
ID: 210883
Sample Name: Faculty Evaluation copy.docx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 18:16:28
Date: 25/02/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report Faculty Evaluation copy.docx 4
Overview 4
General Information 4
Detection 5
Confidence 5
Classification 6
Analysis Advice 6
Mitre Att&ck Matrix 7
Signature Overview 7
Spreading: 7
Networking: 7
System Summary: 7
Hooking and other Techniques for Hiding and Protection: 8
Malware Analysis System Evasion: 8
Language, Device and Detection: 8
Malware Configuration 8
Behavior Graph 8
Simulations 9
Behavior and APIs 9
Antivirus, Machine Learning and Genetic Malware Detection 9
Initial Sample 9
Dropped Files 9
Unpacked PE Files 9
Domains 9
URLs 9
Yara Overview 9
Initial Sample 9
PCAP (Network Traffic) 9
Dropped Files 10
Memory Dumps 10
Unpacked PEs 10
Sigma Overview 10
Joe Sandbox View / Context 10
IPs 10
Domains 10
ASN 10
JA3 Fingerprints 10
Dropped Files 10
Screenshots 10
Thumbnails 10
Startup 11
Created / dropped Files 11
Domains and IPs 31
Contacted Domains 31
URLs from Memory and Binaries 31
Contacted IPs 32
Static File Info 33
General 33
File 33
Network Behavior 33
UDP Packets 33
DNS Queries 34
DNS Answers 34
Code Manipulations 35
Statistics 35
Behavior 35

Copyright Joe Security LLC 2020 Page 2 of 42

System Behavior 35
Analysis Process: WINWORD.EXE PID: 4072 Parent PID: 548 35
General 35
File Activities 35
File Created 36
File Deleted 36
File Written 36
Registry Activities 36
Key Created 36
Key Value Created 36
Key Value Modified 38
Analysis Process: iexplore.exe PID: 2076 Parent PID: 548 40
General 40
File Activities 40
Registry Activities 40
Analysis Process: ie4uinit.exe PID: 1400 Parent PID: 2076 40
General 40
File Activities 40
File Created 41
Registry Activities 41
Key Value Created 41
Analysis Process: iexplore.exe PID: 2328 Parent PID: 2076 41
General 41
File Activities 41
Registry Activities 41
Analysis Process: ssvagent.exe PID: 2200 Parent PID: 2328 42
General 42
Registry Activities 42
Disassembly 42
Code Analysis 42

Analysis Report Faculty Evaluation copy.docx

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 210883
Start date: 25.02.2020
Start time: 18:16:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 31s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Faculty Evaluation copy.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winDOCX@8/74@6/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .docx
  Found Word or Excel or PowerPoint or XPS Viewer
  Attach to Office via COM
  Browse link: ://forms.office.com/Pages/ResponsePage.aspx?id=bRxSfzcZckeIqGFsC0IQW7WLgfAJTvxJjwATNDVhHg9URTFZRkFEUUpISTNUWElWSkNWOEczQkZGTy4u
  Scroll down
  Close Viewer
  Browsing link: https://go.microsoft.com/fwlink/p/?linkid=857875
  Browsing link: https://go.microsoft.com/fwlink/?linkid=866263

