ID: 264216
Sample Name: QRU2.exe
Cookbook: default.jbs
Time: 14:20:55
Date: 13/08/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

Table of Contents 2
Analysis Report QRU2.exe 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
    Startup 4
  Malware Configuration 4
  Yara Overview 4
    Memory Dumps 4
  Sigma Overview 4
  Signature Overview 5
    AV Detection 5
    Spreading 5
    System Summary 5
    Data Obfuscation 5
    Malware Analysis System Evasion 5
  Mitre Att&ck Matrix 5
  Behavior Graph 6
  Screenshots 6
    Thumbnails 6
  Antivirus, Machine Learning and Genetic Malware Detection 7
    Initial Sample 7
    Dropped Files 7
    Unpacked PE Files 7
    Domains 7
    URLs 7
  Domains and IPs 8
    Contacted Domains 8
    URLs from Memory and Binaries 8
    Contacted IPs 9
      Public 10
      Private 10
  General Information 10
  Simulations 11
    Behavior and APIs 11
  Created / dropped Files 11
  Static File Info 24
    General 24
    File Icon 24
    Static PE Info 24
      General 24
      Entrypoint Preview 25
      Data Directories 26
      Sections 26
      Resources 27
      Imports 27
      Version Infos 27
  Network Behavior 27
    UDP Packets 27
  Code Manipulations 28
  Statistics 28
    Behavior 28
  System Behavior 28
    Analysis Process: QRU2.exe PID: 6896 Parent PID: 5652 28
      General 28
      File Activities 28
        File Created 28
        File Written 29
        File Read 30
      Registry Activities 30
        Key Value Created 30
    Analysis Process: conhost.exe PID: 6904 Parent PID: 6896 31
      General 31
    Analysis Process: explorer.exe PID: 7004 Parent PID: 560 31
      General 31
      File Activities 31
      Registry Activities 31
    Analysis Process: shutdown.exe PID: 7068 Parent PID: 6896 31
      General 31
      File Activities 32
    Analysis Process: conhost.exe PID: 7108 Parent PID: 7068 32
      General 32
    Analysis Process: SearchUI.exe PID: 5712 Parent PID: 800 32
      General 32
      File Activities 32
      Registry Activities 33
        Key Value Modified 33
  Disassembly 33
    Code Analysis 33

Copyright null 2020 Page 3 of 33

Analysis Report QRU2.exe

Overview

General Information

Sample Name: QRU2.exe
Analysis ID: 264216
MD5: 6b054a01128b7b…
SHA1: 6eca71a8a448b5…
SHA256: 76ac59be5102c1…
Most interesting Screenshot: (image not reproduced)

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%
(Detection gauge labels: malicious, suspicious, clean)

Signatures

Changes autostart functionality of drives
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses shutdown.exe to shutdown or reboot the system
Yara detected Costura Assembly Loader
AV process strings found (often use…
Allocates memory with a write watch…
Contains capabilities to detect virtual…
Contains long sleeps (>= 3 min)
Creates COM task schedule object (…
Creates a process in suspended mode (…
Creates files inside the system direc…
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely…
May sleep (evasive loops) to hinder…
Monitors certain registry keys / valu…
OS version to string mapping found…
PE file contains strange resources
Queries the volume information (nam…
Sample execution stops while proce…
Sample file is different than original …

Classification

(Radar chart, not reproduced; axis labels: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.)

Startup

System is w10x64

QRU2.exe (PID: 6896 cmdline: 'C:\Users\user\Desktop\QRU2.exe' MD5: 6B054A01128B7B…)
  conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  shutdown.exe (PID: 7068 cmdline: 'C:\Windows\System32\shutdown.exe' -r -t 0 MD5: 7A22F98F0B7BAEEF5FE1965F075A5E95)
    conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
explorer.exe (PID: 7004 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
SearchUI.exe (PID: 5712 cmdline: 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca MD5: C4A9ACE9CDB9E5DB7CBA996CFA9EA7A2)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: QRU2.exe PID: 6896
Rule: JoeSecurity_CosturaAssemblyLoader
Description: Yara detected Costura Assembly Loader
Author: Joe Security
Strings: (none listed)

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Spreading
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security
• Stealing of Sensitive Information


AV Detection:

Machine Learning detection for sample

Spreading:

Changes autostart functionality of drives

System Summary:

Uses shutdown.exe to shutdown or reboot the system

Data Obfuscation:

Yara detected Costura Assembly Loader

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Mitre Att&ck Matrix

Techniques are grouped by tactic column; a number in parentheses is the report's count of matching signatures for that technique, and entries without a number are the matrix's default technique list.

Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Scheduled Task/Job (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
Persistence: Scheduled Task/Job (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Privilege Escalation: Process Injection (1 2), Scheduled Task/Job (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Defense Evasion: Masquerading (1 1), Virtualization/Sandbox Evasion (4), Disable or Modify Tools (1), Process Injection (1 2), Obfuscated Files or Information (2), Software Packing (2), Compile After Delivery
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Query Registry (1), Security Software Discovery (1 2 1), Virtualization/Sandbox Evasion (4), Process Discovery (2), Remote System Discovery (1), File and Directory Discovery (2), System Information Discovery (1 2)
Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points

Behavior Graph

(Graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

ID: 264216
Sample: QRU2.exe
Startdate: 13/08/2020
Architecture: WINDOWS
Score: 60

Elements recoverable from the graph:
Processes: QRU2.exe, explorer.exe, SearchUI.exe, shutdown.exe, conhost.exe (two instances; "started" edges as in the Startup tree)
Signatures shown: Machine Learning detection for sample; Yara detected Costura Assembly Loader; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses shutdown.exe to shutdown or reboot the system; Changes autostart functionality of drives
Created file: C:\Users\user\AppData\Local\...\QRU2.exe.log, ASCII (dropped)
DNS/IP info: 192.168.2.1 (country and ASN unknown)

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: QRU2.exe
Detection: 100%
Scanner: Joe Sandbox ML
Label: (none)
Link: (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source  |  Detection  |  Scanner  |  Label
www.founder.com.cn/cn/bThe  |  0%  |  URL Reputation  |  safe
www.tiro.com  |  0%  |  URL Reputation  |  safe
www.goodfont.co.kr  |  0%  |  URL Reputation  |  safe
www.carterandcone.coml  |  0%  |  URL Reputation  |  safe
www.sajatypeworks.com  |  0%  |  URL Reputation  |  safe
www.typography.netD  |  0%  |  URL Reputation  |  safe
www.founder.com.cn/cn/cThe  |  0%  |  URL Reputation  |  safe
www.galapagosdesign.com/staff/dennis.htm  |  0%  |  URL Reputation  |  safe
fontfabrik.com  |  0%  |  URL Reputation  |  safe
www.founder.com.cn/cn  |  0%  |  URL Reputation  |  safe
www.jiyu-kobo.co.jp/  |  0%  |  URL Reputation  |  safe
www.galapagosdesign.com/DPlease  |  0%  |  URL Reputation  |  safe
www.sandoll.co.kr  |  0%  |  URL Reputation  |  safe
www.urwpp.deDPlease  |  0%  |  URL Reputation  |  safe
www.zhongyicts.com.cn  |  0%  |  URL Reputation  |  safe
www.sakkal.com  |  0%  |  URL Reputation  |  safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name  |  Source  |  Malicious  |  Antivirus Detection  |  Reputation
www.apache.org/licenses/LICENSE-2.0  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
www.fontbureau.com  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
www.fontbureau.com/designersG  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
www.fontbureau.com/designers/?  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
www.founder.com.cn/cn/bThe  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.fontbureau.com/designers?  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
www.tiro.com  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.fontbureau.com/designers  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
www.goodfont.co.kr  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.carterandcone.coml  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.sajatypeworks.com  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.typography.netD  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
https://taskscheduler.codeplex.com/  |  QRU2.exe, 00000000.00000002.247749620.0000000012E81000.00000004.00000001.sdmp; QRU2.exe, 00000000.00000002.247456342.0000000003058000.00000004.00000001.sdmp  |  false  |  (none)  |  high
www.fontbureau.com/designers/cabarga.htmlN  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
www.founder.com.cn/cn/cThe  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.galapagosdesign.com/staff/dennis.htm  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
fontfabrik.com  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.founder.com.cn/cn  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.fontbureau.com/designers/frere-user.html  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
https://aefd.nelreports.net/api/report?cat=bingaot  |  SearchUI.exe, 00000006.00000003.325681228.0000023820A38000.00000004.00000001.sdmp  |  false  |  (none)  |  unknown
https://taskscheduler.codeplex.com/F  |  QRU2.exe, 00000000.00000002.247749620.0000000012E81000.00000004.00000001.sdmp  |  false  |  (none)  |  high
https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/  |  SearchUI.exe, 00000006.00000003.323567728.000002380CF80000.00000004.00000001.sdmp  |  false  |  (none)  |  high
www.jiyu-kobo.co.jp/  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.galapagosdesign.com/DPlease  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.fontbureau.com/designers8  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
www.fonts.com  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  (none)  |  high
www.sandoll.co.kr  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.urwpp.deDPlease  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.zhongyicts.com.cn  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown
www.sakkal.com  |  explorer.exe, 00000002.00000002.528453507.000000000C8D6000.00000002.00000001.sdmp  |  false  |  URL Reputation: safe  |  unknown

Contacted IPs

(Chart not reproduced; legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs.)

