ID: 321922
Cookbook: browseurl.jbs
Time: 01:33:52
Date: 24/11/2020
Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents  2
Analysis Report https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/  4
  Overview  4
    General Information  4
    Detection  4
    Signatures  4
    Classification  4
    Startup  4
    Malware Configuration  4
    Yara Overview  4
    Sigma Overview  4
    Signature Overview  4
    Mitre Att&ck Matrix  5
    Behavior Graph  5
    Screenshots  6
      Thumbnails  6
    Antivirus, Machine Learning and Genetic Malware Detection  7
      Initial Sample  7
      Dropped Files  7
      Unpacked PE Files  7
      Domains  7
      URLs  7
    Domains and IPs  8
      Contacted Domains  8
      Contacted URLs  8
      URLs from Memory and Binaries  8
      Contacted IPs  9
        Public  10
    General Information  10
    Simulations  11
      Behavior and APIs  11
    Joe Sandbox View / Context  11
      IPs  11
      Domains  11
      ASN  11
      JA3 Fingerprints  11
      Dropped Files  12
    Created / dropped Files  12
    Static File Info  20
      No static file info  20
    Network Behavior  20
      Network Port Distribution  20
      TCP Packets  20
      UDP Packets  22
      DNS Queries  23
      DNS Answers  24
      HTTPS Packets  25
    Code Manipulations  29
    Statistics  29
    Behavior  29
    System Behavior  29
      Analysis Process: iexplore.exe PID: 2168 Parent PID: 792  29
        General  29
        File Activities  30
        Registry Activities  30
      Analysis Process: iexplore.exe PID: 4188 Parent PID: 2168  30
        General  30
        File Activities  30
        Registry Activities  30
    Disassembly  30

Copyright null 2020 Page 2 of 31

Analysis Report https://pub.lucidpress.com/b893a5d3-a8…41-4b5d-b94d-9eaf6a6d31f7/

Overview

General Information
Sample URL: https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/
Analysis ID: 321922
Most interesting Screenshot:

Detection
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures
No high impact signatures.

Classification
(Classification wheel, figure only. Verdict scale: malicious / suspicious / clean. Categories on the wheel: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.)

Startup

System is w10x64
iexplore.exe (PID: 2168 cmdline: 'C:\Program Files\\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 4188 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2168 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• System Summary

There are no malicious signatures.

Mitre Att&ck Matrix

Matrix shown column by column (tactic: techniques); a trailing number marks the number of signatures matched for that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

(Behavior graph, figure only; the legend and node labels below are what survives in the text.)

Legend: ID: 321922; URL: https://pub.lucidpress.com/...; Startdate: 24/11/2020; Architecture: WINDOWS; Score: 0. Node kinds: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Is malicious, Internet. Language markers: Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language.

Graph nodes: iexplore.exe (counters shown: 2, 84) started iexplore.exe (counters shown: 2, 49), which contacted www.lucidpress.com, app.lucidpress.com, stats.l.doubleclick.net (108.177.15.157, port 443, local ports 49729, 49730), www.google.co.uk (172.217.21.195, port 443, local ports 49733, 49734) and 5 other IPs or domains. ASN: GOOGLEUS, United States.

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/ | 0% | Virustotal | | Browse
https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/ | 0% | Avira URL Cloud | safe |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
www.google.co.uk | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
https://js.hsleadflows.net/leadflows.js | 0% | URL Reputation | safe |
https://js.hsleadflows.net/leadflows.js | 0% | URL Reputation | safe |
https://js.hsleadflows.net/leadflows.js | 0% | URL Reputation | safe |
https://js.hsleadflows.net/leadflows.js | 0% | URL Reputation | safe |
https://analytics.lucid.app | 0% | Virustotal | | Browse
https://analytics.lucid.app | 0% | Avira URL Cloud | safe |
https://www.google.%/ads/ga-audiences? | 0% | URL Reputation | safe |
https://www.google.%/ads/ga-audiences? | 0% | URL Reputation | safe |
https://www.google.%/ads/ga-audiences? | 0% | URL Reputation | safe |
https://www.google.%/ads/ga-audiences? | 0% | URL Reputation | safe |
hammerjs.github.io/ | 0% | Virustotal | | Browse
hammerjs.github.io/ | 0% | Avira URL Cloud | safe |
brandon.aaron.sh) | 0% | Avira URL Cloud | safe |
https://www.preprodchart.com | 0% | Avira URL Cloud | safe |
https://analytics.app.preprodchart.com | 0% | Avira URL Cloud | safe |
https://analytics.app.preprodpress.com | 0% | Avira URL Cloud | safe |
www.wikipedia.com/ | 0% | URL Reputation | safe |
www.wikipedia.com/ | 0% | URL Reputation | safe |
www.wikipedia.com/ | 0% | URL Reputation | safe |
https://analytics.lucidchart.eu | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.lucidpress.com | 99.86.159.70 | true | false | | high
app.lucidpress.com | 54.85.236.27 | true | false | | high
stats.l.doubleclick.net | 108.177.15.157 | true | false | | high
www.google.co.uk | 172.217.21.195 | true | false | 0%, Virustotal, Browse | unknown
d2pjrbs8oo6puz.cloudfront.net | 13.226.169.4 | true | false | | high
pub.lucidpress.com | unknown | unknown | false | | high
stats.g.doubleclick.net | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/ | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://player.vimeo.com/api/player.js | viewer[1].js.2.dr | false | | high
https://www.lucidpress.com | viewer[1].js.2.dr | false | | high
https://my.atlassian.com/addon/new/com.lucidchart.onprem.confluence.plugins.lucid-onprem-confluence | viewer[1].js.2.dr | false | | high
https://player.vimeo.com/video/ | viewer[1].js.2.dr | false | | high
https://lucidpress.zendesk.com/hc | viewer[1].js.2.dr | false | | high
https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v3.2 | viewer[1].js.2.dr | false | | high
https://www.youtube.com/embed/ | viewer[1].js.2.dr | false | | high
www.amazon.com/ | msapplication.xml.1.dr | false | | high
g.co/ng/security#xss | viewer[1].js.2.dr | false | | high
https://js.hsleadflows.net/leadflows.js | viewer[1].js.2.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://www.lucidpress.com/favicon.ico?v=3 | imagestore.dat.2.dr, b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7[1].htm.2.dr | false | | high
https://analytics.lucid.app | viewer[1].js.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
momentjs.com/guides/#/warnings/add-inverted-param/ | viewer[1].js.2.dr | false | | high
www..com/ | msapplication.xml5.1.dr | false | | high
https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/f12-Bridges-Rd-Melville-Sales-and-Ma | {449ADF69-2E38-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | | high
support.lucidpress.com | viewer[1].js.2.dr | false | | high
https://d2pjrbs8oo6puz.cloudfront.net/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/thumb-0.png | b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7[1].htm.2.dr | false | | high
https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/Root | {449ADF69-2E38-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | | high
https://www.google.%/ads/ga-audiences? | ga[1].js.2.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | low
www.opensource.org/licenses/mit-license.php | viewerDeps[1].js.2.dr | false | | high
momentjs.com/guides/#/warnings/js-date/ | viewer[1].js.2.dr | false | | high
https://github.com/jquery/jquery/issues/2267 | viewerDeps[1].js.2.dr | false | | high
https://lucidco.zendesk.com/hc | viewer[1].js.2.dr | false | | high
https://www.lucidpress.com/business/pricing/index.html | viewer[1].js.2.dr | false | | high
www.reddit.com/ | msapplication.xml4.1.dr | false | | high
https://salesforce-api.lucidchart.com/ | viewer[1].js.2.dr | false | | high
www.apache.org/licenses/LICENSE-2.0 | viewer[1].js.2.dr, viewerDeps[1].js.2.dr | false | | high
www.linkedin.com/shareArticle?mini=true&title= | viewer[1].js.2.dr | false | | high
momentjs.com/guides/#/warnings/zone/ | viewer[1].js.2.dr | false | | high
www.nytimes.com/ | msapplication.xml3.1.dr | false | | high
https://analytics.app.lucidchart.com | viewer[1].js.2.dr | false | | high
https://d2slcw3kip6qmk.cloudfront.net/app/webroot/img/img_placeholder.png | viewer[1].js.2.dr | false | | high
https://angular.io/ | viewer[1].js.2.dr, viewerDeps[1].js.2.dr | false | | high
hammerjs.github.io/ | viewerDeps[1].js.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.lucidpress.com/pages/cyber-monday-2017 | viewer[1].js.2.dr | false | | high
brandon.aaron.sh) | viewerDeps[1].js.2.dr | false | Avira URL Cloud: safe | low
momentjs.com/guides/#/warnings/dst-shifted/ | viewer[1].js.2.dr | false | | high
https://d2slcw3kip6qmk.cloudfront.net | viewer[1].js.2.dr | false | | high
d2pjrbs8oo6puz.cloudfront.net/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/thumb-0.png | b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7[1].htm.2.dr | false | | high
https://lucidchart.zendesk.com/hc | viewer[1].js.2.dr | false | | high
g.co/ng/security#xss). | viewer[1].js.2.dr | false | | high
https://www.lucidchart.com/pages/visio-stencils | viewer[1].js.2.dr | false | | high
https://www.lucidchart.com | viewer[1].js.2.dr | false | | high
https://stats.g.doubleclick.net/j/collect? | ga[1].js.2.dr | false | | high
g.co/ng/security#xss) | viewer[1].js.2.dr | false | | high
https://analytics.app.lucidpress.com | viewer[1].js.2.dr | false | | high
https://angular.io/api/common/NgForOf#change-propagation | viewer[1].js.2.dr | false | | high
https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/ | {449ADF69-2E38-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | | high
www.lucidpress.com/img/branding/press_mark_512.png) | b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7[1].htm.2.dr | false | | high
https://www.preprodchart.com | viewer[1].js.2.dr | false | Avira URL Cloud: safe | unknown
www.youtube.com/ | msapplication.xml7.1.dr | false | | high
support.lucidchart.com | viewer[1].js.2.dr | false | | high
https://my.matterport.com/show/?m= | viewer[1].js.2.dr | false | | high
https://analytics.app.preprodchart.com | viewer[1].js.2.dr | false | Avira URL Cloud: safe | unknown
https://analytics.app.preprodpress.com | viewer[1].js.2.dr | false | Avira URL Cloud: safe | unknown
www.gnu.org/licenses/gpl.html | viewerDeps[1].js.2.dr | false | | high
www.wikipedia.com/ | msapplication.xml6.1.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
www.live.com/ | msapplication.xml2.1.dr | false | | high
https://angular.io/license | viewer[1].js.2.dr, viewerDeps[1].js.2.dr | false | | high
https://www.lucidpress.com/pages/edu-premium | viewer[1].js.2.dr | false | | high
https://users.app.lucidchart.com | viewer[1].js.2.dr | false | | high
https://analytics.lucidchart.eu | viewer[1].js.2.dr | false | Avira URL Cloud: safe | unknown
momentjs.com/guides/#/warnings/min-max/ | viewer[1].js.2.dr | false | | high