Warnings:
Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 104.125.64.249, 52.109.76.79, 2.20.142.209, 2.20.142.220, 152.199.19.160, 52.142.114.2, 204.79.197.200, 13.107.21.200, 40.77.226.250, 52.114.132.74, 92.123.10.235, 23.210.249.93, 92.122.213.240, 92.122.213.194, 92.123.28.199, 92.122.213.247, 23.210.248.233
Excluded domains from analysis (whitelisted): assets.onestore.ms.edgekey.net, c-msn-com-nsatc.trafficmanager.net, c-bing-com.a-0001.a-msedge.net, cdn.forms.office.net.edgesuite.net, i.s-microsoft.com, i.s-microsoft.com.edgekey.net, a1449.dscg2.akamai.net, uhf.microsoft.com.edgekey.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, a1945.g2.akamai.net, e11290.dspg.akamaiedge.net, www.microsoft.com-c-3.edgekey.net, go.microsoft.com, mscomajax.vo.msecnd.net, prod.forms.office.com.akadns.net, pipe.prd.skypedata.akadns.net, statics-marketingsites-eus-ms-com.akamaized.net, img-prod-cms-rt-microsoft-com.akamaized.net, ieonline.microsoft.com, pipe.cloudapp.aria.akadns.net, www.bing.com, e10583.dspg.akamaiedge.net, uhf.microsoft.com, cs22.wpc.v0cdn.net, dual-a-0001.a-msedge.net, geo.vortex.data.microsoft.com.akadns.net, assets.onestore.ms.akadns.net, a1894.d.akamai.net, web.vortex.data.microsoft.com, c-s.cms.ms.akadns.net, c.s-microsoft.com, any.edge.bing.com, a-0001.a-afdentry.net.trafficmanager.net, pipe.skype.com, c.bing.com, privacy.microsoft.com, go.microsoft.com.edgekey.net, web.vortex.data.microsoft.com.akadns.net, c.s-microsoft.com-c.edgekey.net, e13678.dscg.akamaiedge.net, e11095.dspg.akamaiedge.net, az725175.vo.msecnd.net, db5.vortex.data.microsoft.com.akadns.net, privacy.microsoft.com.edgekey.net, e13678.dspb.akamaiedge.net, www.microsoft.com, browser.pipe.aria.microsoft.com, prd.col.aria.browser.skypedata.akadns.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 0 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence


Threshold 3 0 - 5 true

Classification

[Classification wheel: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]

Analysis Advice

No malicious behavior found; analyze the document also on other versions of Office / Acrobat.

Sample searches for a specific file; try pointing organization-specific fake files to the analysis machine.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
Execution: Graphical User Interface 1; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception
Defense Evasion: Masquerading 1; Process Injection 1; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: File and Directory Discovery 3; System Information Discovery 1 2; Query Registry
Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Remote File Copy 1
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Signature Overview

• Spreading
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection

Spreading:

Enumerates the file system

Networking:

Downloads files

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

Writes ini files

Found graphical window changes (likely an installer)

Checks if Microsoft Office is installed

Uses new MSVCR Dlls

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Enumerates the file system

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph. ID: 210883; Sample: Faculty Evaluation copy.docx; Startdate: 25/02/2020; Architecture: WINDOWS; Score: 0. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. Process nodes: WINWORD.EXE, iexplore.exe, ie4uinit.exe, iexplore.exe, ssvagent.exe. Network nodes: forms.office.com, cdn.forms.office.net, 4 other IPs or domains.]

Simulations

Behavior and APIs

Time Type Description
18:19:08 API Interceptor 2x Sleep call for process: ie4uinit.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source Detection Scanner Label Link
assets.onestore.ms 0% Virustotal Browse

