ID: 182796 Cookbook: browseurl.jbs Time: 11:09:30 Date: 15/10/2019 Version: 28.0.0 Lapis Lazuli


Analysis Report https://ziad-w-hammad-dot-yamm-track.appspot.com

Copyright Joe Security LLC 2019

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 182796
Start date: 15.10.2019
Start time: 11:09:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 21s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://ziad-w-hammad-dot-yamm-track.appspot.com
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.phis.win@3/189@2/28
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Browsing link: https://sites.google.com/site/scriptsexamples/
• Browsing link: https://sites.google.com/site/scriptsexamples/home/news
• Browsing link: https://sites.google.com/site/scriptsexamples/available-web-apps/awesome-
• Browsing link: https://support.awesome-table.com/hc/en-us
• Browsing link: https://sites.google.com/site/scriptsexamples/available-web-apps/awesome-tables/demos
• Browsing link: https://sites.google.com/site/scriptsexamples/available-web-apps/awesome-tables/add-ons
• Browsing link: https://plus.google.com/communities/117434057513505498243
• Browsing link: https://sites.google.com/site/scriptsexamples/customers
• Browsing link: https://support.awesome-table.com/hc/en-us/community/topics/115000043385
• Browsing link: https://support.awesome-table.com/hc/en-us/articles/360000251129
• Browsing link: https://sites.google.com/site/scriptsexamples/available-web-apps/awesome-tables/terms-of-service

Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, conhost.exe, CompatTelRunner.exe
• Created / dropped Files have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.108.44.35, 67.26.73.254, 67.27.234.126, 67.27.157.126, 8.248.115.254, 8.248.113.254, 216.58.201.78, 172.217.23.227
• Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, ssl.gstatic.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, sites.google.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 48 | 0 - 100 | | false | Audio Phisher |

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification

[Figure: classification chart. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Process Injection 1 | Web Service 1 | Credential Dumping | Process Discovery 1 | Application Deployment Software | Data from Local System | Data Encrypted 1 | Web Service 1
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection 1 | Network Sniffing | Security Software Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 2
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | File and Directory Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 2

Signature Overview

• Phishing
• Networking
• System Summary
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion


Phishing:

Yara detected Audio Phisher

Networking:

Social media urls found in memory data

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

Uses HTTPS

System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Sample might require command line arguments

Spawns processes

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Uses new MSVCR Dlls

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Behavior Graph

[Figure: behavior graph. ID: 182796; URL: https://ziad-w-hammad-dot-y...; Startdate: 15/10/2019; Architecture: WINDOWS; Score: 48. Recoverable elements: iexplore.exe, which started a second iexplore.exe; signature "Yara detected Audio Phisher"; IPs 104.16.53.111 (unknown, United States) and 104.16.86.20 (unknown, United States), plus 27 other IPs or domains; dropped file C:\Users\user\AppData\Local\...\Y827I32K.htm, HTML.]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.mercadolivre.com.br/ | 0% | Avira URL Cloud | safe |
www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe |
www.dailymail.co.uk/ | 0% | URL Reputation | safe |
https://sites.gooRoot | 0% | Avira URL Cloud | safe |
https://sites.goom/communities/117434057513505498243b-apps/awesome-tables/add- | 0% | Avira URL Cloud | safe |
onib/query/?v=309 getbootstrap.com) | 0% | URL Reputation | safe |
busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe |
https://sites.gooom/site/scriptsexamples/ailable-web-apps/mail-merge/Root | 0% | Avira URL Cloud | safe |
www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe |
it.search.dada.net/favicon.ico | 0% | URL Reputation | safe |
search.hanafos.com/favicon.ico | 0% | URL Reputation | safe |
googleappsdeveloper.blogspot.fr/2011/10/4-ways-to-do-mail-merge-using-google.html | 0% | Avira URL Cloud | safe |
cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe |
ocsp.pki.goog/gts1o10 | 0% | URL Reputation | safe |
search..co.jp/results.aspx?q= | 0% | URL Reputation | safe |
buscar.ozu.es/ | 0% | Avira URL Cloud | safe |
ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe |
https://pki.goog/repository/0 | 0% | URL Reputation | safe |
https://support.awesome | 0% | Avira URL Cloud | safe |
search.auction.co.kr/ | 0% | URL Reputation | safe |
https://accounts.google.c | 0% | Avira URL Cloud | safe |
www.pchome.com.tw/favicon.ico | 0% | Avira URL Cloud | safe |
browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe |
crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
google.pchome.com.tw/ | 0% | Avira URL Cloud | safe |
www.ozu.es/favicon.ico | 0% | Avira URL Cloud | safe |
search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe |
https://view-awesome-table.com/-KM9XJNLVJu3ztjveiMZ/view | 0% | Avira URL Cloud | safe |
www.gmarket.co.kr/ | 0% | URL Reputation | safe |
https://sites.gooom/site/scriptsexamples/available-web-apps/awesome-tablesRoot | 0% | Avira URL Cloud | safe |
https://sites.gooom/site/scriptsexamples/available-web-apps/awesome-tables/terms- | 0% | Avira URL Cloud | safe |
https://ziad-w-hammad-dot-yamm-track.appspot.com/Root | 0% | Avira URL Cloud | safe |
search.orange.co.uk/favicon.ico | 0% | Avira URL Cloud | safe |
www.iask.com/ | 0% | Avira URL Cloud | safe |
service2.bfast.com/ | 0% | URL Reputation | safe |
www.news.com.au/favicon.ico | 0% | Avira URL Cloud | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Y827I32K.htm | JoeSecurity_AudioPhisher_1 | Yara detected Audio Phisher | Joe Security |