Public

IP  |  Country  |  Flag  |  ASN  |  ASN Name  |  Malicious
(no entries)

Private

IP: 192.168.2.1

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 264216
Start date: 13.08.2020
Start time: 14:20:55
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: QRU2.exe
Cookbook file name: default.jbs
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.rans.spre.evad.winEXE@7/41@0/1
EGA Information: Failed
HDC Information: Successful, ratio: 3.4% (good quality ratio 2.9%); Quality average: 70%; Quality standard deviation: 32.5%
HCA Information: Successful, ratio: 99%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): MpCmdRun.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, mobsync.exe
  Excluded IPs from analysis (whitelisted): 23.54.113.104, 204.79.197.200, 13.107.21.200, 205.185.216.10, 205.185.216.42
  Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a-0001.a-afdentry.net.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
  Execution Graph export aborted for target QRU2.exe, PID 6896 because it is empty
  Execution Graph export aborted for target SearchUI.exe, PID 5712 because there are no executed functions
  Report size exceeded maximum capacity and may have missing behavior information.
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtCreateFile calls found.
  Report size getting too big, too many NtCreateKey calls found.
  Report size getting too big, too many NtEnumerateKey calls found.
  Report size getting too big, too many NtEnumerateValueKey calls found.
  Report size getting too big, too many NtOpenFile calls found.
  Report size getting too big, too many NtOpenKey calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryAttributesFile calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time  |  Type  |  Description
14:21:56  |  API Interceptor  |  965x Sleep call for process: explorer.exe modified

Created / dropped Files

C:\ProgramData\WRData\QRU.log
Process: C:\Users\user\Desktop\QRU2.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 373
Entropy (8bit): 3.9862373921508554
Encrypted: false
MD5: 71C0964C266D506D454D5A310E67CC89
SHA1: 3BC85EDE9438B4FEE89DD23CB8A794CD39C48E93
SHA-256: 0E0012362CD906B41EC1A1C042C6D1D27F3E12B97FAF74C7FABB3E76856A97F9
SHA-512: B0D9773E8CA38D5D147937FB53E83A83AC7940D0B3C50631105EF18D669C2888FF334BA25F5EA95430FD7E6E2540104EA534EA479863DD42B609E6E9D201C21C
Malicious: false
Reputation: low
Preview: Webroot Qakbot/Emotet Removal Utility..Current User: user....======[Terminated Processes]======....c:\windows\explorer.exe....======[Registry Values]======...... ======[Scheduled Tasks]======...... ======[Script Files]======...... ======[Block Autoruns]======....Successfully blocked AutoRuns...

This log is the sample's own record of what it did: it names itself the Webroot Qakbot/Emotet Removal Utility, lists c:\windows\explorer.exe as a terminated process and reports that AutoRuns were blocked. Those actions line up with the "Changes autostart functionality of drives" and "Uses shutdown.exe to shutdown or reboot the system" signatures and with the fresh explorer.exe (PID 7004) and shutdown.exe -r -t 0 entries in the Startup tree, so the score of 60 and the rans/spre/evad classification should be weighed against the possibility that the behaviour is a cleanup tool's rather than a payload's; the report itself offers no verdict either way.

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\QRU2.exe.log
Process: C:\Users\user\Desktop\QRU2.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 509
Entropy (8bit): 5.264313281984991
Encrypted: false
MD5: 1365846B9027022C4260D57D6DD744A6
SHA1: 36D18CEFCC6CA195BC631BCC0363C1B8E15C7FA5
SHA-256: 1D8ADC7BC49DCFAF32B435E7B494CAE580E2F4AF6DF838651342E4CDBDCDDBDF
SHA-512: 0F1D8C806A946D688D4111C10EA4886D11BB441B152FE954C97881B85DE3AA961BD2852A03B6FECDBDFD23B9592C02F54DD5495A7ACC2F650E031CB37EC775F1
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.ServiceProce#\5e91b88ac0255894c4e0248b14fc4649\System.ServiceProcess.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\e681e359556f0991834c31646ebd5526\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\CustomMarshalers\7bd854211c1e20d689061fca8fa60dd2\CustomMarshalers.ni.dll",0..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\-MbL01Zafno9DuyycmzvUckfEd0.br[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: ASCII text, with very long lines, with no line terminators
Size (bytes): 34067
Entropy (8bit): 5.433931280459822
Encrypted: false
MD5: ABB9C1933181B9ED9BC641F6BAE91076
SHA1: 16E2AE0828A2FAD82FCD2E6A152B61C78CD15BF3
SHA-256: AE0A985E3A77678C5EFAD4AD464A422C4EE2E9A5B827488A05C9C4B3C0969D25
SHA-512: C1DB479F474671CFD615F2EF076C969E3A2D6584C6B628865A112D5E536CD9651B692EA2BBCB65A19F3D81541C3E244EA216F075E342664C002F9A4589D4FC46
Malicious: false
Reputation: low
Preview: var __extends=this&&this.__extends||function(){var n=function(t,i){return n=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(n,t){n.__proto__=t}||function(n,t){for(var i in t)t.hasOwnProperty(i)&&(n[i]=t[i])},n(t,i)};return function(t,i){function r(){this.constructor=t}n(t,i);t.prototype=i===null?Object.create(i):(r.prototype=i.prototype,new r)}}(),AutoSuggest;(function(n){var t;(function(t){var r="NT",b="NF",i="https://substrate.office.com{0}/api/v1/",k=i+"events",h=i+"init",d=i+"suggestions?query=",g=i+"query",nt=i+"recommendations",c="SubstrateSearchService",tt="https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/{0}?Protocol={1}",u="AutoDiscoveryKey",l="3sflights",it="3sdebug",e="gwsflt.",rt="textdecorations",a="scenario",ut="setflight",ft="debug",v="entitytypes",et="1",ot="scopes",st=".directorysearch",ht="Authorization",o="Content-Type",ct="X-AnchorMailbox",lt="X-Client-Language",at="X-Client-LocalTime",y="Client-Request-Id",p="User-Agent",vt="X