Contacted IPs

(World map of contacted IPs, figure only. Legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs.)

Public

IP | Domain | Country | ASN | ASN Name | Malicious
13.226.169.4 | unknown | United States | 16509 | AMAZON-02US | false
99.86.159.70 | unknown | United States | 16509 | AMAZON-02US | false
108.177.15.157 | unknown | United States | 15169 | GOOGLEUS | false
172.217.21.195 | unknown | United States | 15169 | GOOGLEUS | false
54.85.236.27 | unknown | United States | 14618 | AMAZON-AESUS | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321922
Start date: 24.11.2020
Start time: 01:33:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 1s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@3/26@7/5
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
  Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe
  TCP Packets have been reduced to 100
  Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.193.48, 104.108.39.131, 216.58.207.40, 216.58.210.4, 51.104.144.132, 152.199.19.161, 23.210.248.85, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129
  Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, ssl-google-analytics.l.google.com, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ssl.google-analytics.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net
  Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{449ADF67-2E38-11EB-90E4-ECF4BB862DED}.dat
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: Microsoft Word Document
  Category: dropped
  Size (bytes): 30296
  Entropy (8bit): 1.853451979176572
  Encrypted: false
  SSDEEP: 96:rJhZwZu2z9WHwtHEfHElMHpgOHpNHphfHpRsX:rJhZwZu2z9WQtkfklMJgOJNJhfJRsX
  MD5: 40348E7518C6A15AFB8500F8AED99AB1
  SHA1: 8E48AE4B79D4D6F139E6A4CCB7991B1785773E98
  SHA-256: B71A1571B60B5F3EC4037507B9B4F047C7BB4239287175D6B6E773C70D584C08
  SHA-512: 912336EF87D38F7A25AE1AB1DCD5FB1C150C110A51377C9CFE563C0518EA42628B69C877FF283FFAE10A76BDD7E474F0F54E250B3FE36C3E025ED539DC4C02E9
  Malicious: false
  Reputation: low
  Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{449ADF69-2E38-11EB-90E4-ECF4BB862DED}.dat
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: Microsoft Word Document
  Category: dropped
  Size (bytes): 27834
  Entropy (8bit): 1.8423155464661707
  Encrypted: false
  SSDEEP: 96:rqZdQ16DBSGXFjF2MkWxMEYLdeQdRfeHpiLRC7r:rqZdQ16DkGXFjF2MkWxMEYLIQXG7r
  MD5: 2AA6AFC7318889DF9E4DCB0956FA0B99
  SHA1: C27875DEC64AFD1FBDF47EB0EFFBE3EC50025DCC
  SHA-256: 0DC993339C35AC4D19093606B918E0CB6002282C09F9ED5F37FEED360C40AB1B
  SHA-512: 250089750EDD2BFCE09B7F1562534D3382F1BA4107A1C06B96FA5B93EFCA0CDF0EBA5D32D7E8BB22EFFB00BF38E70F3A934043849738B4721509F3349815D4B9
  Malicious: false
  Reputation: low
  Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{449ADF6A-2E38-11EB-90E4-ECF4BB862DED}.dat
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: Microsoft Word Document
  Category: dropped
  Size (bytes): 16984
  Entropy (8bit): 1.5656862841567873
  Encrypted: false
  SSDEEP: 48:IwDGcprDGwpaiG4pQOGrapbSerGQpKYG7HpRHsTGIpG:r5ZdQS6ABSeFAjTH4A
  MD5: FB089F0AF7E33062DCE694B4EBF48AC9
  SHA1: 9EE00C62C3E6015F7D4665979350F3FB6224C5D3
  SHA-256: 474BBBBB7A61C3B72DD73C91382CF7479351CBCA9C3947AE7E0BA993A8205BA2
  SHA-512: 94A7A29C389C6B210106762DC019BBB14BC340609F086334202DCD8BE8F34B1EC84B28DD168D4112848240D0D877306C212C484F769F95AEAAAF91230F7D51F6
  Malicious: false
  Reputation: low
  Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 656
  Entropy (8bit): 5.12511625418154
  Encrypted: false
  SSDEEP: 12:TMHdNMNxOEiMiMO4nWimI002EtM3MHdNMNxOEiMiMO4nWimI00ObVbkEtMb:2d6NxOrZj4SZHKd6NxOrZj4SZ76b
  MD5: CA5A8A9245876C06B7E60E763DA84ABC
  SHA1: F5F1B46EE11CF3B6EA45E6CE697BAAD341320997
  SHA-256: 104B0078FC2D0484866B7A535B657B2910029490754DF67CF70434BBC5BBFD66
  SHA-512: E733436BC162F7930E7C02AC1DDB460E9AAD61D606CD6CA1ABCC6A256878A8E3B6EEA3296BC47680726ED7F7B0E71BD73603BD2E3CF3E667486993908B1AB32B
  Malicious: false
  Reputation: low
  Preview: ..0x1b85bfc4,0x01d6c245< accdate>0x1b85bfc4,0x01d6c245....0x1b85bfc4,0x01d6c2450 x1b85bfc4,0x01d6c245..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 653
  Entropy (8bit): 5.12360516306685
  Encrypted: false
  SSDEEP: 12:TMHdNMNxe2kH+mH+mO4nWimI002EtM3MHdNMNxe2kH+mH+mO4nWimI00Obkak6Es:2d6Nxrx4SZHKd6Nxrx4SZ7Aa7b
  MD5: E8620648AA7EEEC53DEFC3C0155054FB
  SHA1: 6AE508FD518833C6721319CA99F3FAC5DA6B0EEF
  SHA-256: 623B1F4B50663BD73D03597F8C6C40005BF8D376E6F759F063E1C1A984450FEC
  SHA-512: 463AE158303034D0CE975C237C3A58A376A8DD73D1F6C067465D79707FEC3A506658C5233FEB93914E3872D8BCBF6A905B246F05B271CA8E3BA8FE689FEBE060
  Malicious: false
  Reputation: low
  Preview: ..0x1b80fae8,0x01d6c2450x1b80fae8,0x01d6c245....0x1b80fae8,0x01d6c2450x1b80fae8,0x01d6c245..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 662
  Entropy (8bit): 5.144552299535707
  Encrypted: false
  SSDEEP: 12:TMHdNMNxvL6OBM6OBMO4nWimI002EtM3MHdNMNxvL6OBM6OBMO4nWimI00ObmZEs:2d6Nxv+OJO94SZHKd6Nxv+OJO94SZ7mb
  MD5: 8187A1D7D51519CE3B5C33BF97E115A6
  SHA1: 3B08C8DDE4FEF3F40897B7A9C5D1B37A8B13196A
  SHA-256: 0CC112147429F3A76370C7F63CFB3777BB06DD30BEAF70725D06C0C5755FB076
  SHA-512: 46977F1A599563FE54AEBE2845575F0E8EE69FE7D79CB23A6060DD0E4FED611BA3FE2507E1F457F33C57F9F13CCF24E9946C535B110A43DFF4B884602160243D
  Malicious: false
  Reputation: low
  Preview: ..0x1b8821ff,0x01d6c245 0x1b8821ff,0x01d6c245....0x1b8821ff,0x01d6c2450x1b8821ff,0x01d6c245..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 647
  Entropy (8bit): 5.152652972221837
  Encrypted: false
  SSDEEP: 12:TMHdNMNxiLLO4nWimI002EtM3MHdNMNxiLLO4nWimI00Obd5EtMb:2d6Nx74SZHKd6Nx74SZ7Jjb
  MD5: 94843472563FAB6394B0A04E63D12707
  SHA1: 292AC555A292BD85E6D3AC5FE8D936A08F8A0F37
  SHA-256: A7401F41D29D6C735CD31448F51E1270089E3341C7EC40A04A5F55C0A7119904
  SHA-512: 2EC3192BAEC0221E64EFFE1846E28413208E4D473A2B56E957C20D6394317E99C489DD1D4B2ECD119D695738F0AD248602F0782B98A8AD87764B37EC98041965
  Malicious: false
  Reputation: low
  Preview: ..0x1b835d48,0x01d6c2450x1b835d48,0x01d6c245....0x1b835d48,0x01d6c2450x1b835 d48,0x01d6c245 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 656
  Entropy (8bit): 5.155924468020619
  Encrypted: false
  SSDEEP: 12:TMHdNMNxhGw6OBM6OBMO4nWimI002EtM3MHdNMNxhGw6OBM6OBMO4nWimI00Ob8V:2d6NxQJOJO94SZHKd6NxQJOJO94SZ7YV
  MD5: 294524EED3F8F0CA977BB5A75EBEB58F
  SHA1: F34F5CC8508EB66EE4500A26AA03D52F94CED54E
  SHA-256: 693D7510249A1966AA74DFF69096AA2454D563E90FB2B5C2D4C4FCCE708837C5
  SHA-512: 4FD9F65D75E4A89749D0A751F0758691344C0841958E3E3C8E6D397434F116750DF8F947F3515ED688B3DA71FC86F409268FF795576CFC63C555FAAC1EB3B76E
  Malicious: false
  Reputation: low
  Preview: ..0x1b8821ff,0x01d6c245< accdate>0x1b8821ff,0x01d6c245....0x1b8821ff,0x01d6c2450 x1b8821ff,0x01d6c245 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 653
  Entropy (8bit): 5.128428450186428