URLs

Source Detection Scanner Label Link
https://privacy.microsom/Pages/ResponsePage.aspx?id=bRxSfzcZckeIqGFsC0IQW7WLgfAJTvxJjwATNDVhHg9URTFZ 0% Avira URL Cloud safe
https://fooft.com/en-US/privacystatement#mainnoticetoendusersmoduleTvxJjwATNDVhHg9URTFZRkFEUUpISTNUW 0% Avira URL Cloud safe
https://raw.githubusercontent.com/stefanpenner/es6-promise/master/LICENSE 0% Virustotal Browse
https://raw.githubusercontent.com/stefanpenner/es6-promise/master/LICENSE 0% URL Reputation safe
https://privacy.micros 0% URL Reputation safe
amsul..io/pickadate.js 0% Virustotal Browse
amsul.github.io/pickadate.js 0% URL Reputation safe
www.youradchoices.ca/fr 0% Virustotal Browse
www.youradchoices.ca/fr 0% URL Reputation safe
www.nielsen-online.com/corp.jsp?section=leg_prs&nav=1#Optoutchoices 0% URL Reputation safe
https://focom/en-us/servicesagreement/default.aspxoendusersmoduleTvxJjwATNDVhHg9URTFZRkFEUUpISTNUWEl 0% Avira URL Cloud safe
fontello.comiconsRegulariconsiconsVersion 0% URL Reputation safe
https://www.microsoft. 0% Virustotal Browse
https://www.microsoft. 0% URL Reputation safe
amsul.github.io/pickadate.js/date.htm 0% Virustotal Browse
amsul.github.io/pickadate.js/date.htm 0% Avira URL Cloud safe
www.youradchoices.ca 0% Virustotal Browse
www.youradchoices.ca 0% URL Reputation safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7
WINWORD.EXE (PID: 4072 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)
iexplore.exe (PID: 2076 cmdline: 'C:\Program Files\\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750)
  ie4uinit.exe (PID: 1400 cmdline: 'C:\Windows\System32\ie4uinit.exe' -ShowQLIcon MD5: 184C8F06D073803490CDA3954C489A36)
  iexplore.exe (PID: 2328 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2076 CREDAT:275457 /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750)
    ssvagent.exe (PID: 2200 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new MD5: 0953A0264879FD1E655B75B63B9083B7)
cleanup

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes): 237
Entropy (8bit): 6.1480026084285395
Encrypted: false
MD5: 9FB559A691078558E77D6848202F6541
SHA1: EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256: 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512: 0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious: false
Reputation: high, very likely benign file
Preview: .PNG...... IHDR...... R....sRGB...... gAMA...... a.....pHYs...... o.d...-PLTE...... (..5..X..h...... J4.I...IIDAT.[c`..&.(.....F....cX.(@[email protected].(..2L....1.{.....c`]L 9.&2.l...I..E...... IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 33282
Entropy (8bit): 3.193746727532429
Encrypted: false
MD5: CF8989923D32BE396591758B343F4105
SHA1: 109F6DD880E11E054FBE77693F9C00C0C194EB79
SHA-256: 2A5097F198B6E99C227F7027C6BCE2E3C661EFBF364D15583AECFF6E9D64D662
SHA-512: 0D098261C2F665F877C7B82B6BAEC24721A01E7A8FDD735B6FDE4109910C49342A82A61D4D854B823CFDBA6EC0F3C5A388CF99730BAFACE1C7E3364849BF0D85
Malicious: false
Reputation: low
Preview: ...... >...... R.o.o.t. .E.n.t.r.y ...... F...... @...... 5.j.z.d.d.1.5.l.Z.k.1.f.e.x.0.2.O.b.d.p.d.2.k.o.L.f...... 8...... @.K .G.A.a.C.G.B.e.f.E.J.c.D.B.b.d.F.e.Q.M.B.X.P.F.S.T.I.B...... <...... @.H.A.e.Z.X.W.A.L.d.F.B.H.A.B.Y.E.R.A.S.b.C.P.P.A.D.f.B.B...... < ......

C:\Users\user\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: Composite Document File V2 Document, Cannot read section info
Size (bytes): 61952
Entropy (8bit): 1.1265994091402878
Encrypted: false
MD5: 5D20AF96006A662F008CD8DB3C58E234
SHA1: 76A786061D6DB73F48F2EF13FD6CB2C98C23AD36
SHA-256: 0DD8EE7E252E7132347518C8DE1391565DB775F84A3E2C7E4E923AEBC2A8B0A4
SHA-512: 9CC387BCFEA35365F20669CC4FAEF0D323CB525E38124A28806CF2581DD14AD38AFE01D3CCC509A185AB45164DF605AE7DF09B71A370B80B0E8B01F84C739812
Malicious: false
Reputation: low
Preview: ...... >......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\9ISBZ910\forms.office[1].xml
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: ASCII text, with no line terminators
Size (bytes): 133
Entropy (8bit): 4.866819552773452
Encrypted: false
MD5: 86EDFE29A4D0DB4E749164C01AEF0B04
SHA1: 53322E2ACC21DBA57BCD3732DDE067968C95942A
SHA-256: E93B2FA82DB8F5C4EBFB39A3D8C8DAF169C20C58E6813E4CCA4EA96B8BD1D5B0
SHA-512: 4209A8048DED8CF6157ED135B65214942DCEF75C7C05343BF855E9DB62344A2A8435ECCDD70B12D3B0B05674A6DE67CD417E853576BE26E6F38A8AC81C4A7C57
Malicious: false
Reputation: low
Preview:

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDCEF431-57F2-11EA-B813-B2C276BF9C88}.dat
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 33368
Entropy (8bit): 1.8658861113771992
Encrypted: false
MD5: AFBAF2AA3ABA94DF9A6F9185FED80526
SHA1: 5397F95C724671AEDCE313A45DED8FE50795640B
SHA-256: 29FF411628EAF051A5049EB27C55F06047E90787A8654069FB3DAD39827983E7
SHA-512: E9110E97A752961C87FF234B9F252B5DD3908C3082A06EDF02643F910FE648E99EC875945BC2291DF1B68C20D005C2A25A559751ADFC0DAAE1A8E7FFAEF89A4C
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0524CE20-57F3-11EA-B813-B2C276BF9C88}.dat
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 16984
Entropy (8bit): 1.5628027235633097
Encrypted: false
MD5: 37A314C0D2FBBC6D2C7787360DCFB62B
SHA1: 9445F27A12ADE36BD260595409DDD1B1189BFAAA
SHA-256: C4A2BC948590C2BE5CFA1CE6CF66C91E82F4EE5E9B287D8FCF2366BF09235424
SHA-512: 76EBC9DB81772F68A7EEB231F87CBA9164A8A31199C1110FE0589551F8C1F58D6E7207F6E3CD3954A1CCA6A952EF60994BCF2FF834A52296F191C7868BE3F4DD
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EDCEF433-57F2-11EA-B813-B2C276BF9C88}.dat
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 57500
Entropy (8bit): 2.4468753328056176
Encrypted: false
MD5: 5AFD3E2B48BB11D90F96CFFDDD4A3C21
SHA1: 49C5998D5D96AB5E894C062662BD4AE8401D41BF
SHA-256: A2B2CE9B3EE5683380A951F1E75B7589D6FFC77FF8F69DC9BB329E46C5EF9BBC
SHA-512: D5572455EAC0570AA413DAB0EC3E7B352584CA9BAB17625A012EA4539EDBC99E8388C32F96621BCF68530CE765410CFEE94EF445B1407E58CD03D470DF5C0A4F
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 703
Entropy (8bit): 5.034347352799738
Encrypted: false
MD5: BE59AA9314063379CDD14316F9F5FC81
SHA1: BC9A0E6BDCD609DD7EE65183A34D9AA3FD514BDE
SHA-256: 655EEEF4BDD4685D1847D8D5C7FB71A8DE786ADE00935BD79B1EDEDCB219689D
SHA-512: D338CC789550554BFFD82D5A8547D84B668DC0E8D960372CE46D83E1200BB67BE031EED323BE12E9EA64D450E327CA398FDFFA262B7FBA44EE05B330F6CFFFCC
Malicious: false
Reputation: low
Preview: ..0xb50b57a0,0x01d5ebff0xb50b57a0,0x01d5ebff....0xb50b57a0,0x01d 5ebff0xb50b57a0,0x01d5ebff..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\bltowdk\imagestore.dat
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 44126
Entropy (8bit): 3.6716737423977674
Encrypted: false
MD5: E669C9368501FFB583ADF932783AF442
SHA1: FC3E33F1E267E5FBF71660B56591ECEDAE89CE3B
SHA-256: 08DD9C99D169F3C7CB4BB77C6FB534DFA5CFFB43675962CCA050145EEAC4E747
SHA-512: 444D36B3A9B89BBDEA74681373758D52DEC007FA132E2C6C4957B9895EC5FDFC8D78C67F9AA967E27F86D369900D334A16A94430337499830FB7B7532511F9AC
Malicious: false
Reputation: low
Preview: ...... 5.h.t.t.p.s.:././.c.d.n...f.o.r.m.s...o.f.f.i.c.e...n.e.t./.f.o.r.m.s./.i.m.a.g.e.s./.f.a.v.i.c.o.n...i.c.o...... (...... @...... pl..pl..pl..pl..pl.. pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl...... pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl...... pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl...... ZV..ZV..ZV..ZV..ZV..ZV..ZV..ZV..^Z..pl..pl..pl..pl...... |x ..pl..pl...... QN..QN..QN..QN..QN