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\1Sc1xMD1H-TxH7bw00Qx8pvuK5w[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: UTF-8 Unicode text, with very long lines, with no line terminators
Size (bytes): 259420
Entropy (8bit): 5.362187915664963
Encrypted: false
MD5: 08F7251EE3AF094242BF2E6A0392F45E
SHA1: 60CC9990FD88B5CE203D2538E0F18FBC38867FCF
SHA-256: 5320CEC0C1C48B5BE08E94EFB54177AA1F4AEAB1CE69A2D8E895182B1836C271
SHA-512: 12A09EB1232675E6E16D56AC96DB6F17DF405806007EF00C456B1A44C77B7ADBF28D4CEAD5A372D64970F144EB91DC750DF0301E057B28B243D6A9E093A726CB
Malicious: false
Reputation: low
Preview: var ClientTestHooks,__spreadArrays,__extends,AutoSuggest;(function(n){var t;(function(t){function r(){if(i.hostingEnvironment==4)return 7;if(!n.isMiniSerpEnabled())return 0;var r=7;return t.config.allowAnswersToAutoOpenMiniSerp||(r&=-2),t.config.allowDNavToAutoOpenMiniSerp||(r&=-3),t.config.allowWebToAutoOpenMiniSerp||(r&=-5),r}var u=["::{679F85CB-0220-4080-B29B-5540CC05AAB6}","::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"],i=SearchAppWrapper.CortanaApp,f=function(){function f(){this.refreshEntrypointApp()}return f.prototype.refreshEntrypointApp=function(){this.EntryPointApp=i.hostingEnvironment==3?1:t.config.forceSettingsAppExperience?3:i.hostingEnvironment==6||t.config.webDesktopMode?5:i.hostingEnvironment==5||t.config.forceSantoriniExperience?4:i.hostingEnvironment==4?2:0},f.prototype.clearDefaults=function(){this.QfMode=0;this.PreviewPaneAvailable=!1;this.MiniSERPMode=0;this.AlwaysWide=!1;this.SearchBoxOnTop=!0;this.AllowKeyboardNavCycling=!0;this.AllowKeyboardNavOffCanvas=!1;this.Scop

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\5EljwgmtRWNm8n3c7QjFDgUL7zg[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: exported SGML document, UTF-8 Unicode text, with very long lines, with no line terminators
Size (bytes): 201842
Entropy (8bit): 5.330088352805953
Encrypted: false
MD5: CB81BD24CCBB8FF9B4BA2AFB4B5A0A0F
SHA1: FC207E6A333ACE0620C825B4C4F4F6F93558D65C
SHA-256: 972E5F1D8962E22AF8F35BE0340F2D79C7067AE8226449825540F4EFCDEFAEC6
SHA-512: AFB9DA20B7CD4D16D59F7F0FEFC677BF22884F02AA564C873C38765ACF00BAA6715E90800A40482BC74A6625C80582E754E43687CDDF22E223E9055BE4A1E3ED
Malicious: false
Reputation: low
Preview: var __extends=this&&this.__extends||function(){var n=function(t,i){return n=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(n,t){n.__proto__=t}||function(n,t){for(var i in t)t.hasOwnProperty(i)&&(n[i]=t[i])},n(t,i)};return function(t,i){function r(){this.constructor=t}n(t,i);t.prototype=i===null?Object.create(i):(r.prototype=i.prototype,new r)}}(),__spreadArrays,AutoSuggest;(function(n){function f(t,r,u,f,e,o,s,h){i(t,r,u,function(t){var i=null;t.status==200&&(i=t.responseText?n.safeExecute(function(){return JSON.parse(t.responseText)},"JSON.parse"):{success:!0});f(i)},e,o,s,h)}function i(i,r,u,f,e,o,s,h,c){var l=c&&_w.XMLHttpRequest?new XMLHttpRequest:sj_gx(),v,a;try{l.open(u?"POST":"GET",i,!0)}catch(y){SharedLogHelper.LogError("fetchUrl",i,y);f&&f({responseText:"",contentType:"",status:-1,result:3});return}if(r)for(v in r)l.setRequestHeader(v,r[v]);e&&(a=e.register(function(){return l.abort()},!1,"xhr abort"));n.config.useEventListeners?(l.addEventListener("load",func