  Encrypted: false
  SSDEEP: 12:TMHdNMNx0niMiMO4nWimI002EtM3MHdNMNx0niMiMO4nWimI00ObxEtMb:2d6Nx0iZj4SZHKd6Nx0iZj4SZ7nb
  MD5: 3457DB02820F2BF6097BD1F73ACD9423
  SHA1: 39B659D6246CA344EFF0B52DFD5EED12419FC5F1
  SHA-256: 46530D2BCD4420421CB7386F7281AE4109F9B34E365D27DB6BDDC5A51E1AD580
  SHA-512: C35A4C4FA1085BBD61D12847011E7BE7BBE85300C096AF65FD8F1DADC91813195E5EB7FAA3EFB246E74B08F1F4C8C4A91290A43BEE06AA4BDD043A722FC8D390
  Malicious: false
  Reputation: low
  Preview: ..0x1b85bfc4,0x01d6c2450x1b85bfc4,0x01d6c245....0x1b85bfc4,0x01d6c2450x1 b85bfc4,0x01d6c245 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 656
  Entropy (8bit): 5.165539955452236
  Encrypted: false
  SSDEEP: 12:TMHdNMNxxiMiMO4nWimI002EtM3MHdNMNxxiMiMO4nWimI00Ob6Kq5EtMb:2d6NxcZj4SZHKd6NxcZj4SZ7ob
  MD5: FB7E5BA1325E5B55204BE0B94BD27AFE
  SHA1: 4CB769BC66317DEB270DB2CC7F32A2D4EB521465
  SHA-256: FD4006F38B9AD435B79F2514C2DA74E9D731C35E43DA4FE218285EF29571BCBB
  SHA-512: C2B729E7822643E1AC5627D129D29840406EC108B66D64382D91E98F9971DD3B91244095E998D5B8845DAE3CFEC39C3D4563A697083BD3B0DDF4B8E2E5A3997D
  Malicious: false
  Reputation: low
  Preview: ..0x1b85bfc4,0x01d6c245< accdate>0x1b85bfc4,0x01d6c245....0x1b85bfc4,0x01d6c2450 x1b85bfc4,0x01d6c245 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 659
  Entropy (8bit): 5.153238733284809
  Encrypted: false
  SSDEEP: 12:TMHdNMNxcLLO4nWimI002EtM3MHdNMNxcLLO4nWimI00ObVEtMb:2d6NxJ4SZHKd6NxJ4SZ7Db
  MD5: 4A1BA62139F51847DE2EC33F6864E010
  SHA1: E0DE59D2736EA10D60562F90F9D78930EC309C6F
  SHA-256: C71AA569A0BF4C143533571C7ED0BE69FB8F5C73101B30898321DF89B106BE4F
  SHA-512: 1AF11FECB09ED360C28D11376962AE25DBFA929B8E21AB548AD400063A1DE8D0755C88EC1237791C4E4CDE25CF0AB1D3EB88C69FB7CFEDC534214BEA9A1D4076
  Malicious: false
  Reputation: low
  Preview: ..0x1b835d48,0x01d6c245 0x1b835d48,0x01d6c245....0x1b835d48,0x01d6c2450x1b835d48,0x01d6c245..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 653
  Entropy (8bit): 5.137934952201708
  Encrypted: false
  SSDEEP: 12:TMHdNMNxfnLLO4nWimI002EtM3MHdNMNxfnLLO4nWimI00Obe5EtMb:2d6Nxu4SZHKd6Nxu4SZ7ijb
  MD5: 9BBC8950825035D4DFF2A74AD45D3105
  SHA1: 94308D83BE269CED3C0DBFDA0B38D54859E736B8
  SHA-256: 832BBCB0B916E66728A3C0D67B0EF5C30DAB2CE55EA23B2E4E981C9CE7AB2D42
  SHA-512: 5364EA6F7E31B93EC41ED32E0C0DE89C3E9D9E58B11894E2118F09AA8C49AC62C6DC31D185AED3668737515CBDB48136E5298BF9D68874465DE288A8A4E0EBB0
  Malicious: false
  Reputation: low
  Preview: ..0x1b835d48,0x01d6c2450x1b835d48,0x01d6c245....0x1b835d48,0x01d6c2450x1b835d48,0x01d6c245..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ynfz0jx\imagestore.dat
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: data
  Category: modified
  Size (bytes): 879
  Entropy (8bit): 6.799764997144541
  Encrypted: false
  SSDEEP: 24:p3Em/6DduFFFFC/mA0j3CFAqTaqrrSFFFFFFFac2E:p3Em/6DduFFFFXAwCrHruFFFFFFFak
  MD5: 21715683C848868E2B769887493F3CFE
  SHA1: 4232FDFEF8F1ACA2F4B9F5E33DDA7C2DEB17BB62
  SHA-256: 68E6DECAA882414480775FDFEB41562AD54BEB51061D76488AEDCB2863F06648
  SHA-512: 42A347B9B375BC19D6C0F8DF54FB8F417D5C12258C43A6740996D38813CB636A35F5020C7E5E72EB01691AD2574310F7606A57663B9E2F85343723F1542F15B9
  Malicious: false
  Reputation: low
  Preview: *.h.t.t.p.s.:././.w.w.w...l.u.c.i.d.p.r.e.s.s...c.o.m./.f.a.v.i.c.o.n...i.c.o.?.v.=.3...... PNG...... IHDR...`...`...... w8....pHYs...... sRGB...... gAMA...... a.....IDATx...A+.Q....7EI...(R ,...... X..X.Z.4+..de.|...1..$3Q...D.s...S.s....>.....9g.do.E...... 1....1....1....1....1...... [email protected].{P.k.C.Z;ds`\.M-....2M.50.. 4^..9....b.|...... !d...1S.O$in..x. .9...@G...... M=...... (...$...... M=N...... BgF...|..)g{A..=\.:.....`....`....`....`....`....`....`....`....`....`....`....`...>..;4)..:...>?0\...W...... 2..#.....`H...A.B6..qT.|<..E...... @....`....+.\.k..`.^. .X>.h:.n..'9..J... <.K.(.GE.z.z...4...... #'V.....1..4...8..8.Py.J...s^.$~..we..K..O.1....1....1....1....1....1....1....1....1...... 6...b.}\... .IEND.B`.`...`...... _...... _....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\ga[1].js
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: ASCII text, with very long lines
  Category: downloaded
  Size (bytes): 46274
  Entropy (8bit): 5.48786904450865
  Encrypted: false
  SSDEEP: 768:aqNVrKn0VGhn+K7U1r2p/Y60fyy3/g3OMZht1z1prkfw1+9NZ5VA:RHrLVGhnpIwp/Y7cnz1RkLL5m
  MD5: E9372F0EBBCF71F851E3D321EF2A8E5A
  SHA1: 2C7D19D1AF7D97085C977D1B69DCB8B84483D87C
  SHA-256: 1259EA99BD76596239BFD3102C679EB0A5052578DC526B0452F4D42F8BCDD45F
  SHA-512: C3A1C74AC968FC2FA366D9C25442162773DB9AF1289ADFB165FC71E7750A7E62BD22F424F241730F3C2427AFFF8A540C214B3B97219A360A231D4875E6DDEE6F
  Malicious: false
  Reputation: low
  IE Cache URL: https://ssl.google-analytics.com/ga.js
  Preview: (function(){var E;var g=window,n=document,p=function(a){var b=g._gaUserPrefs;if(b&&b.ioo&&b.ioo()||a&&!0===g["ga-disable-"+a])return!0;try{var c=g.external;if(c&&c._gaUserPrefs&&"oo"==c._gaUserPrefs)return!0}catch(f){}a=[];b=n.cookie.split(";");c=/^\s*AMP_TOKEN=\s*(.*?)\s*$/;for(var d=0;d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\style[1].css
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: UTF-8 Unicode text, with very long lines, with no line terminators
  Category: downloaded
  Size (bytes): 429481
  Entropy (8bit): 5.294660680081011
  Encrypted: false
  SSDEEP: 3072:iT+j1Pg7X69+AOZUnzgIgHZhbRefQfaH8c8Rr4TNbtiPk02toZ4nj:bfQfaU4uZ4nj
  MD5: 24769303760CB8B141C35D6480775BFE
  SHA1: B306C8037548EDDE0BFB243F30FCFDCF248B4851
  SHA-256: 7F3DF99C7F4A283C3A986C8D137F1461B9133B7A6105D4A3BFF16ADEE51648AE
  SHA-512: 83777B700D2AA3349AC79AB410A3F5A90CFD2BFB443D20363050929DF4E9C5F4375B4709981EA50EADB500F8EF7B547817D65806C8859AA7E8F8C8FEED6D3D24
  Malicious: false
  Reputation: low
  IE Cache URL: https://pub.lucidpress.com/7125e763-4bff-4687-ae7c-847cd24d2ea1/style.css
  Preview: .lucid-growl{position:relative;width:200px;background:#1071e5;color:#fff;border:1px solid #0d59b5;border-radius:2px;margin-bottom:4px;font-size:12px}.lucid-growl .close,.lucid-ubergrowl .rSide .close{background:#fff;font-size:10px;cursor:pointer;vertical-align:top}.lucid-growl .close{position:absolute;right:-4px;top:-4px;height:16px;width:16px;-webkit-box-sizing:border-box;box-sizing:border-box;border:1px solid #0d59b5;border-radius:50%;color:#0d59b5;text-align:center;line-height:14px;padding-bottom:1px}.lucid-ubergrowl,.lucid-ubergrowl .lSide,.lucid-ubergrowl .rSide{position:relative}.lucid-growl .close:before{content:'.'}.lucid-growl .message{margin:8px 10px;line-height:1.4}.lucid-growl .message a{color:#fff}.ubergrowl-container{left:0;right:0;text-align:center}.lucid-ubergrowl{display:inline-block;vertical-align:top;height:27px;white-space:nowrap;color:#fff;margin-bottom:4px;font-size:12px;font-weight:700}.lucid-ubergrowl div{height:27px}.lucid-ubergrowl .lSide,.lucid-ubergrowl .me