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context


Startup

System is w10x64
• iexplore.exe (PID: 2676 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  • iexplore.exe (PID: 1860 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2676 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\1FBVMPHM\support.awesome-table[1].xml Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines, with no line terminators Size (bytes): 19707 Entropy (8bit): 5.275581086451053 Encrypted: false MD5: CDF65E7F819680744CDD4F497C6A551E SHA1: 90CC1AA8678055D63057D7E943D67F380B1CF607 SHA-256: 6C3AFB400AD0DCF714B3FBC8651AD9DEA196F98B4406A0B3A30ABFE397490EE3 SHA-512: 7568BDB7E314170670B642B04F67D21081AC7F9002DC67F8E2066AFE2CC2791085C13CED34D87EBA07F755612F8DDDD85D6EBFCC355CE4BC874F1C5B7817F24A Malicious: false Reputation: low Preview:

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\D1YBPPLZ\www.[1].xml Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines, with no line terminators Size (bytes): 6088 Entropy (8bit): 5.118445903599979 Encrypted: false MD5: C40D5332A5573597B3ACB9C8666D6F4F SHA1: 11BE21AD2E6895C9719624358CF004C80EFC815A SHA-256: C4E6BFCB910F56747DE59FF9DC692AC9E3A17681191B526DA4C9A1F58BBB88BD SHA-512: ABBD69A49E377A506D4F91F2EDD672B0157649FB735732C911125F0A3834724D66003883DBC1A8563AAE18D26B1EFEC4C7EB10A4D7B640CE590599C2FCF66565 Malicious: false Reputation: low Preview:

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{136E7FAF-EF77-11E9-AADB-C25F135D3C65}.dat Process: C:\Program Files\internet explorer\iexplore.exe File Type: Microsoft Word Document Size (bytes): 39000 Entropy (8bit): 1.916947100937897 Encrypted: false MD5: E53CA52DD0404155F37E66E6519BCA76 SHA1: 28680FE7CA3B2E019C9D4F6C30612F8564CB40DB SHA-256: BD4107A2A4A56210D290BBECF028D21F5C05C4E70BE28015B57B344B0A450A1A SHA-512: AABD63FAE86B0B2285078ACDDDC240937D2959A5699CC219EC51D6C79A544107B6FE943F94DC739ABB762B53F02503AA61E52915E8BF12EC281E9ADF5CF19759 Malicious: false Reputation: low Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{136E7FB1-EF77-11E9-AADB-C25F135D3C65}.dat Process: C:\Program Files\internet explorer\iexplore.exe File Type: Microsoft Word Document Size (bytes): 320554 Entropy (8bit): 3.2913093235198225 Encrypted: false MD5: 0D15A470824AB29A3D5D0B230B37107F SHA1: EF29D886A784A64AF5D8A9662AF03B516F206D5F SHA-256: 6366FCF743CA3950EA6C477D473D9E0F8F1CEA88F5D907A7BD83CA61D453C8F7 SHA-512: 56508C7855E255AC1BAE98F59F6ED1FB2508D0AE8D2E5D846E895E6431CE98BEE940BB7AC7CAFF2E28232F2FFDF0113DA732022A28EBF6ABF0BB4267DF13E09F Malicious: false Reputation: low Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1D354BCA-EF77-11E9-AADB-C25F135D3C65}.dat Process: C:\Program Files\internet explorer\iexplore.exe File Type: Microsoft Word Document Size (bytes): 19032 Entropy (8bit): 1.586355632109999 Encrypted: false MD5: 6E1F33C50833F5BDA83E90C7F6BDDC16 SHA1: E013F2321EA3E16EC7D4168084B258552F6BD8D0 SHA-256: 5F46704E42E26EE46470249F2FFF6D0228C230EAA00FC48BD940E470C4F1DF2D SHA-512: 8DE6F88FD9390C95D67D8CA87F8D9123FEC9B3A954C790657B9501BD2B85850C0D8A0715B0D2E773124EB3CA343CC5F40F65673542A57B5FA42C4E34CC8C9C02 Malicious: false Reputation: low Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 656 Entropy (8bit): 5.084888757128884 Encrypted: false MD5: E6F45D28192C8F735C67927EF3F11C99 SHA1: 374DCDA5BE41D6043D58E06CF84540B7B7A8C0D8 SHA-256: 73A50345BC216246CCDDA279FAC98C702769E72B23BFF69533A6E183B65E956A SHA-512: 0726B139FB247AF28E45E5D869C84B8232207C6BF166AFD2E2680687CB331D15627BB62EA36B864296C273D000A4C8BA31473E084C0E295568BE21A6204A8009 Malicious: false Reputation: low Preview: ..0xea3b6866,0x01d58383< accdate>0xea3b6866,0x01d58383....0xea3b6866,0x01d583830 xea3f8e6b,0x01d58383..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 653 Entropy (8bit): 5.094421732611357 Encrypted: false MD5: 5EFFE2235304D77834F1FE94121B54AF SHA1: A329E072EA5A5B0089C9D7AFD6E5A8CE89BEBD64 SHA-256: FE800ECE085CAA65BEA38DA65E4E6309487D39B9A93B106A709FAEBCA8A018A2 SHA-512: 12CE316BC3E89369BAF76B92D93F97C07540944BA6552D2C557F908BC49130E1A74C86F7A1628132DEAA838A7A4028349A952DF9D7C17EB946B0628EE5A2E724 Malicious: false Reputation: low Preview: ..0xea00ff98,0x01d583830xea00ff98,0x01d58383....0xea00ff98,0x01d583830xea151143,0x01d58383..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 662 Entropy (8bit): 5.093016388840607 Encrypted: false MD5: 6EDA53145662196F4489073ACDD71E53 SHA1: 2DD3A13972EB88DEC7F12B9CB97C42D71453ABA3 SHA-256: 1327E770CEB60BFE35E3BDB70CD72A776EF4B237EE51C124F830ED1919986728 SHA-512: 10C68DFCC2D6E99B036A423CD5F1FD0124BD92C1295C178925E358FDE2FF5FCAAC3F3948E580C86452B3885D9E8038C10EEA7BFACF779195E12E600DCD6E0D23 Malicious: false Reputation: low Preview: ..0xea46e86e,0x01d58383 0xea46e86e,0x01d58383.. ..0xea46e86e,0x01d583830xea4c5eae,0x01d58383..