ID: 208940
Sample Name: cross-selling-email-examples[1].htm
Cookbook: defaultwindowshtmlcookbook.jbs
Time: 05:10:16
Date: 18/02/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

  Table of Contents ... 2
  Analysis Report cross-selling-email-examples[1].htm ... 4
    Overview ... 4
      General Information ... 4
      Detection ... 5
      Confidence ... 5
      Classification ... 6
      Mitre Att&ck Matrix ... 6
      Signature Overview ... 7
        Phishing ... 7
        Networking ... 7
        System Summary ... 7
        Stealing of Sensitive Information ... 8
      Malware Configuration ... 8
      Behavior Graph ... 8
      Simulations ... 8
        Behavior and APIs ... 8
      Antivirus, Machine Learning and Genetic Malware Detection ... 9
        Initial Sample ... 9
        Dropped Files ... 9
        Unpacked PE Files ... 9
        Domains ... 9
        URLs ... 9
      Yara Overview ... 9
        Initial Sample ... 9
        PCAP (Network Traffic) ... 9
        Dropped Files ... 9
        Memory Dumps ... 9
        Unpacked PEs ... 9
      Sigma Overview ... 10
      Joe Sandbox View / Context ... 10
        IPs ... 10
        Domains ... 10
        ASN ... 10
        JA3 Fingerprints ... 11
        Dropped Files ... 11
      Screenshots ... 11
        Thumbnails ... 11
    Startup ... 12
    Created / dropped Files ... 12
    Domains and IPs ... 26
      Contacted Domains ... 26
      Contacted URLs ... 26
      URLs from Memory and Binaries ... 26
      Contacted IPs ... 27
        Public ... 27
    Static File Info ... 27
      General ... 27
    Network Behavior ... 28
      Network Port Distribution ... 28
      TCP Packets ... 28
      UDP Packets ... 30
      ICMP Packets ... 31
      DNS Queries ... 31
      DNS Answers ... 31
      HTTP Request Dependency Graph ... 32
      HTTP Packets ... 32
    Code Manipulations ... 61
    Statistics ... 61
      Behavior ... 61
    System Behavior ... 62
      Analysis Process: iexplore.exe PID: 4400 Parent PID: 700 ... 62
        General ... 62
        File Activities ... 62
        Registry Activities ... 62
      Analysis Process: iexplore.exe PID: 4372 Parent PID: 4400 ... 62
        General ... 62
        File Activities ... 62
        Registry Activities ... 63
    Disassembly ... 63

Copyright Joe Security LLC 2020

Analysis Report cross-selling-email-examples[1].htm

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 208940
Start date: 18.02.2020
Start time: 05:10:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 30s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: cross-selling-email-examples[1].htm
Cookbook file name: defaultwindowshtmlcookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus22.spyw.winHTM@3/48@6/2
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .htm
  Browsing link: file:///C:/Users/user/Desktop/index.php?dir=%2Fhome%2Fc523qufvxxey%2Fpublic_html%2F

Warnings:
  Max analysis timeout: 720s exceeded, the analysis took too long
  HTTP Packets have been reduced
  TCP Packets have been reduced to 100
  Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, TiWorker.exe, wermgr.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, svchost.exe, TrustedInstaller.exe
  Excluded IPs from analysis (whitelisted): 92.123.10.235, 172.217.23.202, 152.199.19.161, 40.90.137.125, 40.90.137.120, 40.90.23.206, 51.105.249.223, 172.227.172.60, 92.123.22.114, 92.122.213.201, 92.122.213.217, 51.143.111.7, 20.44.86.43, 13.107.4.50, 93.184.221.240, 67.26.137.254, 67.26.139.254, 8.248.123.254, 67.27.233.126, 8.248.131.254
  Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, am3p.wns.notify.windows.com.akadns.net, 2-01-3cf7-0009.cdx.cedexis.net, Edge-Prod-FRA.env.au.au-msedge.net, a767.dspw65.akamai.net, wns.notify.windows.com.akadns.net, e15275.g.akamaiedge.net, wu.azureedge.net, cdn.onenote.net.edgekey.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, login.live.com, emea1.notify.windows.com.akadns.net, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, fonts.googleapis.com, client.wns.windows.com, ie9comview.vo.msecnd.net, wu.ec.azureedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, ipv4.login.msa.akadns6.net, download.windowsupdate.com, login.msa.msidentity.com, afdap.au.au-msedge.net, download.windowsupdate.com.edgesuite.net, au.au-msedge.net, go.microsoft.com.edgekey.net, e1553.dspg.akamaiedge.net, au.c-0001.c-msedge.net, login.msa.akadns6.net, cs9.wpc.v0cdn.net
  Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy: Threshold
Score: 22
Range: 0 - 100
Reporting: (graphic score bar, not reproduced in this extract)
Whitelisted: false
Detection: SUS (as stated under General Information)

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false
Confidence: (graphic confidence bar, not reproduced in this extract)

Classification

Classification graph (figure not reproduced in this extract): the sample is rated suspicious with a score of 22. Categories on the graph: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Levels: malicious, suspicious, clean.

Mitre Att&ck Matrix

The matrix lists the techniques shown per tactic column; a number in parentheses is the count the report attaches to a technique matched by this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Graphical User Interface (1); Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information (1); Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Network Share Discovery (1); File and Directory Discovery (1); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote File Copy (2); Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Uncommonly Used Port (1); Standard Non-Application Layer Protocol (3); Standard Application Layer Protocol (3); Remote File Copy (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Signature Overview

• Phishing
• Networking
• System Summary
• Stealing of Sensitive Information


Phishing:

HTML title does not match URL

Non-HTTPS page querying sensitive user data (password, username or email). The sample was opened from a file:// path (see the Browsing link under General Information), so the page itself is never served over HTTPS and this signature fires for any saved credential-collecting page; the form's action URL (next signature) is the more telling indicator.

Suspicious form URL found

META author tag missing

META copyright tag missing
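The four phishing signatures above are static checks on the HTML itself. The following is an added example, not Joe Sandbox code, that applies the same heuristics to a document with Python's standard-library HTML parser: title words versus the page hostname, credential-style form fields posted over plain HTTP or to a different host, and missing author/copyright META tags. The sample page, its URL and the collector hostname are constructed placeholders, and the title/hostname comparison is a simplified stand-in for whatever matching the sandbox actually uses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input field types/names that indicate credential or identity collection.
SENSITIVE_FIELD = re.compile(r"pass|pwd|user|login|e-?mail", re.I)


class PageFacts(HTMLParser):
    """Collect the title, <meta name=...> tags and form fields of a document."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.meta_names = set()
        self.forms = []
        self._in_title = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            ident = " ".join(v for v in (a.get("type"), a.get("name"), a.get("id")) if v)
            self._form["fields"].append(ident)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def triage_html(html, page_url):
    """Apply the four phishing heuristics and return the ones that fire."""
    facts = PageFacts()
    facts.feed(html)
    findings = []
    page = urlparse(page_url)
    host = page.hostname or ""

    # Title vs URL (simplified): none of the title's longer words occur in the hostname.
    words = [w for w in re.findall(r"[a-z0-9]+", facts.title.lower()) if len(w) > 3]
    if words and not any(w in host for w in words):
        findings.append("HTML title does not match URL")

    for form in facts.forms:
        if not any(SENSITIVE_FIELD.search(f) for f in form["fields"]):
            continue
        action = urlparse(urljoin(page_url, form["action"]))
        if page.scheme != "https" or action.scheme != "https":
            findings.append("Non-HTTPS page querying sensitive user data")
        if action.hostname and action.hostname != host:
            findings.append("Suspicious form URL found: " + action.geturl())

    for name in ("author", "copyright"):
        if name not in facts.meta_names:
            findings.append(f"META {name} tag missing")
    return findings


# Constructed sample: a credential form posting off-host over plain HTTP.
# Hostnames are placeholders, not URLs taken from the report.
SAMPLE_URL = "http://example.test/login.html"
SAMPLE_HTML = """<html><head><title>Office 365 Sign in</title>
<meta name="viewport" content="width=device-width"></head>
<body><form method="post" action="http://collector.example.net/post.php">
<input type="email" name="user"><input type="password" name="pass">
<input type="submit" value="Sign in"></form></body></html>"""

if __name__ == "__main__":
    for finding in triage_html(SAMPLE_HTML, SAMPLE_URL):
        print(finding)
```

Running it on the constructed page produces all five findings; a page whose title names its own host, posts over HTTPS to the same host and carries both META tags produces none.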

Networking:

Detected TCP or UDP traffic on non-standard ports

Downloads compressed data via HTTP

Downloads files from webservers via HTTP

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Spawns processes

Found graphical window changes (likely an installer)

Uses new MSVCR Dlls

Stealing of Sensitive Information:

Opens network shares

Malware Configuration

No configs have been found

Behavior Graph

Legend (ID: 208940; Sample: cross-selling-email-examples[1].htm; Startdate: 18/02/2020; Architecture: WINDOWS; Score: 22): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet.

Graph contents (figure not reproduced in this extract):
  iexplore.exe (parent), node counters 3 / 84; it started a second iexplore.exe, node counters 1 / 66.
  DNS/IP nodes: cdn.onenote.net; alishkexports.com; www.topshellv.com.
  IP nodes reached through the Internet node, laid out left to right under www.topshellv.com and alishkexports.com: 104.24.118.83 (ports 49787, 49788, 80; ASN unknown; United States) and 166.62.28.122 (ports 139, 445, 49789; ASN unknown; United States).
  Signature attached to the graph: Opens network shares.
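The Networking signatures above ("Detected TCP or UDP traffic on non-standard ports") and the "Opens network shares" signature on the graph both derive from the IP nodes' port lists. The following is an added example, not part of the report or of Joe Sandbox, that triages such records: it separates the sandbox's ephemeral client ports (49152 and up on Windows) from destination ports, ignores non-global addresses, and flags SMB (139/445) egress from a browser process to an Internet host separately from other non-web ports. The set of process names treated as browsers is an assumption; the two input records are the IP nodes printed in this report's behavior graph.

```python
import ipaddress

# Windows dynamic (ephemeral) client port range starts at 49152; a port at or
# above it on a graph node is the sandbox side of the connection, not a service.
EPHEMERAL_MIN = 49152
WEB_PORTS = {80, 443}
SMB_PORTS = {139, 445}
# Assumption: process names treated as browsers for the SMB-egress check.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def parse_record(line):
    """Parse 'ip, port, port, ...' as printed on a behavior-graph IP node."""
    fields = [f.strip() for f in line.split(",")]
    ip = ipaddress.ip_address(fields[0])
    ports = [int(f) for f in fields[1:]]
    dst_ports = sorted(p for p in ports if p < EPHEMERAL_MIN)
    src_ports = sorted(p for p in ports if p >= EPHEMERAL_MIN)
    return ip, dst_ports, src_ports


def triage_connections(process, records):
    """Return (signature, ip, port) tuples for connections worth a closer look."""
    findings = []
    for line in records:
        ip, dst_ports, _ = parse_record(line)
        if not ip.is_global:
            continue  # private, loopback or reserved ranges are out of scope here
        for port in dst_ports:
            if port in SMB_PORTS and process.lower() in BROWSERS:
                # A browser speaking SMB to an Internet host is what "Opens network
                # shares" flags; such a host can solicit NTLM authentication.
                findings.append(("Opens network shares", str(ip), port))
            if port not in WEB_PORTS:
                findings.append(("Detected TCP or UDP traffic on non-standard ports", str(ip), port))
    return findings


# Constructed input: the two IP nodes from this report's behavior graph.
GRAPH_RECORDS = [
    "104.24.118.83, 49787, 49788, 80",
    "166.62.28.122, 139, 445, 49789",
]

if __name__ == "__main__":
    for sig, ip, port in triage_connections("iexplore.exe", GRAPH_RECORDS):
        print(f"{sig}: iexplore.exe -> {ip}:{port}")
```

For these records only the 166.62.28.122 node produces findings: port 80 to 104.24.118.83 is ordinary web traffic, while 139 and 445 each raise both the non-standard-port and the SMB-egress flag.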

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source: www.topshellv.com; Detection: 0%; Scanner: Virustotal
Source: alishkexports.com; Detection: 1%; Scanner: Virustotal
Source: cdn.onenote.net; Detection: 1%; Scanner: Virustotal

URLs

www.topshellv.com/ : 0% Virustotal; 0% Avira URL Cloud (safe)
https://wa.me/ : 0% Virustotal; 0% Avira URL Cloud (safe)
daneden.me/animate : 0% Virustotal; 0% URL Reputation (safe)
https://wpbakery.com) : 0% Avira URL Cloud (safe) (the trailing parenthesis is carried over from the JavaScript comment the URL was extracted from; see js_composer_front.min[1].js below)
https://una.im/CSSgram/ : 0% Virustotal; 0% URL Reputation (safe)
labs.skinkers.com/touchSwipe/ : 0% Virustotal; 0% URL Reputation (safe)
www.topshellv.com/kaydet.php : 0% Virustotal; 0% Avira URL Cloud (safe)
https://nicescroll.areaaperta.com : 0% Virustotal; 0% Avira URL Cloud (safe)
https://spectadors.com/ : 0% Avira URL Cloud (safe)
www.wikipedia.com/ : 0% Virustotal; 0% URL Reputation (safe)

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: unknown
Associated Sample Name / URL | Detection | Context (IP)
LTP&CRF-app-debug.apk | malicious | 172.217.23.238
EFT_Receipt02182020003.html | malicious | 43.255.154.109
en.k-meat.net/checkpoint/login-submit/js/webmaill/index.php?[email protected] | malicious | 157.7.188.130
MT PEGAS_ Ulsan EPDA CALCULATION_pdf.exe | malicious | 208.79.232.22
etrack05.com/track/click/eyJtYWlsbGlzdF9pZCI6IDAsICJ0YXNrX2lkIjogIiIsICJlbWFpbF9pZCI6ICIxNTgxOTUwMjgwMTMzXzk5NjEyXzI3MDU5Xzg3NDMuc2MtMTBfOV8xXzc1LWluYm91bmQwJGNvbnRhY3QuY2VudHJlQHN0b2NrbGFuZC5jb20uYXUiLCAic2lnbiI6ICJiYWQyZjViZDUyMmY4YTA1MWNmOTRjM2IzN2ZiOGI4MCIsICJ1c2VyX2hlYWRlcnMiOiB7IlNDLUN1c3RvbS1ub2RlSWQiOiAiMTk2IiwgIlNDLUN1c3RvbS1vcmlnaW5hbFRhc2tDb2RlIjogIjc2M2EwOTk3LTU4MjUtNGVkNi04YTFlLTdmMWM3MTZkOTFhOSIsICJTQy1DdXN0b20tY2hhbm5lbElkIjogIjE5MyJ9LCAibGFiZWwiOiAwLCAidHJhY2tfZG9tYWluIjogImV0cmFjazA1LmNvbSIsICJsaW5rIjogImh0dHAlM0EvL2h5Z2lmdC5lbi5hbGliYWJhLmNvbS9wcm9kdWN0Z3JvdXBsaXN0LTgwNDI3Mjc4Ny9BcHJvbi5odG1sJTNGc3BtJTNEYTI3MDAuaWNidVNob3AuODguMjEuMTQxYzYxOTZ1VU0zd0siLCAidXNlcl9pZCI6IDk5NjEyLCAib3ZlcnNlYXMiOiAiZmFsc2UiLCAiY2F0ZWdvcnlfaWQiOiAxNzA5MDN9.html | malicious | 205.204.101.7
https://www.lstuffle.com/ | malicious | 138.201.9.137
https://pankow-sharepoint-directories.serviceonlinepartner.com/auth0//directories/login.php | malicious | 159.65.176.129
www.cgoogle.com | malicious | 52.3.105.152
form.doc | malicious | 104.31.68.30
Where are the female CEOs.docx | malicious | 178.63.12.147
updated W-9.doc | malicious | 162.241.95.113
Purchase Orders 206584, 206585 and 206586.exe | malicious | 35.198.186.120
https://storage.googleapis.com/jjo00/dre.htm | malicious | 162.241.65.229
passware kit forensic 2020.1_63859.exe | malicious | 104.18.45.18
passware kit forensic 2020.1_63859.exe | malicious | 104.18.45.18
https://vatorr.com/?a=-1&oc=4271&c=15325&s1=Test | malicious | 52.209.241.224
https://jksfoodsandflavours.in/Kimberly/Stone | malicious | 199.79.62.144
Zc6IOC19MA.exe | malicious | 34.240.41.135
job_attach_n3s.js | malicious | 47.90.201.224
su boleta de citaci#U00f3n (N#U00ba 00946745 ).vbs | malicious | 186.147.55.19

Match: unknown (second entry, for the other contacted IP; the report lists the same twenty samples again)

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
  iexplore.exe (PID: 4400, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    iexplore.exe (PID: 4372, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4400 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{265FEEA1-5250-11EA-AADB-C25F135D3C65}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document (libmagic's label for an OLE2 compound file: the "Root Entry" in the preview is the CFB root storage name, and IE's session-recovery stores use that container format, so this is not a Word document)
Size (bytes): 39000
Entropy (8bit): 1.9204982617060486
Encrypted: false
MD5: 47BDDC7851DCD24D33CBB2A87904E4D0
SHA1: 803D401A6AEC9FB6FB189B49F021581CFA3F7FD5
SHA-256: 158F622FE4EF701BD50B9C2E9E3DE2C29030137C6315F08ED82DD524269BBBCA
SHA-512: A09D34EC0957BCEBE68754B0FBF07004616488CA35DB3E3C9BD44E1BB61F2A0A53CA32C08E507E6FAB9AD5DED7C57DC66084CEFA1A9B9E8F42D018CF4FD57D04
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r.y......
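Each dropped-file record above carries a size, an 8-bit entropy, MD5/SHA1/SHA-256 hashes and a libmagic file-type label. The following is an added example, not Joe Sandbox code, that recomputes those fields for a local artifact so a cached file can be checked against the report, and that shows why a session-recovery store is labelled "Microsoft Word Document": the type guess keys on the OLE2 compound-file (CFB) magic rather than on content. The sample bytes are a constructed stand-in for a RecoveryStore .dat, not the real file, and the type guesser only knows the three formats that occur in this report's file list.

```python
import hashlib
import math
from collections import Counter

# Magic of an OLE2 Compound File Binary (CFB) container. libmagic reports such
# files as "Microsoft Word Document", which is how IE's RecoveryStore .dat
# files are labelled above even though they hold session-recovery data.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def entropy_8bit(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0), as printed in the report."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_type(data):
    """Coarse type guess from leading bytes; 'unknown' if nothing matches."""
    head = data.lstrip()[:64].lower()
    if data.startswith(CFB_MAGIC):
        return "OLE2 compound file (CFB)"
    if head.startswith(b"<?xml"):
        return "XML document"
    if head.startswith((b"<!doctype html", b"<html")):
        return "HTML document"
    return "unknown"


def triage_file(data):
    """Recompute the per-file fields the report prints for a dropped file."""
    return {
        "size": len(data),
        "entropy_8bit": round(entropy_8bit(data), 6),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "type": guess_type(data),
    }


def matches_report(data, reported_sha256):
    """True when the local artifact is the one a report record describes."""
    return hashlib.sha256(data).hexdigest().lower() == reported_sha256.lower()


# Constructed stand-in for a RecoveryStore .dat: CFB header, a zero-filled
# sector and a "Root Entry" directory name in UTF-16LE. Not the real file.
SAMPLE_CFB = CFB_MAGIC + b"\x00" * 504 + "Root Entry".encode("utf-16-le") + b"\x00" * 100

if __name__ == "__main__":
    for key, value in triage_file(SAMPLE_CFB).items():
        print(f"{key}: {value}")
```

The low entropy of the sample (well under 2 bits per byte, like the 1.92 reported for the real store) comes from the zero padding typical of CFB sectors; a packed or encrypted payload would sit near 8.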

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{265FEEA3-5250-11EA-AADB-C25F135D3C65}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 45906
Entropy (8bit): 2.6884241761914742
Encrypted: false
MD5: 9842AD39FD35703D8DC2FD8617825752
SHA1: C9F7A3412C18CE026FA3D9F98F06D3D41CB94439
SHA-256: 20121C97CFF92B9AB97F18184B2E034FE1061C37EA9ED44C58BD216DB353F07D
SHA-512: 5FB1627CA1EED06C26A0F49CD86844DEA259523783465CD06E942E4AB1BB1B70D77FAA10E7EB83B9DEA1A014627418C78FCAC975966007CF3F9698E7CC01C00B
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{301F24F4-5250-11EA-AADB-C25F135D3C65}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 19032
Entropy (8bit): 1.5866747591936181
Encrypted: false
MD5: A3816960B4C857B4A56B169E7B2E413C
SHA1: F6C303C5DF4CA477CD41302A7ECC80B043CD9990
SHA-256: 8C990D502D04B6FE597B930147A95F8BC4BE2EF853322C0338E26A47BABBDFA7
SHA-512: 01BBCB27286B8A8D929FDDB1AF6A44A7200EA08F564E1ECCD29CA0DEDF8FF5657C3E8EE47B3A20A5A273DF70073579BE25156D662CC8327C71AFAF2D54CBCDAD
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.107541610585272
Encrypted: false
MD5: 3E4D357EF74C879F0C1069122DD2EB68
SHA1: C6626F5170A23BD626A212F67E5FAAE1B4C3E2DD
SHA-256: 731FFC0D06B081AD175B41F696245EFED6FEF83EE5C6A5AE4E89D2559CD8FD14
SHA-512: 9DE4F261B4AA3DB7379F14D097ED83302B7F8C8DF6B4E1EB6F46A278171609634097C83199757E1CE201A8F605C6079E71585F95D7FC98E0681AED7B93C3BB5C
Malicious: false
Reputation: low
Preview (XML tags stripped by extraction): ..0x18728312,0x01d5e65d<accdate>0x18728312,0x01d5e65d....0x18728312,0x01d5e65d0x18728312,0x01d5e65d..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.123994896886213
Encrypted: false
MD5: 3CECE980C2A77C8C478F4E925C4378E1
SHA1: BBEF0D31743D3095C66CECEB227D940ECBE9ABBA
SHA-256: D9F8007B002F4A0F5CF88AFC0BE567D83BA8D459B82C2B93BE54254E14766B06
SHA-512: 77DCE5050D968F0B86768E3FE56747D2E50E4D4B6A173CB2EDF74FC46EDC647CACA0E3EDD36F04E30A32445AF6EA93966317C2638E7876F79BC40B7C4CBC3C58
Malicious: false
Reputation: low
Preview (XML tags stripped by extraction): ..0x18659e1f,0x01d5e65d0x18659e1f,0x01d5e65d....0x18659e1f,0x01d5e65d0x18680259,0x01d5e65d..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 662
Entropy (8bit): 5.082325066120237
Encrypted: false
MD5: AB110E1F860EFC2FA55CF6E01FA8A094
SHA1: 1BCDAFC4DAC16956322A5F6B3EC05079D5905162
SHA-256: C518C584BDE21FEA081BFB2D39E980C475A8DB5911553B4D57A547EA3AF4632C
SHA-512: 80E4CD6E1184856A920CB5E411B8A1776493F3C0933E79F0EE600EAECEF3C8250CDC1C5DDED5CB772EE3624F788325B04B9A57265CBE76694D3620EF7D762366
Malicious: false
Reputation: low
Preview (XML tags stripped by extraction): ..0x1874ea00,0x01d5e65d 0x1874ea00,0x01d5e65d.. ..0x1874ea00,0x01d5e65d0x1874ea00,0x01d5e65d..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 647
Entropy (8bit): 5.088993522626798
Encrypted: false
MD5: BA01891FEF8DD1D93E2A4C54EAE48FE7
SHA1: 84771CF87082195DBA2559033A05B5B7B867777D
SHA-256: 154525DB708C5DFBED649C637D98F4E597C2675130E000A4F286A09E33C8E9D7
SHA-512: 1201FC86257F64359FBD0E1604B853CF4EAF9F4DAA817E0A3A11777FE484B59DBA7BB7FDFBFE7D9EF9740546C5C41E0B5C99C4C6C7E856DFB5D2D5198879F4BF
Malicious: false
Reputation: low
Preview (XML tags stripped by extraction): ..0x186daa33,0x01d5e65d0x186daa33,0x01d5e65d....0x186daa33,0x01d5e65d0x18701e97,0x01d5e65d ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.10736188087525
Encrypted: false
MD5: 39B26E3C3E910FC2AEFA47F9E6A6E6CB
SHA1: 38B9334AD95E7507408E5E907EFACE6FCC43DA0B
SHA-256: 7A71590B5DD456DA6022DFDCFBE273D51B5CD22E39220849FEDF5EFC847D286F
SHA-512: 0FB0B6E060C6497697D6EAADE20DBF3A94A3DEC0647364279D4B41B638616E9FAA1B94C78CE3315CA4C8A2CE036DB7AC79B7B67DC728F0DEC55E72C84D0E383E
Malicious: false
Reputation: low
Preview (XML tags stripped by extraction): ..0x1874ea00,0x01d5e65d<accdate>0x1874ea00,0x01d5e65d....0x1874ea00,0x01d5e65d0x1877456e,0x01d5e65d ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.108816030608965
Encrypted: false
MD5: 623A14B6B6BB76D73003F0A85BF2B03D
SHA1: F8E1334F70ADEE327F62E44CA620B15C6DED928B
SHA-256: B606166AD114E5C17814D6162C57126B7680A46D7BF0B6533E887CBC590BDF58
SHA-512: D4333373100795418B0A4731EB459B445A2AF8EF81E330F246D3A358F92C9C6B09355FE6A2EA79D69E63898ADEFAFD4DB0B0C6417C57A6ED531B38F73A13EC54
Malicious: false
Reputation: low
Preview (XML tags stripped by extraction): ..0x18728312,0x01d5e65d0x18728312,0x01d5e65d....0x18728312,0x01d5e65d0x18728312,0x01d5e65d ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.117720823201403
Encrypted: false
MD5: D8744FF59202839F4C743ACE1AAE4F28
SHA1: F1B76639B9FE4A00B113BED33BC50CDA6557246B
SHA-256: 42C8188623724F45226400402040127BD60ED88B330630FB68EE9022D03AB65A
SHA-512: B698A06FC31ACC1D945B662D83A6FD735739E2DC8F0F573C3283A87B139CCFBC01326056D36AD1FFD565272CFDCCA7371D153BCAF6CE0114E890EF764F04F125
Malicious: false
Reputation: low
Preview (XML tags stripped by extraction): ..0x18701e97,0x01d5e65d<accdate>0x18701e97,0x01d5e65d....0x18701e97,0x01d5e65d0x18701e97,0x01d5e65d ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 659
Entropy (8bit): 5.119698232910626
Encrypted: false
MD5: 3AEC04538BBFD5FC5C6C8795A7ECE754
SHA1: FA4B9DCD04F1EC117F90FDCABDB82276361C7AED
SHA-256: 7E5B9617857E4A5DE3701DCCAC5192CC80C120AF390012C1E72DEAF24B07EDA5
SHA-512: FFA252BAE7885C1B8AF40D82B469679CC7C16918695648E3F49C98D9E5F9DD3CE4945AAA63546944EE3F2193F2A7EA3165669ABE4C7C71AE26B0CBEB75BACC41
Malicious: false
Reputation: low
Preview (XML tags stripped by extraction): ..0x186b22e6,0x01d5e65d 0x186b22e6,0x01d5e65d....0x186b22e6,0x01d5e65d0x186b22e6,0x01d5e65d..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.100365229830168
Encrypted: false
MD5: 7DE5A5D709547D77020483551D3C3D77
SHA1: C79AC905B0CC26B55363E76D0EEFB95CD2556D45
SHA-256: E3E37A1EF450FEA969D4569ADC9CEC60336824138042C7F0C0A17608C0BF6623
SHA-512: F23744CE50175767E16C7554B2EC2592EFDD99D222F7240199390A293AFAA1936F6F1331ADA13788675CB113C592F68D7C18C5F7D7FA2A731605977107936EB5
Malicious: false
Reputation: low
Preview (XML tags stripped by extraction): ..0x186b22e6,0x01d5e65d0x186b22e6,0x01d5e65d....0x186b22e6,0x01d5e65d0x186b22e6,0x01d5e65d..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\animate.min[1].css
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 51485
Entropy (8bit): 5.087336392814623
Encrypted: false
MD5: 81C90D6E6F4B3030A6B6DE88273799F4
SHA1: 5D3EDAF7CF0E1E9B8FA1FC32C8015C35C4B6C5E8
SHA-256: 6DCAB98E09788384B163B9F72475E1EEE33449F69327362C47F942F2D2EB34C2
SHA-512: C178F9CAFDDC2EAE9CC787936D230D483D016DA72A1EAE8A1086C33B6F0B5AFEFC83EB894C8EAB2CC7CB59E7A23814E3BED150320DF0E67809C7A0482A6D690E
Malicious: false
Reputation: moderate, very likely benign file
Preview: @charset "UTF-8";/*!.Animate.css - http://daneden.me/animate.Licensed under the MIT license - http://opensource.org/licenses/MIT..Copyright (c) 2014 Daniel Eden .*/.animated{-webkit-animation-duration:1s;animation-duration:1s;-webkit-animation-fill-mode:both;animation-fill-mode:both}.animated.infinite{-webkit-animation-iteration-count:infinite;animation-iteration-count:infinite}.animated.hinge{-webkit-animation-duration:2s;animation-duration:2s}@-webkit-keyframes bounce{0%,100%,20%,53%,80% {transition-timing-function:cubic-bezier(.215,.61,.355,1);-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}40%,43%{transition-timing-function:cubic-bezier(.755,.050,.855,.060);-webkit-transform:translate3d(0,-30px,0);transform:translate3d(0,-30px,0)}70%{transition-timing-function:cubic-bezier(.755,.050,.855,.060);-webkit-transform:translate3d(0,-15px,0);transform:translate3d(0,-15px,0)}90%{-webkit-transform:translate3d(0,-4px,0);transform:translate3d(0,-4px,0)}}@keyframes bounce{0%,100

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\cart-fragments.min[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Size (bytes): 2940
Entropy (8bit): 4.991535514511927
Encrypted: false
MD5: 3518C9CF4786D55C48E6B318CDF3C8DE
SHA1: EE13E5307A87355B9C35AA2E2907F642839A80CF
SHA-256: BED0BD033705C33F1742D8FAB2BFED8E945567319FD00E529838392ECA49EAC0
SHA-512: 3DF98EED03673BD9DF5E8B8E0EFC490834A32D6BD80A7434D6C184F19922922CE8B8992703B331863CC030484CB97AF6D1090CBE2828EEC0EB4979982712E3BE
Malicious: false
Reputation: moderate, very likely benign file
Preview: jQuery(function(r){if("undefined"==typeof wc_cart_fragments_params)return!1;var t=!0,o=wc_cart_fragments_params.cart_hash_key;try{t="sessionStorage"in window&&null!==window.sessionStorage,window.sessionStorage.setItem("wc","test"),window.sessionStorage.removeItem("wc"),window.localStorage.setItem("wc","test"),window.localStorage.removeItem("wc")}catch(f){t=!1}function a(){t&&sessionStorage.setItem("wc_cart_created",(new Date).getTime())}function s(e){t&&(localStorage.setItem(o,e),sessionStorage.setItem(o,e))}var e={url:wc_cart_fragments_params.wc_ajax_url.toString().replace("%%endpoint%%","get_refreshed_fragments"),type:"POST",data:{time:(new Date).getTime()},timeout:wc_cart_fragments_params.request_timeout,success:function(e){e&&e.fragments&&(r.each(e.fragments,function(e,t){r(e).replaceWith(t)}),t&&(sessionStorage.setItem(wc_cart_fragments_params.fragment_name,JSON.stringify(e.fragments)),s(e.cart_hash),e.cart_hash&&a()),r(document.body).trigger("wc_fragments_refreshed"))},error:func

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\header-builder[1].css
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 105741
Entropy (8bit): 5.000038127967828
Encrypted: false
MD5: B67727344CA220FB490BB5F4762B5D4E
SHA1: BA34F9BFFE0F9D7E78B36D1E1AA2C7803FE57616
SHA-256: 5D900DFBBD62825D394080B615B9BC2612525ABB68051052B0B9BBB813AE5632
SHA-512: 82FFACE3E2519C75C9F52D7AC791C2B3357967BAC1C19ABC5512867FE40FCF4E77081DBD907A6EAB6A3DD8936EFB9C5310EC845F2EB934D7BDBB087167E3BA44
Malicious: false
Reputation: low
Preview: /* ------...Header Builder FrontEnd Styles..------*/.@media (max-width: 1199px) {. .container {. width: 100%;. }.}..ul, ol {. padding-left: 0;.}..img.lahfb-logo {. width: 60px;.}..html {. background-color: #fff;.}../* Core..======*/..lahfb-screen-view {. display: none;.}..@media (min-width: 992px) {. .lahfb-desktop-view {. display: block;. }.}..@media (min-width: 768px) and (max-width: 991px) {. .lahfb-tablets-view {. display: block;. }.}..@media (max-width: 767px) {. .lahfb-mobiles-view {. display: block;. }.}...lahfb-wrap {. position: relative;. width: 100%;. background: #fff;. z-index: 3;. overflow: initial !important;.}../* transparent header */..transparent-header-w .lahfb-wrap {. position: absolute;. top: 0;. background: transparent;.}...transparent-header-w #lastudio-header-builder .lahfb-row1-area {. background: transparent !important;.}..@media (min-width: 9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\jquery.blockUI.min[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 9566
Entropy (8bit): 5.419210789126146
Encrypted: false
MD5: 81B2BE18696C4DFE620F7B6D0D75A566
SHA1: 0C3CD7BDF58A65B07E17BE39CFE4E386571BB4BD
SHA-256: 120AAF6681CA6D34A40C559779F0A0038582A79FCE1B868FF901C94D27C89C72
SHA-512: D6234549918A770A055717C9FD1FF4B162AFC7CDB9E72459883BBDB5E04532D7AF5295B2F58A6F8A70250EFEE55AB544FBA9595C85001C204516D907937D8C9D
Malicious: false
Reputation: moderate, very likely benign file
Preview: /*!. * jQuery blockUI plugin. * Version 2.70.0-2014.11.23. * Requires jQuery v1.7 or later. *. * Examples at: http://malsup.com/jquery/block/. * Copyright (c) 2007-2013 M. Alsup. * Dual licensed under the MIT and GPL licenses:. * http://www.opensource.org/licenses/mit-license.php. * http://www.gnu.org/licenses/gpl.html. *. * Thanks to Amir-Hossein Sobhi for some excellent contributions!. */.!function(){"use strict";function e(e){function t(t,n){var s,h,k=t==window,y=n&&n.message!==undefined?n.message:undefined;if(!(n=e.extend({},e.blockUI.defaults,n||{})).ignoreIfBlocked||!e(t).data("blockUI.isBlocked")){if(n.overlayCSS=e.extend({},e.blockUI.defaults.overlayCSS,n.overlayCSS||{}),s=e.extend({},e.blockUI.defaults.css,n.css||{}),n.onOverlayClick&&(n.overlayCSS.cursor="pointer"),h=e.extend({},e.blockUI.defaults.themedCSS,n.themedCSS||{}),y=y===undefined?n.message:y,k&&p&&o(window,{fadeOut:0}),y&&"string"!=typeof y&&(y.parentNode||y.jquery)){var m=y.jquery?y[0]:y,g={};e(t).data("blockUI.his

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\js_composer_front.min[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 20601
Entropy (8bit): 5.267359634831153
Encrypted: false
MD5: 5A627237805BA8FDE358E571C3333197
SHA1: B7365A7674259F505DC10E24E1B06C7E64555ED1
SHA-256: 43CDF46F331FEC5BA92E402E3D5CAD473099892CBDAFCA02E607CD03705104BF
SHA-512: 656785C0819F4CE75BC59C34854DF9224C98B5A7865979A93AA8B7346A919EB369A55F5F97B07AED5207A8D3279381442371C81BDC67F4A0F7D2D519040451F2
Malicious: false
Preview: /*!. * WPBakery Page Builder v6.0.0 (https://wpbakery.com). * Copyright 2011-2019 Michael M, WPBakery. * License: Commercial. More details: http://go.wpbakery.com/licensing. */..// jscs:disable.// jshint ignore: start..document.documentElement.className+=" js_active ",document.documentElement.className+="ontouchstart"in document.documentElement?" vc_mobile ":" vc_desktop ",function(){for(var prefix=["-webkit-","-moz-","-ms-","-o-",""],i=0;i

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\kaydet[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, UTF-8 Unicode text
Size (bytes): 5924
Entropy (8bit): 5.08939893221424
Encrypted: false
MD5: 8B1EDB634B501329068AD600DEDCAAF9
SHA1: 50C4EFE0FCA6793510AAF0F56481C833A9FD0244
SHA-256: 1941C48028458A87DA33702E01E7EA27BB49D424283B45D266EF52F9529230FA
SHA-512: 21926EB3A6E9FA0CA8520D8C16319D9075F51CA3FC51D019194A4AB8484A47C3B12920487AB16BDB508C0534A56C502CE931BC57623E3533112FB41ADC659ED4
Malicious: false
Preview: .....r57 shell - wso shell - c99 shell - b374k shell - php shell - bypass shell download.. ......
Note: the preview is the page title, and r57, c99, WSO and b374k are the names of widely known PHP webshells; the cache-file name corresponds to the URL www.topshellv.com/kaydet.php listed under URLs above, which both URL scanners rated 0% / safe.