C:\Users\user\AppData\Local\Microsoft\Windows\\Content.IE5\H8RJ8DQE\25-62ce5c[1].js
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 131191
Entropy (8bit): 5.223903929075712
Encrypted: false
MD5: EB8EFB52C7B8FCFE15AD7C2408E85A10
SHA1: F292F6E4F32AA7CB43003ADDFC6C95A8FE772AAB
SHA-256: 1162512BA0DA9FBCE694589B9BA5BC5A8E27B877D1434DC8BCFF2575D3623586
SHA-512: 743D686E353FB8D38F59DCE1D2AB38FA9CB8602F1F6E8ACE35E80342100404595B9362CF7D8A13FAD25A3F6D7876CEE1C8C12DD8F3B765C2B5B4795A129D132A
Malicious: false
Reputation: moderate, very likely benign file
Preview: (function(){/**. * @license almond 0.3.3 Copyright jQuery Foundation and other contributors.. * Released under MIT license, http://github.com/requirejs/almond/LICENSE. */ .var requirejs,require,define,__extends;(function(n){function r(n,t){return w.call(n,t)}function s(n,t){var o,s,f,e,h,p,c,b,r,l,w,k,u=t&&t.split("/"),a=i.map,y=a&&a["*"]||{};if(n){ for(n=n.split("/"),h=n.length-1,i.nodeIdCompat&&v.test(n[h])&&(n[h]=n[h].replace(v,"")),n[0].charAt(0)==="."&&u&&(k=u.slice(0,u.length-1),n=k.concat(n)),r=0;r0&&(n.splice(r-1,2),r-=2);n=n.join("/")}if((u||y)&&a){ for(o=n.split("/"),r=o.length;r>0;r-=1){if(s=o.slice(0,r).join("/"),u)for(l=u.length;l>0;l-=1)if(f=a[u.slice(0,l).join("/")],f&&(f=f[s],f)){e=f;p=r;break}if(e)break;!c&&y&&y[s]&&(c =y[s],b=r)}!e&&c&&(e=c,p=b);e&&(o.splice(0,p,e),n=o.join("/"))}return n}function y(t,i){return function(){var r=b.call(arguments,0

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8RJ8DQE\RE1Mu3b[1].png
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: PNG image data, 216 x 46, 8-bit/color RGBA, non-interlaced
Size (bytes): 4054
Entropy (8bit): 7.797012573497454
Encrypted: false
MD5: 9F14C20150A003D7CE4DE57C298F0FBA
SHA1: DAA53CF17CC45878A1B153F3C3BF47DC9669D78F
SHA-256: 112FEC798B78AA02E102A724B5CB1990C0F909BC1D8B7B1FA256EAB41BBC0960
SHA-512: D4F6E49C854E15FE48D6A1F1A03FDA93218AB8FCDB2C443668E7DF478830831ACC2B41DAEFC25ED38FCC8D96C4401377374FED35C36A5017A11E63C8DAE5C487
Malicious: false
Reputation: high, very likely benign file
Preview: .PNG...... IHDR...... J...... tEXtSoftware.Adobe ImageReadyq.e<...(iTXtXML:com.adobe.xmp..... ...... DIDATx..\ ..UU.>.7..3....h.L..& j2...h.@.."...... `U...... R"..Dq.&.BJR 1.4`$.200...l...... wg.y.[k/