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 647 Entropy (8bit): 5.123151534448937 Encrypted: false MD5: E5BA206C68E4B5CA05CE53BDE7F08474 SHA1: 540F13C2E8E18631C43B0C0A1943D01917D690BC SHA-256: C3926A85C87FD937FE203D388740DC751ABB7BF21CCC8709A13CEAC2F8E13AF5 SHA-512: 081186E1D2FB0AE86AF5477ECE7629CF4C3D6DA6DAE097225394E3E1A626CFB346A041DA8092BA9516E4CC051F51CA131C79EF66B3F3424D619200C773E23D9B Malicious: false Reputation: low Preview: ..0xea277af9,0x01d583830xea277af9,0x01d58383....0xea277af9,0x01d583830xea2b6 a4f,0x01d58383 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 656 Entropy (8bit): 5.092579257291384 Encrypted: false MD5: DE466CAC9E6FE194D8407D78E080A4EA SHA1: 62BA92AC6C07FBC8AA8C403F299F2E12606FCD09 SHA-256: 1115534A5CB612663C4437E61179E865F5141D2A45A58FDB643E884C82AB0590 SHA-512: 5007EDA2FB96366E274717E8F1177AB02575872E52F17432B7124666B5E85E03F5AA1697727044E1526406D8A3F3A09DFA10F584144C50A255B9457A278F091C Malicious: false Reputation: low Preview: ..0xea4f80ac,0x01d58383< accdate>0xea4f80ac,0x01d58383....0xea4f80ac,0x01d583830 xea50c90b,0x01d58383 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 653 Entropy (8bit): 5.077711025678502 Encrypted: false MD5: A3090FF5F8E7DBF7F532631196F125F4 SHA1: B4FA56E3D06FEDDA2449BFE9D8B48FF1EB1308E8 SHA-256: 82E78352A6098772A0EFD522674E97D2DE015A11AD7326A6CC8F988CF42603B0 SHA-512: 7732E2D34C477C259B6A30E7DE9EAFDD99F6B772004D9D7AD6CF88AAFA004FF4ACAC3C37E8F35F7632554A42C769E9FD0BE006678BF31FE063C518501A03FA43 Malicious: false Reputation: low Preview: ..0xea34abad,0x01d583830xea34abad,0x01d58383....0xea34abad,0x01d583830xea3864e9,0x01d58383 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 656 Entropy (8bit): 5.141426172230267 Encrypted: false MD5: D5760D0DD7D12126ADA2E156C8B5800C SHA1: 768D8E6FB7A54A9253AFAAAB6597F02511641B78 SHA-256: 0F34B6C6CD43E9533967F55CFFBDD6766B0E2F017A4D183A6223C5189E64A95E SHA-512: 04721C3A74BBD96152E99653835A2246D9940F87950D40B9786B8BDBFD5DBFE12F9F932E4E710EE73D706591A85049AD01B7071D61056688933C2161FF790574 Malicious: false Reputation: low Preview: ..0xea2f1466,0x01d58383< accdate>0xea2f1466,0x01d58383....0xea2f1466,0x01d583830 xea331ae0,0x01d58383 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 659 Entropy (8bit): 5.06787669133913 Encrypted: false MD5: 3AE5C8DB3D4164D876A45FC9261A344F SHA1: 90C3687313D5E3AD9D88310F848C0DF7F11C19AF SHA-256: 420B050DFD0226059233312AB44812BF80A1EE0461CC4A71CD51B57ED27E6C45 SHA-512: B798FF05BAA219A1E464157668499A8CBE409DF0F9DAD276F7FABE3BBA0C7937EEB02E68199D7151B0B29D769B7E37FB4B77844DBCB98642C246515F5D7996FE Malicious: false Reputation: low Preview: ..0xea1b9efe,0x01d58383 0xea1b9efe,0x01d58383....0xea1b9efe,0x01d583830xea1eacd3,0x01d58383..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 653 Entropy (8bit): 5.078214956716433 Encrypted: false MD5: C98E6F44E45DF7B4FEFBBA40AE9F03B4 SHA1: 830FB9B489BC0BD57B8E53DAD6B697A3CB5411C3 SHA-256: F2A596D1EE0F877B878E851EFDF2FCF540207663121D534F4351CEBE9EBB7B41 SHA-512: 0FC4B088E2970D2B805D3E783A9C454E1426BA6D63BAABD052C239C95E3269C4BF10AD6524EA595A26E723EC9B0A8F157E38EA8E421F7807108427146F11E3F4 Malicious: false Reputation: low Preview: ..0xea22d88d,0x01d583830xea22d88d,0x01d58383....0xea22d88d,0x01d583830xea260cb3,0x01d58383..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\6aw4uvh\imagestore.dat Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: data Size (bytes): 7421 Entropy (8bit): 4.337315499770048 Encrypted: false MD5: 41049A0837222EA07B9362E4E0791333 SHA1: 2B12AB889DFFBAC044440E43A80D84C6D83AD69F SHA-256: 3539D714C889BECE5CA6655063F7E2D0F2B6F8AEBADEB1C65BEA458CCC63D4DF SHA-512: AEF6BAFC3850E746BAB9FA161CC1690CA21681966E45564A98E05A0CB0F9F3B1C328FBE4F683B5269365DC243000329B7F5FEE6E72B87ABE76D7D2370BD82575 Malicious: false Reputation: low Preview: https://ziad-w-hammad-dot-yamm-track.appspot.com/favicon.ico