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\viewerDeps[1].js
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: ASCII text, with very long lines
  Category: downloaded
  Size (bytes): 255779
  Entropy (8bit): 5.548989456371099
  Encrypted: false
  SSDEEP: 6144:xO4kyQQya98Hr+E4Ov08762Mz18psfLzWaGuXBWgKYDx:TlXzuKzGMd
  MD5: 0C75F33A9D78EA314EF28580A8299682
  SHA1: 2FDBAEDDE197133FF7378723E1252168D4B4920B
  SHA-256: 1346C90628A3E2B03CADED53880DD95D7F40940315080A632AE9D5BA7E8A36AD
  SHA-512: FAE2D8A622EC993A95EA6BA242EE108249F2C0BD677AA5C21BD155F6BBDF1696081893F3F90D16B6B4B5024985C7F4BCBCDAE0A2A9BC281D858C200DAC442821
  Malicious: false
  Reputation: low
  IE Cache URL: https://pub.lucidpress.com/7125e763-4bff-4687-ae7c-847cd24d2ea1/viewerDeps.js
  Preview: /*! jQuery v2.1.4 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license.*.* HELLO LUCID: This file has been patched to resolve this bug: https://github.com/jquery/jquery/issues/2267.* The master branch of jquery has the same fix applied to it so upgrading should be OK */.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:f