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\7R0G7oU6dud4ATPcUU06UO75ePw[1].css
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: UTF-8 Unicode text, with very long lines, with no line terminators
Size (bytes): 69033
Entropy (8bit): 5.221656673306774
Encrypted: false
MD5: B15D13B1F241E81727A98CF804B93113
SHA1: 729E2BEB066D4F0D86B9DFCCF931462DB767E736
SHA-256: A9D647BD8F8641BFCED9078A3D9C22EBC44C90AD79DDAB2249CA8526BE239C71
SHA-512: 961C91A96CA03F36758B50CB286852E7376571BFF5C2421DD2329E9BEE6BF8E925130EE50950F93053B42ABC23B8318A695AF48EAEF223458FA8ABA9AC16FD90
Malicious: false
Reputation: low
Preview: .rewardsBadge,.wideByDefault .scopesList .scopeTile:not(.selectedScope){color:rgba(0,0,0,.6)}.wideByDefault .scopesList .scopeTile:not(.selectedScope):hover{color:#000}.filterIcon:focus{height:48px;width:46px}body[dir] .filterIcon:focus{margin-top:2px}body[dir='ltr'] .filterIcon:focus{margin-right:2px}body[dir='rtl'] .filterIcon:focus{margin-left:2px}.searchScopes .scopeTile{cursor:default;position:relative;align-items:center}.searchScopes a:hover{background-color:rgba(0,0,0,.1)}.scopesList{height:52px;border-bottom:1px solid rgba(0,0,0,.1);display:flex}.scopesList .scopeTile:focus{height:48px}body[dir] .scopesList .scopeTile:focus{padding:0 14px;margin:2px 2px 0}.scopesList .scopeTile,.scopesList .scopeTile:active{height:51px;display:flex}body[dir] .scopesList .scopeTile,body[dir] .scopesList .scopeTile:active{padding:0 16px;margin:0}.scopesList .scopeTile.selectedScope:focus{height:48px}.scopesList .scopeTile.selectedScope,.scopesList .scopeTile.selectedScope:active{height:52px}.scop

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\8hRsu9RXyJK71Ev1LywFHOSyrBA[1].css
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: ASCII text, with very long lines, with no line terminators
Size (bytes): 66706
Entropy (8bit): 6.002697192790408
Encrypted: false
MD5: 8473C579115E62C923616DEF92734EB3
SHA1: 4CDAD4B833FD5C8C7A51C1B7A1B71422DBD8F0C0
SHA-256: A06467FB94912FCCAED030FA0C4FB1113FF03DCE0D73ABF3A47059B64DAC3108
SHA-512: 051452073C4D6C520ADA8619B63B41E5B31EC3F2E342A18B7842708B8A87B056C5E5AD1FE001867A0011CAA7123AE0FEBEB72DDD66B443E03905FBB0EF3A165F
Malicious: false
Reputation: low
Preview: @font-face{font-family:" MDL2 Assets";src:url(data:application/font-woff;base64,d09GRgABAAAAAMMEAA8AAAABY8gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABPUy8yAAABWAAAAEcAAABgSk1/HFZETVgAAAGgAAACBQAABeCBXolxY21hcAAAA6gAAAS4AAAHarIOh8ZjdnQgAAAIYAAAACAAAAAqCdkJr2ZwZ20AAAiAAAAA8AAAAVn8nuaOZ2FzcAAACXAAAAAMAAAADAAIABtnbHlmAAAJfAAArzIAAT4iq+sVR2hlYWQAALiwAAAANQAAADYUBbNYaGhlYQAAuOgAAAAeAAAAJCI8G3pobXR4AAC5CAAAAUkAAAVQ3yOawmxvY2EAALpUAAACtAAAArSe3envbWF4cAAAvQgAAAAgAAAAIAJHBQxuYW1lAAC9KAAABToAAAvzOvuAfnBvc3QAAMJkAAAAEwAAACD/UQB3cHJlcAAAwngAAACJAAAA03i98g542mNg5ghnnMDAysDBOovVmIGBURpCM19kSGMS4mBl5WJkYgQDBiAQYEAA32AFBQYHBobv3RxgPoRkAKtjgfAUGBgAq2sHLQB42hXJUxQYBgAEwclf2qa2bdu2bdu2bdu2bdu2bTtlur15734WAwz4fwYZPHCIgWGoMHQYJqqD+mHDcGH4MEIYMYwURg6jhFHDaGH0MEYYM4wVxg7jhHHDeGH8MEGYMEwUJg6ThEnDZGHyMEWYMkwVpg7ThGnDdGH6MEOYMcwUZg6zhFnDbGH2MEeYM8wV5g7zhHnDfGH+sEBYMCwUFg6LhEXDYmHxsERYMiwVlg7LhGXDcmH5sEJYMawUVg6rhFXDamH1sEZYM6wV1g7rhHXDemH9sEHYMGwUNg6bhE3DZmHzsEXYMmwVtg7bhG3DdmH7sEPYMewUdg67hF3DbmH3sEfYM+wV9g77hH3Df