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8RJ8DQE\app[1].css
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with CRLF, LF line terminators
Size (bytes): 262641
Entropy (8bit): 4.9463902181496096
Encrypted: false
MD5: 7C593B06759DB6D01614729D206738D6
SHA1: 0D4F76D10944933B8DDECFFE9691081439A77A3C
SHA-256: F7D9FB0479DE843CF3FB0B78FC56BBB9E30BF0A238C6F79D9209FA8B22EFB574
SHA-512: EF91B610CF17A17AAFB48984B4403EF175EB86096E3F12E23AE8D4C7C96EF60ED14DA3F69721E095CD2ACE3F0A06190186D000992823814BB906F7FB3576C2C1
Malicious: false
Preview: @font-face {. font-family: "wf_segoe-ui_normal";. src: url("//i.s-microsoft.com/fonts/segoe-ui/west-european/normal/latest.eot");. src: url("//i.s-microsoft.com/fonts/segoe-ui/west-european/normal/latest.eot?#iefix") format("embedded-opentype"), url("//i.s-microsoft.com/fonts/segoe-ui/west-european/normal/latest.woff") format("woff"), url("//i.s-microsoft.com/fonts/segoe-ui/west-european/normal/latest.ttf") format("truetype"), url("//i.s-microsoft.com/fonts/segoe-ui/west-european/normal/latest.svg#web") format("svg");. font-weight: normal;. font-style: normal; }..@font-face {. font-family: "wf_segoe-ui_light";. src: url("//i.s-microsoft.com/fonts/segoe-ui/west-european/light/latest.eot");. src: url("//i.s-microsoft.com/fonts/segoe-ui/west-european/light/latest.eot?#iefix") format("embedded-opentype"), url("//i.s-microsoft.com/fonts/segoe-ui/west-european/light/latest.woff") format("woff"), url("//i.s-microsoft.com/fonts/segoe-ui/west-european/light/latest.ttf") format("truetype

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8RJ8DQE\favicon[1].ico
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: MS Windows icon resource - 3 icons, 32x32, 32 bits/pixel, 24x24, 32 bits/pixel
Size (bytes): 7886
Entropy (8bit): 3.973130033666625
Encrypted: false
MD5: 9425D8E9313A692BB3F022E8055FAB82
SHA1: EDDCF3EA767D4C3042D01AC88594D7E795D8615C
SHA-256: F2A1ABCF12EBD0F329E5B66B811B0BD76C8E954CB283CE3B61E72FBF459EF6F1
SHA-512: 93B3EB3C4CE385D80D4A8F6902355BBD156AC1AA20B8869AF05C8E714E90E74C5630BB8DE34D5B8FC9F876AC44BE314F3A2A08B3163295ADADBC6DD7B8D23561
Malicious: false
Preview: ...... 6...... h...f...(...... @...... pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl...... pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl...... pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl..pl...... ZV..ZV..ZV..ZV..ZV..ZV..ZV..ZV..^Z..pl..pl..pl..pl...... |x..pl..pl...... QN..QN..QN..QN..QN..QN..QN..QN..QN..c`..pl..pl..pl...... |x..pl..pl......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8RJ8DQE\favicon[2].ico
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes): 237
Entropy (8bit): 6.1480026084285395
Encrypted: false
MD5: 9FB559A691078558E77D6848202F6541
SHA1: EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256: 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512: 0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious: false
Preview: .PNG...... IHDR...... R....sRGB...... gAMA...... a.....pHYs...... o.d...-PLTE...... (..5..X..h...... J4.I...IIDAT.[c`..&.(.....F....cX.(@[email protected].(..2L....1.{.....c`]L 9.&2.l...I..E...... IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8RJ8DQE\jquery-1.11.2.min[1].js
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 95931
Entropy (8bit): 5.394232486761965
Encrypted: false
MD5: 5790EAD7AD3BA27397AEDFA3D263B867
SHA1: 8130544C215FE5D1EC081D83461BF4A711E74882
SHA-256: 2ECD295D295BEC062CEDEBE177E54B9D6B19FC0A841DC5C178C654C9CCFF09C0
SHA-512: 781ACEDC99DE4CE8D53D9B43A158C645EAB1B23DFDFD6B57B3C442B11ACC4A344E0D5B0067D4B78BB173ABBDED75FB91C410F2B5A58F71D438AA6266D048D98A
Malicious: false
Preview: /*! jQuery v1.11.2 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports =a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window: this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.2",m=function(a,b){return new m.fn.init(a,b)},n=/^ [\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArra y:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.pr evObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){ret