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\app-banner[1].css
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: downloaded
Size (bytes): 951
Entropy (8bit): 4.892688444401544
Encrypted: false
SSDEEP: 12:gKRzP3DsEZyW5e9fWORnJYYaGWutm4HNV0FofgiBpUdTdigqacDHZtbViWj:dkOe97JJYYNHtm4aofgiBpbDH/bnj
MD5: F84FA4AD7B35BC1E13F6B79E4BC08F4D
SHA1: 88F9A86674FDF3198FF66045BF656DE7D381B662
SHA-256: FB9ABB6AE9383EF9A1694AE3E0EC28B139E0059AD71500DD5A9359A065B469C9
SHA-512: 164C1D6EAB64ED9A0BD5FE7B27D6851B73EA2AF6CF3B89472F22B8302E6E8C83F98AAFC8DDCCA04074ACAA84A94048C5C58C76EE1F2A3F0E29A36FD518281255
Malicious: false
Reputation: low
IE Cache URL: https://app.lucidpress.com/css/apps/press/viewer/app-banner.css
Preview: .app-banner{position:absolute;top:0;left:0;right:0;width:auto;height:64px;padding:10px;background:#f2f2f2;border-bottom:#ccc solid 1px;font-family:Helvetica,Arial,sans-serif}.app-banner-close{position:absolute;display:block;top:0;left:0;bottom:0;width:30px;height:auto;margin:0;padding:0;border:none;-webkit-appearance:none;font-size:20px;text-align:center;line-height:84px;color:#5d646f}.app-banner-icon{position:absolute;left:30px}.app-banner-info{position:absolute;left:104px;font-size:12px;line-height:16px;color:#999;padding-top:8px}.app-banner-info strong{font-weight:400;font-size:14px;color:#000}.app-banner-info em{font-style:normal;color:#333}.app-banner-actions{float:right}.app-banner-action{float:left;height:48px;margin-top:8px;margin-left:10px;line-height:48px;padding:0 16px;background:#f8f8f8;border:1px solid rgba(0,0,0,.1);border-radius:6px;color:#00c2a8;font-size:18px;text-transform:uppercase}.app-banner-action:active{opacity:.5}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\i18n[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Category: downloaded
Size (bytes): 3322
Entropy (8bit): 5.439910857565113
Encrypted: false
SSDEEP: 96:mVUli5yxoZONeWmZ/ie8LSOE2Il81Go1K:pxyONej/isOEH61K
MD5: C229F6AE1BC277658A2E387FFE0380D2
SHA1: 20574BBC14D78F8B6EB82A9BA93BE07E23CA4585
SHA-256: E288698182B7EF77D043470E4C108068F55D704EAFD8C1F59EA48E9980B1D151
SHA-512: B5377D4C8F8BAE75CB1057981A09FA224737C3212DB2F791E020DAF2BCBCBF5370EE28B3219A760C1DED8C5043747E533376A5728E9524F090FD90A4CD3500E2
Malicious: false
Reputation: low
IE Cache URL: https://pub.lucidpress.com/7125e763-4bff-4687-ae7c-847cd24d2ea1/i18n.js
Preview: ;(function(){var g=/&/g,h=//g,m=/"/g,n=/'/g,q=/\x00/g,r=/[\x00&<>"']/;function t(a,b){var e={},c;for(c in a)e[c]=b.call(void 0,a[c],c,a);return e};function u(){this.data={};this.a="en";this.g=!1;this.f="";this.c=/\{(\S+?)\}/gm}this.i18n||(this.i18n=new u);u.prototype.setData=function(a,b){var e=this.data,c=typeof e;if("object"==c&&null!=e||"function"==c)for(var f in a)e[f]=a[f];else this.data=a;this.a=b||"en"};u.prototype.getLanguage=function(){return this.a};u.prototype.setDebug=function(a,b){this.g=a;b&&(this.f=b.split("").filter(function(a){return/[\w \.!@#$%^&*\?]/.test(a)}).join(""))};.u.prototype.getInLocale=function(a,b,e,c){b=a+"--"+b;e=e&&t(e,function(b){return"number"==typeof b?new I18nFormattedNumber(b,a,{}):b instanceof I18nFormattedNumber?new I18nFormattedNumber(b.value,a,b.b):b});c=this.get(b,e,c);return c==b?null:c};.u.prototype.get=function(a,b,e){b=b||{};if("count"in b){var c=b.count;if("number"==typeof c||c instanceof I18nFormattedNumber){var f=a;var c=c insta