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\BBDBvk5AokRBwrox4FNOb3dTd1E[1].css
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: ASCII text, with very long lines, with no line terminators
Size (bytes): 7671
Entropy (8bit): 5.15245035345059
Encrypted: false
MD5: A1F32F25C7C924B918EA54A86670D731
SHA1: F1BF7CB5ADDF0C4BCED58D661137A1F0ACD257C5
SHA-256: 6B58339F9240E372FA046E985DA0D0C5A17B679F27FF3058D6EBD4CD515CA874
SHA-512: 5ACEFCAB3062051BD538CCF57EBCBB0BC9FCF11C12768EC7559B2ADA84F871299CE2C93B2400807F362578AD2C0F31AFF5CFE925C2FB259A7FFD24CC498435ED
Malicious: false
Reputation: low
Preview: body #fbpgdg{color:#000;font-family:'Segoe UI',Arial,Helvetica,Sans-Serif;font-style:normal;font-variant:normal;font-weight:normal;background-position:inherit;display:initial;cursor:pointer;line-height:15px}body{position:static}body[dir]{margin:0}#fbpgdg,#fbpgdg *{box-sizing:content-box}#fbpgdg h2{font-weight:bold;-webkit-margin-before:.83em;-webkit-margin-after:.83em;font-size:1.3em;line-height:15px}body[dir] #fbpgdg h2{margin:10px 0 10px 0}#fbpgdg h3{font-weight:bold;font-size:1.17em;display:block}#fbpgdg .fb-t-small{font-size:13px}#fbpgdg .fbctgcntsdk,#fbpgdg .container{-webkit-margin-after:0}body[dir] #fbpgdg .fbctgcntsdk,body[dir] #fbpgdg .container{margin-bottom:0;margin-top:10px}body[dir='ltr'] #fbpgdg .fbctgcntsdk,body[dir='ltr'] #fbpgdg .container{padding-left:0}body[dir='rtl'] #fbpgdg .fbctgcntsdk,body[dir='rtl'] #fbpgdg .container{padding-right:0}#fbpgdg .fbctgctlsdk{list-style:none;display:list-item}body[dir] #fbpgdg .fbctgctlsdk{margin:10px 0 10px 0}#fbpgdg a{text-decorati

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\BkCFSCgkW-Wh02pJlYudqkJYDas[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: ASCII text, with very long lines
Size (bytes): 19209
Entropy (8bit): 5.349287611959815
Encrypted: false
MD5: E26B1923B5D32CF0A8A3F92633D87CF3
SHA1: 45DABDD4EEC124EE0CD0D73C860FCCEF84A7FB2E
SHA-256: 1B2F435351A37AACDBC9677D859AB808F51F2F32B612AC27DC85738B44191C70
SHA-512: 0CBEEC66F562CD54970302FA39412B85E295CC6F4BF0B2CF5F870CA3ADE0B57F1DBA938E5267B451F87099C4EFAD35C2E814AC57D8DAD67326F51E961B102F4F
Malicious: false
Reputation: low
Preview: /*!DisableJavascriptProfiler*/.var BM=BM||{};BM.config={B:{timeout:1e3,delay:750,maxUrlLength:300,sendlimit:20,maxPayloadSize:7e3},V:{distance:20},N:{maxUrlLength:300},E:{buffer:30,timeout:5e3,maxUrlLength:300},C:{distance:50}},function(n){function ot(){if(!document.querySelector||!document.querySelectorAll){y({FN:"init",S:"QuerySelector"});return}v={};f=[];g=1;d=0;k=0;e=[];o=0;s=!1;var n=Math.floor(Math.random()*1e4).toString(36);t={P:{C:0,N:0,I:n,S:kt,M:i,T:0,K:i,F:0}};ri()}function dt(n,t){var r={};for(var i in n)i.indexOf("_")!==0&&(i in t&&(n[i]!==t[i]||i==="i")?(r[i]=t[i],n[i]=t[i]):r[i]=null);return r}function gt(n){var i={};for(var t in n)n.hasOwnProperty(t)&&(i[t]=n[t]);return i}function tt(n,t,i){if(!s){y({FN:"snapshot",S:n});return}i=i||yt;t=t||!1;var r=w()+i;it(e,n)===-1&&e.push(n);t?(st(),ht(t)):r>o&&(st(),k=sb_st(ht,i),o=r)}function y(n){var f={T:"CI.BoxModelError",FID:"CI",Name:ut,SV:ft,P:t&&"P"in t?p(t.P):i,TS:r(),ST:l},u,e;for(u in n)f[u]=n[u];e=p(f);ct(e)}function st(