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\1DYjij72AAU2GCdpII2fdRPtjJGxkdvFu5PtaURCL7FI[1].json Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators Size (bytes): 52781 Entropy (8bit): 4.611923414356826 Encrypted: false MD5: F3699FF6C7256D1024F9D88BF6F4D685 SHA1: CC3C621A2C5F97E2A262AA4276D0D7C0A4F495E9 SHA-256: 119F7539CAFCE18E4F8AB298A7AC69FA9F659998AFB8864A924F49FA014F649D SHA-512: 676E758E34858872408D8B7469642024B6C17132D1D5B1139CA123C67191FD05D45D72E30EA00D0FFCA78AEDD57F9D58A08579093AB0DFC8DCB2FD5424B9316B Malicious: false Reputation: low Preview: {. "spreadsheetId": "1DYjij72AAU2GCdpII2fdRPtjJGxkdvFu5PtaURCL7FI".}.{. "spreadsheetId": "1DYjij72AAU2GCdpII2fdRPtjJGxkdvFu5PtaURCL7FI".}.... . v16852 -->.. Feature Requests – Documentation - Awesome Table Support.. .. .. .

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\1Ptsg8zYS_SKggPNyCg4TYFs[1].woff Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: Web Open Format, TrueType, length 26284, version 1.1 Size (bytes): 103496 Entropy (8bit): 7.987844495281366 Encrypted: false MD5: AEE2E02B326A61BE1561FA6619AB5993 SHA1: F07563F0AFACE0EF48183DE2E5485FEA825D91F2 SHA-256: 5A11B302BEE0F45B9FB11E895B078B60BBDB63FFA86AE010047D101234333B09 SHA-512: CD89D73E3FC92D4D43C06A4317E61F0ED921086CB8D3E43675F86191C569270C1B9AF53CEFFADC242B217CF89C8DBA3C302CBF8800D73CFF70AE3764976A2D48 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\65c537236f7dff13478fee39c5ceed5f79c8b06f[1].ico Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: MS Windows icon resource - 1 icon, 32x32, 32 bits/ Size (bytes): 4286 Entropy (8bit): 3.0094747965849207 Encrypted: false MD5: 323F252F99692F90EA0DB7DD0D4D25DF SHA1: 65C537236F7DFF13478FEE39C5CEED5F79C8B06F SHA-256: 82500E31B9C78A380C43EF32BB0DB6351EF98BC50DA64C130CA83036567C3318 SHA-512: 97133E71D5981B727FDB0F02344527E3590087D95BFF788567A92AF046B72D141D7BE632FD3E2C71AF6DF7ECFCDA933D9BD1F270AEBB5861CD5AB58803360486 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\N52Sfrgsb-8t9Ab-N9m0hKxNhHviHlkLO8pA1CJxmT0[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines Size (bytes): 20210 Entropy (8bit): 5.556947965174922 Encrypted: false MD5: 062D7937454C6AD7C2E58A8661DA1724 SHA1: 5EBD725C1BB4119B18B0263134B658B1EF2101D1 SHA-256: 2350AB9D6926FC043DAFFA8DA49C0641A67949CAB166EB87FD784AFCEE5F82A6 SHA-512: 3DDDC426C9AC79B84FB6244BB568E5F24355748F78E8FA6F754C8631B9F89657808596225B6E7D3B1A9C280BD96E87B16DCCB5C9C52ED26861A2B656EA74EE14 Malicious: false Reputation: low Preview: /* Anti-spam. Want to say hello? Contact (base64) Ym90Z3VhcmQtY29udGFjdEBnb29nbGUuY29t */