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\viewer[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Category: downloaded
Size (bytes): 3123490
Entropy (8bit): 5.597228577439085
Encrypted: false
SSDEEP: 49152:BQY2IHfpfoJKlVSgq9xE9MOixp6DTvbAubBOCXlTzE11O3o7:rpfoJFcPOl
MD5: 66F4F599D1B51AE25E236558693D8119
SHA1: 5C6232F0B8B490C040B207C83494B3C361725203
SHA-256: C6031F86F6485777A6192864A2C82999F31456A476D30C0BE07FB540CFF3341F
SHA-512: 6FEA5E20F6D803E461EDB0B784B6C3DBD68F312771615ECA637AA10BC8E458025212227681067E89210012E1FC348865334A067A25101C17EEE30F9078CF21C1
Malicious: false
Reputation: low
IE Cache URL: https://pub.lucidpress.com/7125e763-4bff-4687-ae7c-847cd24d2ea1/viewer.js
Preview: var vwr;function vwraa(a){var b=0;return function(){return b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\en[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: UTF-8 Unicode text, with very long lines, with no line terminators
Category: downloaded
Size (bytes): 113466
Entropy (8bit): 4.9027627188676055
Encrypted: false
SSDEEP: 1536:OptTLIQLjliIpMoY4xfcOGgk948gMtK1pu/L5:OpNLIYjlieY4OOG94tMtK1pu/L5
MD5: 64EDF02BC947CFFBA511A7E3E82A719A
SHA1: 40C3E6FD212EF26D38755E497AEBF4AEAEE0AC20
SHA-256: 342533D7007E47B72420187A871FADD5961A13ED05862542281CB70E2E124744
SHA-512: EF5770F376711964F9CA39CE9B84AE26CEC5BECC2FF10B9EBA281114718DEED26C8B73441C39A102C06DFC9795F376FF6BC51CF8326A66643141B9C05B2E8E7F
Malicious: false
Reputation: low
IE Cache URL: https://pub.lucidpress.com/7125e763-4bff-4687-ae7c-847cd24d2ea1/en.js
Preview: i18n.setData(JSON.parse("{\"actionpanel-layers-done\":\"Done\",\"admin-error-no-connection\":\"Could not connect to server. Check your internet connection.\",\"billing-info-countries-AC\":\"Ascension Island\",\"billing-info-countries-AD\":\"Andorra\",\"billing-info-countries-AE\":\"United Arab Emirates\",\"billing-info-countries-AF\":\"Afghanistan\",\"billing-info-countries-AG\":\"Antigua and Barbuda\",\"billing-info-countries-AI\":\"Anguilla\",\"billing-info-countries-AL\":\"Albania\",\"billing-info-countries-AM\":\"Armenia\",\"billing-info-countries-AN\":\"Netherlands Antilles\",\"billing-info-countries-AO\":\"Angola\",\"billing-info-countries-AQ\":\"Antarctica\",\"billing-info-countries-AR\":\"Argentina\",\"billing-info-countries-AS\":\"American Samoa\",\"billing-info-countries-AT\":\"Austria\",\"billing-info-countries-AU\":\"Australia\",\"billing-info-countries-AW\":\"Aruba\",\"billing-info-countries-AX\":\"Åland Islands\",\"billing-info-countries-AZ\":\"Azerbaijan\",\"billing-inf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, UTF-8 Unicode text, with very long lines
Category: downloaded
Size (bytes): 20616
Entropy (8bit): 4.890571335081208
Encrypted: false
SSDEEP: 384:rZcMJuRX5CTIOzHyHixYp2hHX9aWLqUAZYbe/Tu1:tc38TIOOHie2h3hDze/Tq
MD5: B39142F83732E617F8F488058FD770C3
SHA1: C20CADB89C786E2AF02925BBABB94C981AE53A75
SHA-256: 23BBDD49414AE2C645AD52AE7085BE24EC6DC4ADF986175973A003DBEDECAE48
SHA-512: 73FAA5C72CE93CC3AEBBC1D0730C867D640196BEADEF1A53A86E69BD2440E00CD1D5018E87D6245FC02A586C9DFA4348253BFFA5BAB2F0359B6CFD66DA426527
Malicious: false
Reputation: low
IE Cache URL: https://pub.lucidpress.com/b893a5d3-a841-4b5d-b94d-9eaf6a6d31f7/
Preview: ..... 12-Bridges-Rd-Melville-Sales-and-Marketing-Proposal ....... . . .....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\favicon[1].ico
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 757
Entropy (8bit): 7.028220010997942
Encrypted: false
SSDEEP: 12:6v/7kE/6Ts/yPdJt2FFFFCedEmOaf85OhjL7HRoCoBP4OFlJxAqWnrPIPd7XSFF6:C/6DduFFFFC/mA0j3CFAqTaqrrSFFFFG
MD5: A6B3E320675A214FDA0A28F567AE1993
SHA1: E393FF070774BC3E792667BB1766D7A9558FB308
SHA-256: E15A61ED81758E453D4C7B439E5A3A3336FDE8AC3B01C07AD0280B36D5DB9F9C
SHA-512: 1FD6BBEB14560787D751D4B2695BDD2B78A50BFD595B27B1A7C62654BE6EE1F72648B47F2EA9B0FE3570028361C0C40E2B64DC7ECD4281BA45DA607F0E335D91
Malicious: false
Reputation: low
Preview: .PNG...... IHDR...`...`...... w8....pHYs...... sRGB...... gAMA...... a.....IDATx...A+.Q....7EI...(R,...... X..X.Z.4+..de.|...1..$3Q...D.s...S.s....>.....9g.do.E...... 1....1....1....1....1...... [email protected].{P.k.C.Z;ds`\.M-....2M.50.. 4^..9....b.|...... !d...1S.O$in..x. .9...@G...... M=...... (...$...... M=N...... BgF...|..)g{A..=\.:.....`....`....`....`....`....`....`....`....`....`....`... .`...>..;4)..:...>?0\...W...... 2..#.....`H...A.B6..qT.|<..E...... @....`....+.\.k..`.^. .X>.h:.n..'9..J...<.K.(.GE.z.z...4...... #'V.....1..4...8..8.Py.J...s^.$~..we..K..O.1....1....1....1....1....1....1....1....1...... 6...b.}\....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\loading[2].css
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: downloaded
Size (bytes): 821
Entropy (8bit): 4.934965949776017
Encrypted: false
SSDEEP: 12:douwPRvos+y7BD5l/q5/A9HzD8xKTzD8xKRh3uhAuRhSlueAu0n:dDwhEKbZqle0kQkRhehHRhReH0n
MD5: 878CF683397A2522AFA6120C708EAFEE
SHA1: 4213687D5569FEBD69A49C162C98C52AAB3CADC7
SHA-256: 1DFA2D4931873638FC43750237D7618917356FAC471F0B5DB9098EB6D9CD6033
SHA-512: 933DCF405BE32A8024E723EFC90AC2E098CAE27EEE1630FF3A48C75796A3E73114E0EE63BB58A600B932905675993E875B5F8266D3059B786CC348E3F3C03EC1
Malicious: false
Reputation: low
IE Cache URL: https://app.lucidpress.com/css/apps/press/viewer/loading.css
Preview: .loading-svg{width:0;height:0}.loading-dots{width:120px;height:20px;position:relative}.loading-dots div{background:#a9afb8;width:20px;height:20px;border-radius:50%;-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0);position:absolute;left:0;-webkit-animation:slide 2s infinite ease;animation:slide 2s infinite ease}@-webkit-keyframes slide{5%,95%{-webkit-transform:translateX(0);transform:translateX(0)}45%,55%{-webkit-transform:translateX(100px);transform:translateX(100px)}}@keyframes slide{5%,95%{-webkit-transform:translateX(0);transform:translateX(0)}45%,55%{-webkit-transform:translateX(100px);transform:translateX(100px)}}.loading-dots div:nth-child(2){-webkit-animation-delay:.15s;animation-delay:.15s}.loading-dots div:nth-child(3){-webkit-animation-delay:.3s;animation-delay:.3s}

C:\Users\user\AppData\Local\Temp\~DF25511792A6F75306.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 13029
Entropy (8bit): 0.48098816646603854
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9loIvF9loIt9lWIfwjpmfpr:kBqoIBHnjpepr
MD5: F03C388974A270BC1BDAEDA773C1DDEB
SHA1: 5D9F3493A6F6E2429A2500BE0D9F8AADAFF0A42C
SHA-256: 52A01BBE31CF3757B545C8B6FF532420BA1EFBAB1C8055D4015920B938A902F8
SHA-512: 3B95F6B66AE83905B08E0582DAF9CA2086B478E432B110AEE2FFFEA582ABBBB29AB38D656463416F06115D229C2EA52A3AA9151363344CF621DCFDD5A86E0851
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DF555C14DC1715C4C2.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 25441
Entropy (8bit): 0.27918767598683664
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5: AB889A32AB9ACD33E816C2422337C69A
SHA1: 1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256: 4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512: BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DF8890CE8213C06583.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 35531
Entropy (8bit): 0.5252716416256996
Encrypted: false
SSDEEP: 48:kBqoxKAuvScS+zN/2SISnkHulWuG6NGWu+uwuLuLY0:kBqoxKAuvScS+zN/2d+dxfeHpiLR
MD5: D8C4B5B2511ABC7BC1B6EB880C54A822
SHA1: 7229DE2A835CF79714CFC38A11A42DFDEB5BF673
SHA-256: 8809288CCC93FA0D197974FD25B22D5AB2ECF11B9C81B7137DBC9B1B54FC4A09
SHA-512: 05B56A2BE6DBDF5A3842C09218C379384646CBFBF8BA62DDD7A235F2F9940A3AC90D820031FB5D18C7DA86C24A1CF198240E5F30A6DFCAE3476EC91529E7AD26
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: 89 • 53 (DNS) • 443 (HTTPS)