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8RJ8DQE\override[1].css
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 1531
Entropy (8bit): 4.797455242405607
Encrypted: false
MD5: A570448F8E33150F5737B9A57B6D889A
SHA1: 860949A95B7598B394AA255FE06F530C3DA24E4E
SHA-256: 0BD288D5397A69EAD391875B422BF2CBDCC4F795D64AA2F780AFF45768D78248
SHA-512: 217F971A8012DE8FE170B4A20821A52FA198447FA582B82CF221F4D73E902C7E3AA1022CB0B209B6679C2EAE0F10469A149F510A6C2132C987F46214B1E2BBBC
Malicious: false
Preview: a.c-call-to-action:hover, button.c-call-to-action:hover{box-shadow:none!important}a.c-call-to-action:hover span, button.c-call-to-action:hover span{left:0!important}...c-call-to-action:not(.glyph-play):after { right: 0!important;} a.c-call-to-action:focus,button.c-call-to-action:focus{box-shadow:none!important}a.c-call-to-action:focus span,button.c-call-to-action:focus span{left:0!important;box-shadow:none!important}...theme-dark .c-me .msame_Header_name {color: #f2f2f2;}...pmg-page-wrapper .uhf div, .pmg-page-wrapper .uhf button, .pmg-page-wrapper .uhf a, .pmg-page-wrapper .uhf span, .pmg-page-wrapper .uhf p, .pmg-page-wrapper .uhf input {font-family: Segoe UI, SegoeUI,Helvetica Neue,Helvetica,Arial,sans-serif !important;}..@media (min-width: 540px) {.pmg-page-wrapper .uhf .c-uhfh-alert span, .pmg-page-wrapper .uhf #uhf-g-nav span, .pmg-page-wrapper .uhf .c-uhfh-actions span, .pmg-page-wrapper .uhf li, .pmg-page-wrapper .uhf button, .pmg-page-wrapper .uhf a, .pmg-page-wrapper .uhf #meC

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8RJ8DQE\print-icon[1].png
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: PNG image data, 16 x 16, 8-bit/color RGB, non-interlaced
Size (bytes): 173
Entropy (8bit): 5.970149697517944
Encrypted: false
MD5: 023F5AC6E0114AF1F781BE5D3C956385
SHA1: C166284B8541F1DE32DC5C4DEC635C296BF85C98
SHA-256: 75D637BF6B6DFF2525095D0BE7E0C90F012BB118C2EF19099AFDCBC630ADFC79
SHA-512: DAFA49056E3D3014DB392410685CC05773C09938E2E700657727928EDCFF8EA2D7C769D377539C52DA70321B94F4E8F045F565EC51BC2B701D95BB3213CC2203
Malicious: false
Preview: .PNG...... IHDR...... h6....tEXtSoftware.Adobe ImageReadyq.e<...OIDATx.b...?..0222`..jX..a5...D0.50...... k...... :...X=....'..(..I.....K...... IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8RJ8DQE\privacystatement[1].htm
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Size (bytes): 279638
Entropy (8bit): 4.7157970242430665
Encrypted: false
MD5: CE3E862CB277291E07288F0C239C878E
SHA1: 5AC1CDBBDE82F2D9F9B8D95AF86393887027E30A
SHA-256: 6BC155FD7A4420679BB1C283CDD53895F23BEE82B097C1FE00CB9D5FB23CDD65
SHA-512: 75331A78620FF4B7DF93326E002E6FDAB1F34206202CB75CD564CD487C9099CD9408645FD709934AD673AB4C201E75D992AA1813D1BA087A8C689CF0F6A8B5A1
Malicious: false
Preview: ...