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\NewErrorPageTemplate[1] Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators Size (bytes): 1612 Entropy (8bit): 4.869554560514657 Encrypted: false MD5: DFEABDE84792228093A5A270352395B6 SHA1: E41258C9576721025926326F76063C2305586F76 SHA-256: 77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075 SHA-512: E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD Malicious: false Reputation: low Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: " UI", "verdana", "";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt; ..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Y827I32K.htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: HTML document, ASCII text Size (bytes): 192 Entropy (8bit): 4.620081112840498 Encrypted: false MD5: B7BF805ABE8C86CA16C1003851988186 SHA1: 73FFD7430A16B0BBC71EF7D6624995B877470EFB SHA-256: F397A5F5C7ABA4F380224188BC072E5540E1A7EF49F3BEE0BE0BFA23C14252BD SHA-512: D21210E948E3CBAF4C3CBAA61E99C9D157ABF741D44532A6D7EEC8111E4DD8F60983912D46578B29BED55546B1F21211728F04121E51BEF1F67F1BC145B8A95C Malicious: true Yara Hits: Rule: JoeSecurity_AudioPhisher_1, Description: Yara detected Audio Phisher, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Y827I32K.htm, Author: Joe Security Reputation: low Preview: . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\YAMM-draft-email-tracking2[1].png Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: PNG image data, 972 x 439, 8-bit/color RGBA, non-interlaced Size (bytes): 122384 Entropy (8bit): 7.986123773678711 Encrypted: false MD5: 4E785FD48E13A563BBE16C7E4374C994 SHA1: 302A7E97C494F3C8747795364506FECC42A92B62 SHA-256: 303AAAF8381D94240296DE03A83A99F26477829D0542D3F5B095B7FFA771406F SHA-512: 71849AF8A709F5C9C07A0A04BFFF12970AAC7D88F681CC783D55371B3A9ED1AFDD7B81BBAB23590157D9E6A5B28FB78C8A7AA5FCE9FC13EB94D46FEB004ADAFA Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\algoliasearch.zendesk-hc.min[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators Size (bytes): 143357 Entropy (8bit): 5.554544436949649 Encrypted: false MD5: 14DB1A9996C3C99CB639FA6689FD69AD SHA1: 14716ED38C500EA532995B926D1A346AF6ED5353 SHA-256: A4202E6B52155F123EAE57E83100FACB9AE4DA10AF7FB093B7E8723E033ED132 SHA-512: B31A2770659A30D58E186E1F625938B6F084CB37DB7E5D23E0AF8FE93E8E73E0894EEF7236A110DBC1F5A30794E1CCFFCB81C8C80435019F12824C28DBC0AB1E Malicious: false Reputation: low Preview: /*!.* Algolia Search for Zendesk's Help Center v2.24.3.* https://github.com/algolia/algoliasearch-zendesk.* Copyright 2019 Algolia ; Licensed MIT.*/

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\awesome-table.zendesk[1].json Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines, with no line terminators Size (bytes): 621 Entropy (8bit): 5.006910906059243 Encrypted: false MD5: DB8AEE1EFB38B59651747B32F49DFCD4 SHA1: F23718AE1458C8123A3CB57A4150E1237BFE47DB SHA-256: 02EBBF677D60C36D84CB0896D7125234DD6CB5B9094E6FE13550A598E9F320E1 SHA-512: 6EE909016E171BE2874B260B469BC2642C3F0A4CD818CAA6EDA795196714EBFFCC71A1F11D92968DC86A90A7BEB02D0AD0E3DD11312458552630A299461F1674 Malicious: false Reputation: low Preview: {"products":[{"name":"web_widget","id":"awesome-table.zendesk.com","features":["help_center","ticket_submission"],"url":"https://ekr.zdassets.com/compose_product/web_widget/7d33f2314bee5951ee40f14fac74ae5351ab5bfb?features%5B%5D=help_center\u0026features%5B%5D=ticket_submission"}]}{"product":"web_widget","version":"latest","assets":{"scripts":[{"src":"https://static.zdassets.com/web_widget/latest/runtime.483bd48a747fe40486dc.js"},{"src":"https://static.zdassets.com/web_widget/latest/common_vendor.0ef4dce3e47ae0dc91d4.js"},{"src":"https://static.zdassets.com/web_widget/latest/web_widget.d50d042c3bc35cb0eaab.js"}]}}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\bootstrap.min[1].css Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines Size (bytes): 121200 Entropy (8bit): 5.0982146191887106 Encrypted: false MD5: EC3BB52A00E176A7181D454DFFAEA219 SHA1: 6527D8BF3E1E9368BAB8C7B60F56BC01FA3AFD68 SHA-256: F75E846CC83BD11432F4B1E21A45F31BC85283D11D372F7B19ACCD1BF6A2635C SHA-512: E8C5DAF01EAE68ED7C1E277A6E544C7AD108A0FA877FB531D6D9F2210769B7DA88E4E002C7B0BE3B72154EBF7CBF01A795C8342CE2DAD368BD6351E956195F8B Malicious: false Reputation: low Preview: /*!. * Bootstrap v3.3.7 (http://getbootstrap.com). * Copyright 2011-2016 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\bootstrap.min[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines Size (bytes): 84281 Entropy (8bit): 5.283690597187542 Encrypted: false MD5: B1E5CDFA801DA37F51EA9404A97E83C1 SHA1: 48BB63F77B78CFE122A3790781B8E0FCE25270A5 SHA-256: B7921CC58ACC8B0953E880EB9400E80D1A1A3C8162862D2828B33DFCBC8322C4 SHA-512: 8AEA44C6499A0D675B2E378E72137A97367AA64A34EE3E5F0E91490594C47E80191226A6950538D15C68B528623A83FE9E90CD76070E3DCB24B8AB93D664995C Malicious: false Reputation: low Preview: /*!. * Bootstrap v3.3.7 (http://getbootstrap.com). * Copyright 2011-2016 Twitter, Inc.. * Licensed under the MIT license. */