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 24, 2020 01:34:40.639812946 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.640782118 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.654953957 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.655078888 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.655653954 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.655790091 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.661433935 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.661853075 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.676439047 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.676835060 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.678833008 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.678877115 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.678915977 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.678997040 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.679042101 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.679049015 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.679482937 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.679526091 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.679563046 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.679620981 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.679685116 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.681914091 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.682085037 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.682634115 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.682743073 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.716389894 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.716517925 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.721930981 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.722011089 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.722101927 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.731543064 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.731592894 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.731626987 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.731656075 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.731764078 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.731803894 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.731827021 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.731872082 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.731957912 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.732004881 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.732572079 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.732588053 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.736752987 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.736783028 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.736874104 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.736902952 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.736934900 CET  49719        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.736969948 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:40.737029076 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.747483015 CET  443          49719      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:40.747533083 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.150254011 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.150309086 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.150346994 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.150393963 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.150396109 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.150439978 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.150502920 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.150523901 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.150547028 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.150573969 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.150602102 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.150650978 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.150840998 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.150938034 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.211112976 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.216084003 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.217801094 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.217950106 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.218249083 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.226275921 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.231205940 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.232860088 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.233006001 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.233371973 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.249587059 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.249636889 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.249663115 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.249686956 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.249742031 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.249747992 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.250353098 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.250395060 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.250431061 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.250448942 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.250468969 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.250479937 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.250482082 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.250535965 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.250718117 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.250766993 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.250791073 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.250808954 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.250835896 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.250855923 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.250871897 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.250915051 CET  49718        443        192.168.2.3   13.226.169.4
Nov 24, 2020 01:34:41.251548052 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.251588106 CET  443          49718      13.226.169.4  192.168.2.3
Nov 24, 2020 01:34:41.251625061 CET  49718        443        192.168.2.3   13.226.169.4

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 24, 2020 01:34:34.360903025 CET  63492        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:34.388154984 CET  53           63492      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:35.405327082 CET  60831        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:35.432553053 CET  53           60831      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:36.450607061 CET  60100        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:36.486357927 CET  53           60100      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:37.575202942 CET  53195        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:37.610918999 CET  53           53195      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:38.631156921 CET  50141        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:38.658376932 CET  53           50141      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:39.329911947 CET  53023        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:39.365828037 CET  53           53023      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:39.630536079 CET  49563        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:39.666315079 CET  53           49563      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:40.581027031 CET  51352        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:40.620006084 CET  59349        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:40.631961107 CET  53           51352      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:40.655533075 CET  53           59349      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:41.217138052 CET  57084        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:41.255160093 CET  53           57084      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:41.752461910 CET  58823        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:41.766283989 CET  57568        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:41.779525995 CET  53           58823      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:41.810156107 CET  53           57568      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:43.029671907 CET  50540        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:43.057028055 CET  53           50540      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:43.210253954 CET  54366        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:43.266561985 CET  53           54366      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:43.542211056 CET  53034        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:43.577660084 CET  53           53034      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:43.706751108 CET  57762        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:43.742225885 CET  53           57762      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:43.847558022 CET  55435        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:43.893431902 CET  53           55435      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:45.095530033 CET  50713        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:45.139273882 CET  53           50713      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:46.409342051 CET  56132        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:46.436625004 CET  53           56132      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:47.221952915 CET  58987        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:47.249237061 CET  53           58987      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:57.239329100 CET  56579        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:57.277318001 CET  53           56579      8.8.8.8      192.168.2.3
Nov 24, 2020 01:34:57.655355930 CET  60633        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:34:57.693285942 CET  53           60633      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:00.353945971 CET  61292        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:00.381298065 CET  53           61292      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:09.414671898 CET  63619        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:09.442204952 CET  53           63619      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:09.867691040 CET  64938        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:09.905234098 CET  53           64938      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:10.244364023 CET  61946        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:10.271586895 CET  53           61946      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:10.430588961 CET  63619        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:10.457853079 CET  53           63619      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:11.366257906 CET  61946        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:11.393706083 CET  53           61946      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:11.445861101 CET  63619        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:11.473217964 CET  53           63619      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:12.368280888 CET  61946        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:12.395770073 CET  53           61946      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:13.509880066 CET  63619        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:13.537133932 CET  53           63619      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:14.383127928 CET  61946        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:14.410459995 CET  53           61946      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:17.508275032 CET  63619        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:17.535738945 CET  53           63619      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:18.399003029 CET  61946        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:18.426419973 CET  53           61946      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:24.549639940 CET  64910        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:24.587275028 CET  53           64910      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:24.627690077 CET  52123        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:24.680993080 CET  53           52123      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:24.861870050 CET  56130        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:24.913316965 CET  53           56130      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:24.999224901 CET  56338        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:25.036837101 CET  53           56338      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:25.363210917 CET  59420        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:25.398879051 CET  53           59420      8.8.8.8      192.168.2.3
Nov 24, 2020 01:35:25.650302887 CET  58784        53         192.168.2.3  8.8.8.8
Nov 24, 2020 01:35:25.685797930 CET  53           58784      8.8.8.8      192.168.2.3

