BB5ABE06346C262EC8F SHA-256: 9764372489A9C36C6BC57D80AC0B949E2D68A7C779A663542938B9730200A043 SHA-512: C2FB066E61BD449F995A69CDCA39F8A66323F207B9C6DCD1ACAE2E9C750A70235E78C66D213E3DC56CBB9654F0CC958BA685C2312D91715FDDE2B04959A0895 1 Malicious: false Reputation: low Preview: %PDF-1.4.%...6 0 obj.<>.stream.x..OA..0....+.5.&M{.}@%..j[...... [email protected]..=.1b.h.s.._.14...:...RG...... Z.H..r.nd...\.L.....U*..... A...8.~hp..N..L..g...#...P...S...... C.<.endstream.endobj.7 0 obj.169.endobj.5 0 obj.<>./Annots[4 0 R]/Contents 6 0 R.>>.endobj.3 0 obj.<< /Type /Pages /Kids [.5 0 R.] /Count 1./Rotate 0>>.endobj.1 0 obj.<>.endobj.4 0 obj.<>./File 4./Subtype/Link>>endobj.8 0 obj.<>endobj.9 0 obj.<<./Registry(Adob e)./Ordering(Identity)./Supplement 0.>>.endobj.14 0 obj.<>.endobj.15 0 obj.<>.endobj.13 0 obj.<

    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QESP4GEJ\Zoho-favicon[1].png Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced Size (bytes): 2447 Entropy (8bit): 7.89590017944309 Encrypted: false MD5: 90FCE1CEC9AC86A91CDF6F2D5F82E500 SHA1: D888B3C5F3DEAF89047C8186D9F44A0AB0C47387 SHA-256: 6F5DEB4A4FD98C6EDA74B95AFF9A28751606E1BBB0ABA423DE2F72D55F55317E SHA-512: C98149FCD8F01569CE1FC98EE2B3C8831154166A34A3DDCAC6366FBB2C686FC33521E625BDC8D7EA1F70499C556CDE6AD11418FAF9DCA204DCE395878B99830 0 Malicious: false Reputation: low Preview: .PNG...... IHDR...0...0.....W...... VIDATh..YM.^W.~.9.Nf23i@...\..$+.L.B*V]jT.I.u."Rm..$.]hf...Kkw..Qq!h7...5...h..23.N...<..7..}g..$..3..;.y....w...... ].?...m...xh.#j..w.....<\Np...i.l.. _@s.,...... !9...... D..E..y...... vV~...... *....9$8.?....3./..7...3....SP.3:R..%...... 1.K...... @y.\@.4.t....98dP....G..>C..m.(..,..+.*...<..:.>..p..h...b..i).%.?2.~..\U. [email protected].. .\...4B...W3e..)...H.#NBo.GO!8:^F.U.h...... #.].. .Tj..-..Y...QH..$....t#....3..S.0@...{.l.....T.3|...U0R;.u...... P...\G.=.s.`&..r.B4.".^..*!..6.B.(d...... "|..q..0..7...%..;.a.).+....c#{..=....8... .2.v...... @..0....*.R...... {.g...... Gf...E....O?+.d...\[email protected].$.&... 5...Z.....c.....I...... wd2.&}.h..../I...B]o.....\...4.P.M.I.....<....8.s#..G.../...... |.K...... J...%.Nb.n.I....<#5...\ .\..o.,p.....>..A&...F..f....v..>.-..x&.10~..I.Y0...... 433...... Gi....v.C..U.n....)%.D.%...xrt.\B..&...... B;;....h..H.>Q...t...*lm..U=#~2..Py .=..r....V

    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QESP4GEJ\bg-small[1].jpg Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: [TIFF image data, big-endian, direntries=7, xresolution=98, yresolution=106, resolutionunit=2, software=paint.net 4.0.13], baseline, precision 8, 50x28, frames 3 Size (bytes): 5590 Entropy (8bit): 7.743536000346562 Encrypted: false MD5: 49AB019CAF9EBBA9767A0E372DD495B7 SHA1: E4E5BD47B41BB7BA6A423A89934C180384BD1299 SHA-256: C5A6B4FDCA6EA52215866516595DE8D1A65192AC4A87F6333874C9185B655E6B SHA-512: C56B9D7A4BD8196F82841B8A4756D5FE049AF2F0A0566D953503CA93968073E830EB3EDD6BF1068C703DB5A6AB9A7A442A8200E56C339FBE7018B99767E3B5DF Malicious: false Copyright Joe Security LLC 2020 Page 21 of 43 C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QESP4GEJ\bg-small[1].jpg Reputation: low Preview: ...... JFIF.....`.`...... Exif..MM.*...... b...... j.(...... 1...... rQ...... Q...... Q...... `...... `....paint.net 4.0.13.....C...... $ &%# #"(-90(*6+" #2D26;=@@@&0FKE>J9?@=...C...... =)#)======...... 2.."...... }...... !1A..Qa."q.2....#B...R..$3br...... %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...... w...... !1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...... ?..ou..2.m.t.0....jn...?Z...:.? zB.R...Q.;..ku....A...... 6..H.A~Gz....-.'.u...... T....$V-..?8.7..^..W.....x..\.=.U.U{.(S.z...?...... s.Hv2b...MZ...}.=j.fr.4...... '..nM.k.im.0.!.\HQW-!oj.#...zW..+..k&.....C..9#.M.+.[..'$

    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QESP4GEJ\io2ap787b5d0ad13c4bdd8a70ad6abae58caf[1].htm Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: HTML document, ASCII text, with very long lines Size (bytes): 17823 Entropy (8bit): 5.1218106283245115 Encrypted: false MD5: F956558C486139EFA2ED1D989A49CDE6 SHA1: FE82FD9E90AD4D72228AD0D8867CC900E78746FC SHA-256: B10A3EDC8A939B3D8F655B52B91F4D51D3FD882DAADAABF94C87ACCE70F84714 SHA-512: 84BAF6A3AD7C6644F7F9EC0CE0EA98F1B92702B113EAB933CB8D4A6149DD83E60FE1A298CBFC286B1A9D2F4198664B687FC2761AAB152F8FC2AC9B1D1E2D7D 97 Malicious: false Reputation: low Preview: .. ..Writer.