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\bouton_subscribe[1].png Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: PNG image data, 200 x 30, 8-bit/color RGBA, non-interlaced Size (bytes): 1484 Entropy (8bit): 7.81031721574497 Encrypted: false MD5: BA427F1E8F3A5DB8B5233D0EEBFF2F2F SHA1: B6BCCC58EFE9FF0D7ED138C78CF36213C4E9E577 SHA-256: ED1CC696FC83879877C22DBA2A93B8AA1A4DB119E719700B031A304AAF944A9B SHA-512: 7B6D798AEC5AEDB6C4A6A17C855A54FFCABC48EB949065B4E1777F8F200BAC4903597418F1D98F7ABEFB3BFE377FC2FB33E83E83341BBC73978F2C3C4D3B1550 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\collect[1].gif Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: GIF image data, version 89a, 1 x 1 Size (bytes): 3549 Entropy (8bit): 7.888897977396691 Encrypted: false MD5: BF9AAB557D2A9F2C5315C4A207FBFB86 SHA1: 6457733F13EB3ACDD9DFE87E528981FF23B49C2E SHA-256: C84E2F56A9E19C75A6F97F7571C2BD5126264C149B582BC8CCC6E6EF2AB5AB4F SHA-512: 4BA69CFBA481E9DFD1626B362C86A252C33B9EBD6F6A8C1A8502D73F8F9753DA346A40B42AF4C1CD98EF050F66F2D0FB1733DB1ED2F15C47899CE394009789B5 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\config[1].json Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines, with no line terminators Size (bytes): 1152 Entropy (8bit): 4.765232400891889 Encrypted: false MD5: 5FC39B5025F2E2632022E011AB810C6D SHA1: 5F00B7B81228FF002C98D990FE42ED94EB634E34 SHA-256: 9AE591CFF3EA2F2CC4D24B2D3155DCA5D459855D5AC8413BFF13B626001DBF09 SHA-512: D04A75AB501AC0FFDDC11B61C4202A2A99D59DF3F660A489C21EE21A6B1394EA06586A636A4B0CE00C89B6FB97674AAA632C291DF0B0FAAA91EFC5B9BA62AC83 Malicious: false Reputation: low Preview: {"locale":"en-US","hideZendeskLogo":true,"brand":"Awesome Table","brandCount":1,"hostMapping":"support.awesome-table.com","color":"#009688","textColor":"#ffffff","position":"left","embeds":{"helpCenterForm":{"embed":"helpCenter","props":{"color":"#009688","position":"left","contextualHelpEnabled":true}},"ticketSubmissionForm":{"embed":"submitTicket","props":{"color":"#009688","position":"left","attachmentsEnabled":true,"maxFileSize":20971520,"nameFieldEnabled":true,"nameFieldRequired":true}},"launcher":{"embed":"launcher","props":{"color":"#009688","position":"left"}}}}{"locale":"en-US","hideZendeskLogo":true,"brand":"Awesome Table","brandCount":1,"hostMapping":"support.awesome-table.com","color":"#009688","textColor":"#ffffff","position":"left","embeds":{"helpCenterForm":{"embed":"helpCenter","props":{"color":"#009688","position":"left","contextualHelpEnabled":true}},"ticketSubmissionForm":{"embed":"submitTicket","props":{"color":"#009688","position":"left","attachmentsEnabled":true,"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\d58834ad84e185f4cb2a4afca384c74d2ed4d326[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 6932 Entropy (8bit): 5.414087753317414 Encrypted: false MD5: 7E89710870D29FBD776C5055BB64B112 SHA1: 715027D79C4FAC7467FD501F2E68FC57EBFB2283 SHA-256: CE81EEEF0ED1C0C69A54432B631F9A5D0F3312B6F03EB52699E5AFF3ED4EAEE1 SHA-512: DC26B2070FE87A781A896B3CD72731269175206AA17BBB92DEC2C37E8484900196BF4E9BB42D99A7F2C2D1BCA6A786BF249BE87E921BDC875C88E096EDFFB2FB Malicious: false Reputation: low Preview: ..let trs;..let availability = [];..let filters = [];....$(document).ready(function() {...$('#example-getting-started').multiselect({....onChange: function(element, checked) {..... filterTable();....}...});..});...... window.onload = function() {...//get data from availability...trs = document.querySelectorAll('tr');...... for (var a = 1; a < trs.length; a++) {....availability.push(trs[a].children[2].innerHTML.split(","));....for (var i = 0; i < availability[a - 1].length; i++) {.....availability[a - 1][i] = availability[a - 1][i].trim()....}...}...... //get url params...if (window.location.href.split("?")[1]) {...... var params = window.location.href.split("?")[1].split("#")[0].split("&")[0].split("=")[1].replace("%20", " ").split(",");....var checkboxes = document.querySelectorAll('.checkbox > input');....for (a = 0; a < checkboxes.length; a++) {.....if (params.indexOf(checkboxes[a].value) > -1) checkboxes[a].click()....}...... }...... filterTable();..};...... function hide(row) {