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\Cj4mQnDN_eMyYEqsEbjRrJ2Ttec.br[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: very short file (no magic)
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: low
Preview: 1

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\DDUHuV5jYO3bWixTxzPVUzOJb8k[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: UTF-8 Unicode text, with very long lines, with no line terminators
Size (bytes): 1130197
Entropy (8bit): 6.263936705146027
Encrypted: false
MD5: B0008AAB339004C35E103A8A4187C037
SHA1: 026DF1D863593FE4AD22F82DFDAA0030189C2C12
SHA-256: 5D0BAD9EF5A5E5F27F93A55BAB8DC05847D037FA038BEBAF99E8B0FF330F49F3
SHA-512: 195197ECF713A2A73C0CCA32BF5318398CF93A259EEB2A464695883F9593DE83E52D736E7491C0154971C3EF45C12B38AA6890B5C47CEC805BD79E87B0424384
Malicious: false
Reputation: low
Preview: (function(n,t){function i(n,t){return LocStringManager.register({uiCulture:n,name:"CortanaQF",namespace:"WindowsSearchBox"},{AcknowledgeFlyoutText:t[0],ActionsSection:t[1],AddingScopeNarratorText:t[2],AddingScopeNarratorTextAll2:t[3],Album:t[4],App:t[5],Artist:t[6],Author:t[7],BestMatch:t[8],BestMatchFor:t[9],Build:t[10],Cancel:t[11],Clear:t[12],CommandGroup:t[13],Company:t[14],Content:t[15],ContextMenu:t[16],ControlPanelAnnotation:t[17],CopyFullPath:t[18],CortanaAnnotation_Email:t[19],CortanaGroup:t[20],DesktopAppAnnotation:t[21],DirectNavSuggestion:t[22],DismissBingImage:t[23],DismissFlyout:t[24],DismissUpsell:t[25],EdgeUpsellButtonMessage:t[26],EdgeUpsellButtonMessageInstalled:t[27],EdgeUpsellButtonMessageSpartan:t[28],EdgeUpsellMessage:t[29],EdgeUpsellMessageHome:t[30],EdgeUpsellMessageHome2:t[31],EdgeUpsellMessageHome3:t[32],EdgeUpsellMessageHomeInstalled1:t[33],EdgeUpsellMessageHomeInstalled2:t[34],EdgeUpsellMessageHomeInstalled3:t[35],EdgeUpsellMessageHomeSpartan:t[36],EdgeUpsel

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\Dae9F3uWr1j96ciQZxvUiMLiQ20[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 6584
Entropy (8bit): 5.431678053520003
Encrypted: false
MD5: BD7AE7C3176D8081B60F1107A59E2E0A
SHA1: 0DA7BD177B96AF58FDE9C890671BD488C2E2436D
SHA-256: 69A4F680A4A443E28D84769ABBBCDC1A64F24117E2B477B49DF0E6CFD5A83FCC
SHA-512: 0145288AB1C74C45790C7ABCA7B0AA6A0E8C09AB05FC5B9A0AB858BE1B6E302F043EE5DA81C57158BE48A1700D63E9567C8D5DD56ED021508622F81A1D99D168
Malicious: false
Reputation: low
Preview: /** @license React v16.1.1.. * react.production.min.js.. *.. * Copyright (c) 2013-present, Facebook, Inc... *.. * This source code is licensed under the MIT license found in the.. * LICENSE file in the root directory of this source tree... */..'use strict';(function(p,l){"object"===typeof exports&&"undefined"!==typeof module?module.exports=l():"function"===typeof define&&define.amd?define(l):p.React=l()})(this,function(){function p(a){for(var b=arguments.length-1,c="Minified React error #"+a+"; visit http://facebook.github.io/react/docs/error-decoder.html?invariant\x3d"+a,e=0;e