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
Nov 24, 2020 01:34:40.581027031 CET  192.168.2.3  8.8.8.8  0xc16d    Standard query (0)  pub.lucidpress.com       A (IP address)  IN (0x0001)
Nov 24, 2020 01:34:41.217138052 CET  192.168.2.3  8.8.8.8  0x61aa    Standard query (0)  www.lucidpress.com       A (IP address)  IN (0x0001)
Nov 24, 2020 01:34:41.766283989 CET  192.168.2.3  8.8.8.8  0x789d    Standard query (0)  app.lucidpress.com       A (IP address)  IN (0x0001)
Nov 24, 2020 01:34:43.542211056 CET  192.168.2.3  8.8.8.8  0x3905    Standard query (0)  stats.g.doubleclick.net  A (IP address)  IN (0x0001)
Nov 24, 2020 01:34:43.847558022 CET  192.168.2.3  8.8.8.8  0x13a0    Standard query (0)  www.google.co.uk         A (IP address)  IN (0x0001)
Nov 24, 2020 01:34:57.239329100 CET  192.168.2.3  8.8.8.8  0x4963    Standard query (0)  www.lucidpress.com       A (IP address)  IN (0x0001)
Nov 24, 2020 01:34:57.655355930 CET  192.168.2.3  8.8.8.8  0x7d6e    Standard query (0)  app.lucidpress.com       A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                           CName                          Address         Type                    Class
Nov 24, 2020 01:34:40.631961107 CET  8.8.8.8    192.168.2.3  0xc16d    No error (0)  pub.lucidpress.com             d2pjrbs8oo6puz.cloudfront.net  -               CNAME (Canonical name)  IN (0x0001)
Nov 24, 2020 01:34:40.631961107 CET  8.8.8.8    192.168.2.3  0xc16d    No error (0)  d2pjrbs8oo6puz.cloudfront.net  -                              13.226.169.4    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:40.631961107 CET  8.8.8.8    192.168.2.3  0xc16d    No error (0)  d2pjrbs8oo6puz.cloudfront.net  -                              13.226.169.69   A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:40.631961107 CET  8.8.8.8    192.168.2.3  0xc16d    No error (0)  d2pjrbs8oo6puz.cloudfront.net  -                              13.226.169.97   A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:40.631961107 CET  8.8.8.8    192.168.2.3  0xc16d    No error (0)  d2pjrbs8oo6puz.cloudfront.net  -                              13.226.169.24   A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:41.255160093 CET  8.8.8.8    192.168.2.3  0x61aa    No error (0)  www.lucidpress.com             -                              99.86.159.70    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:41.255160093 CET  8.8.8.8    192.168.2.3  0x61aa    No error (0)  www.lucidpress.com             -                              99.86.159.9     A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:41.255160093 CET  8.8.8.8    192.168.2.3  0x61aa    No error (0)  www.lucidpress.com             -                              99.86.159.56    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:41.255160093 CET  8.8.8.8    192.168.2.3  0x61aa    No error (0)  www.lucidpress.com             -                              99.86.159.59    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:41.810156107 CET  8.8.8.8    192.168.2.3  0x789d    No error (0)  app.lucidpress.com             -                              54.85.236.27    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:41.810156107 CET  8.8.8.8    192.168.2.3  0x789d    No error (0)  app.lucidpress.com             -                              3.209.16.152    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:41.810156107 CET  8.8.8.8    192.168.2.3  0x789d    No error (0)  app.lucidpress.com             -                              54.144.101.159  A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:43.577660084 CET  8.8.8.8    192.168.2.3  0x3905    No error (0)  stats.g.doubleclick.net        stats.l.doubleclick.net        -               CNAME (Canonical name)  IN (0x0001)
Nov 24, 2020 01:34:43.577660084 CET  8.8.8.8    192.168.2.3  0x3905    No error (0)  stats.l.doubleclick.net        -                              108.177.15.157  A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:43.577660084 CET  8.8.8.8    192.168.2.3  0x3905    No error (0)  stats.l.doubleclick.net        -                              108.177.15.154  A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:43.577660084 CET  8.8.8.8    192.168.2.3  0x3905    No error (0)  stats.l.doubleclick.net        -                              108.177.15.156  A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:43.577660084 CET  8.8.8.8    192.168.2.3  0x3905    No error (0)  stats.l.doubleclick.net        -                              108.177.15.155  A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:43.893431902 CET  8.8.8.8    192.168.2.3  0x13a0    No error (0)  www.google.co.uk               -                              172.217.21.195  A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:57.277318001 CET  8.8.8.8    192.168.2.3  0x4963    No error (0)  www.lucidpress.com             -                              99.86.159.70    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:57.277318001 CET  8.8.8.8    192.168.2.3  0x4963    No error (0)  www.lucidpress.com             -                              99.86.159.9     A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:57.277318001 CET  8.8.8.8    192.168.2.3  0x4963    No error (0)  www.lucidpress.com             -                              99.86.159.56    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:57.277318001 CET  8.8.8.8    192.168.2.3  0x4963    No error (0)  www.lucidpress.com             -                              99.86.159.59    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:57.693285942 CET  8.8.8.8    192.168.2.3  0x7d6e    No error (0)  app.lucidpress.com             -                              54.144.101.159  A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:57.693285942 CET  8.8.8.8    192.168.2.3  0x7d6e    No error (0)  app.lucidpress.com             -                              3.209.16.152    A (IP address)          IN (0x0001)
Nov 24, 2020 01:34:57.693285942 CET  8.8.8.8    192.168.2.3  0x7d6e    No error (0)  app.lucidpress.com             -                              54.85.236.27    A (IP address)          IN (0x0001)

HTTPS Packets

Columns: Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest

Timestamp: Nov 24, 2020 01:34:40.681914091 CET
Source: 13.226.169.4:443 -> Dest: 192.168.2.3:49719
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=*.lucidpress.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Sat Apr 04 02:00:00 CEST 2020 | Tue May 04 14:00:00 CEST 2021
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

Timestamp: Nov 24, 2020 01:34:40.682634115 CET
Source: 13.226.169.4:443 -> Dest: 192.168.2.3:49718
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=*.lucidpress.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Sat Apr 04 02:00:00 CEST 2020 | Tue May 04 14:00:00 CEST 2021
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

Timestamp: Nov 24, 2020 01:34:41.303957939 CET
Source: 99.86.159.70:443 -> Dest: 192.168.2.3:49721
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=*.lucidpress.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Sat Apr 04 02:00:00 CEST 2020 | Tue May 04 14:00:00 CEST 2021
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

Timestamp: Nov 24, 2020 01:34:41.333827972 CET
Source: 99.86.159.70:443 -> Dest: 192.168.2.3:49722
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=*.lucidpress.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Sat Apr 04 02:00:00 CEST 2020 | Tue May 04 14:00:00 CEST 2021
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

Timestamp: Nov 24, 2020 01:34:42.054121017 CET
Source: 54.85.236.27:443 -> Dest: 192.168.2.3:49724
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=app.lucidchart.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Thu Feb 20 01:00:00 CET 2020 | Sat Mar 20 13:00:00 CET 2021
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

Timestamp: Nov 24, 2020 01:34:42.157697916 CET
Source: 54.85.236.27:443 -> Dest: 192.168.2.3:49723
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=app.lucidchart.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Thu Feb 20 01:00:00 CET 2020 | Sat Mar 20 13:00:00 CET 2021
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

Timestamp: Nov 24, 2020 01:34:43.645706892 CET
Source: 108.177.15.157:443 -> Dest: 192.168.2.3:49729
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=*.g.doubleclick.net, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Nov 03 08:33:42 CET 2020 | Tue Jan 26 08:33:42 CET 2021
  CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021
  CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021

Timestamp: Nov 24, 2020 01:34:43.645920038 CET
Source: 108.177.15.157:443 -> Dest: 192.168.2.3:49730
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=*.g.doubleclick.net, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Nov 03 08:33:42 CET 2020 | Tue Jan 26 08:33:42 CET 2021
  CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021
  CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021

Timestamp: Nov 24, 2020 01:34:43.951138973 CET
Source: 172.217.21.195:443 -> Dest: 192.168.2.3:49733
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=www.google.co.uk, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Nov 03 08:38:15 CET 2020 | Tue Jan 26 08:38:15 CET 2021
  CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021
  CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021

Timestamp: Nov 24, 2020 01:34:43.952105999 CET
Source: 172.217.21.195:443 -> Dest: 192.168.2.3:49734
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c
Certificates (Subject | Issuer | Not Before | Not After):
  CN=www.google.co.uk, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Nov 03 08:38:15 CET 2020 | Tue Jan 26 08:38:15 CET 2021
  CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021
  CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021

Timestamp: Nov 24, 2020 01:34:57.320553064 CET
Source: 99.86.159.70:443 -> Dest: 192.168.2.3:49738
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19
Certificates (Subject | Issuer | Not Before | Not After):
  CN=*.lucidpress.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Sat Apr 04 02:00:00 CEST 2020 | Tue May 04 14:00:00 CEST 2021
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034
  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

Behavior

• iexplore.exe
• iexplore.exe

System Behavior

Analysis Process: iexplore.exe PID: 2168 Parent PID: 792

General

Start time: 01:34:37
Start date: 24/11/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff6208c0000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: iexplore.exe PID: 4188 Parent PID: 2168

General

Start time: 01:34:38
Start date: 24/11/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2168 CREDAT:17410 /prefetch:2
Imagebase: 0x330000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Data Completion Count Address Symbol

Disassembly