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\HkpLvsXkCMkluzD--i9_Hl9v67o[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 94820
Entropy (8bit): 5.395085534401416
Encrypted: false
MD5: 95029A2B8ED04C57F44599682E9CE9C6
SHA1: 1E4A4BBEC5E408C925BB30FEFA2F7F1E5F6FEBBA
SHA-256: 15EDF8C630F285A9B9D9033D867F4FB1D5288AD3BE707F31FB3BF7EDFA54EAEA
SHA-512: 3C1F3EAA0E2D26D8CF854714E4BA4AF36B102D7AA8CE4138734406BABCD54DC3002EE31A3540009EA7E2C8C8DC3C8CB2CE6E753F410E6C3A0EF055A1E362A608
Malicious: false
Reputation: low
Preview: /** @license React v16.1.1.. * react-dom.production.min.js.. *.. * Copyright (c) 2013-present, Facebook, Inc... *.. * This source code is licensed under the MIT license found in the.. * LICENSE file in the root directory of this source tree... */../*.. Modernizr 3.0.0pre (Custom Build) | MIT..*/..'use strict';(function(ea,l){"object"===typeof exports&&"undefined"!==typeof module?module.exports=l(require("react")):"function"===typeof define&&define.amd?define(["react"],l):ea.ReactDOM=l(ea.React)})(this,function(ea){function l(a){for(var b=arguments.length-1,c="Minified React error #"+a+"; visit http://facebook.github.io/react/docs/error-decoder.html?invariant\x3d"+a,d=0;d<b;d++)c+="\x26args[]\x3d"+encodeURIComponent(arguments[d+1]);b=Error(c+" for the full message or use the non-minified dev environment for full errors and additional helpful warnings.");..b.name="Invariant Violation";b.framesToPop=1;throw b;}function oa(a,b){return(a&b)===b}function Qc(a,b){if(Rc.hasOwnProperty(a)||2

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\I60R-6LmQnXHOc3nUq4KJ5Ip_6M.br[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: UTF-8 Unicode text, with very long lines, with no line terminators
Size (bytes): 65350
Entropy (8bit): 5.128695096226057
Encrypted: false
MD5: 5975A6D3C3B68EDCA9B960A43DC5EF43
SHA1: 1C9F6D039B0261C4FA35C343A8B9BFD8543078BA
SHA-256: 8A446DC6226DA7F4811688C3CDBA3ECABEB7F4FE921EEE4C968604814E4F39AF
SHA-512: 1C554FBC7666941459A4E47675ED34084AADEFA1511738818AB8C96FFC6BCB65A2D7246ED2C616335E966A136D403E77320D53211C4DB9BB9C31DB32A645F326
Malicious: false
Reputation: low
Preview: var __assign,__extends,__spreadArrays,AutoSuggest;(function(n){var t;(function(n){function t(){for(var t,r,u,n,f,e=[],i=0;i0?t.join(" "):null}function i(n){return ThresholdUtilities.getUrlParameter(location.search,"isTest")?n:undefined}n.ViewData={};n.classNames=t;n.whenTestHooks=i})(t=n.View||(n.View={}))})(AutoSuggest||(AutoSuggest={}));__extends=this&&this.__extends||function(){var n=function(t,i){return n=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(n,t){n.__proto__=t}||function(n,t){for(var i in t)t.hasOwnProperty(i)&&(n[i]=t[i])},n(t,i)};return function(t,i){function r(){this.constructor=t}n(t,i);t.prototype=i===null?Object.create(i):(r.prototype=i.prototype,new r)}}(),function(n){var t;(function(n){var t=function(n){function t(){return n!==null&&n.apply(this,arguments)||this}return __extends(t,n),t.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\I7DSmWQb5QdqJ0B6ayO7Nkk66TY[1].js
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: UTF-8 Unicode text, with very long lines
Size (bytes): 52394
Entropy (8bit): 5.526155534722049
Encrypted: false
MD5: 852839F77B1AC1E0EF6482B99C255795
SHA1: F6EF34E9A51DC91F23F6DC022418B0197991A7CD
SHA-256: C5738834336316476D57198BDFD9CE24003AD59A1002B79974B275AA60CA3CC8
SHA-512: FB0F5A9124D25F6F7ABC2271CC5819AE2FD143FA396D2312688A31EFA75509F475794426CB1DDA0EF3EB5EBFEC8182C675827143C502A1C7FE4358909517676C
Malicious: false
Reputation: low
Preview: var __spreadArrays,CoreUtilities,LoggerModule,VisibilityChangeHelperModule,ShowWebView,HitHighlightingParserImpl,DataSourceLayoutManager,ThresholdDiagnosticsProd,FailedPromise,ThresholdUtilitiesM2;_w.EventsToDuplicate=[];_w.useSharedLocalStorage=!1;define("shared",["require","exports"],function(n,t){function s(n,t){for(var r=n.length,i=0;i

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\XY3VI6XR\2\Init[1].htm
Process: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
File Type: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Size (bytes): 146561
Entropy (8bit): 5.937950709090177
Encrypted: false
MD5: AC09E2595ED22AF61E977119010711A0
SHA1: 431CBD7191037149CF8A1BED2948F90254497C66
SHA-256: 0B6EA2317141B2D95637D0B96242D750B27D4CBEAAEE90FF7E867798A6CCAA67
SHA-512: 8A753E5E89B1E7A96620290D9EA423C998C8B1C0544445209042FB2E099FDEA67131D130B3CF852DBD0C00895ED69D9912EE01E0631AFE2FDC3AD5FC572CC19D
Malicious: false
Reputation: low
Preview: pc-->Bing