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\demos[1].htm Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: HTML document, UTF-8 Unicode text, with very long lines Size (bytes): 35839 Entropy (8bit): 5.31516125750374 Encrypted: false MD5: EF21B95C12C05FDC989E140EAB00664E SHA1: 93F570EA023F00666BE7AC8368EEF2EA72149D9C SHA-256: 4E2AFB02E55FEA71FADF03EBCD88CA5BAF9DD32D08A7806FC5F03E24BFF1CDD7 SHA-512: CDA4B427CF37B1A547D3509966FDEC71013F6AA3BAA770D3A6078E8A8ED06749E5DAE01A2D7A53F259922134FFA734B308384EAC45E1D01737C6C11B8ED63347 Malicious: false Reputation: low Preview: .....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\.lp[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text Size (bytes): 422 Entropy (8bit): 5.435616208765852 Encrypted: false MD5: D4BC445691E63A38B980297A6D8429BC SHA1: 56CEA3FC6D5F75888FFF81D46F37ACDF00C62C60 SHA-256: 5B0462D25B4010FB51A4EA76CCC432FBE5D7B2A5CA7C31C26C6CE28A6BA1F153 SHA-512: 86C7E5213054ECD0958B9C4334DC6BAD7E27D35033421317303D7F39833A2FE3B9D8A41F5577A62EFCE163753DFFF7BBBAC69CB8184DDC00853543350F774E85 Malicious: false Reputation: low Preview: .function pLPCommand(c, a1, a2, a3, a4) {.parent.window["pLPCommand1"] && parent.window["pLPCommand1"](c, a1, a2, a3, a4);.}.function pRTLPCB(pN, data) {.parent.window["pRTLPCB1"] && parent.window["pRTLPCB1"](pN, data);.}. pLPCommand('start','2608058','u5ANqpSLX4');.pRTLPCB(0,[{"t":"c","d":{"t":"h","d": {"ts":1571130687735,"v":"5","h":"s-usc1c-nss-253.firebaseio.com","s":"phxHuNPnokUtTAmnoW29dssgnrboQ0OC"}}}]);.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\89vHrABUEbM[1].htm Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: HTML document, UTF-8 Unicode text, with very long lines Size (bytes): 48987 Entropy (8bit): 5.736018811814512 Encrypted: false MD5: 300B5B02667B028A8D46C0EC22E3461A SHA1: F11A238D9D509AAF0A6D226E1379050DF670489D SHA-256: 8534589D3D55FBEFADB6E8AD1E0A6C558FBA923C7720B5218752678A6E770123 SHA-512: F996BB03F43F7BBD4BA606C785BE3D880F16AD6C5DD3AAE79C5366AE837CCBCD5699B4468749E6AA1242D6049C0F1C07676D19B9C1169470FE4D7947249E50FE Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\photo[1].jpg Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: [TIFF image data, little-endian, direntries=1, software=Google], baseline, precision 8, 68x68, frames 3 Size (bytes): 22648 Entropy (8bit): 7.61023319421193 Encrypted: false MD5: 97A238EBE88B54F663E6E92C8B710B2E SHA1: 9FBB7A3BFE401E009D859D8335743BA90F6F7E56 SHA-256: B81848F630529DCD4180C5A76CC609EA03F290EFF3C38E344A0EF8AA8822DAD1 SHA-512: 12676C3AD2729466EC059BC84ADBF141EBC47DE05D1306675A12DEDCD0E3CE79FEF40A85FFC194B56027E8534B07BB35C7AAAB89C76162919F63893D312186F5 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\runtime.483bd48a747fe40486dc[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: UTF-8 Unicode text, with very long lines Size (bytes): 2045133 Entropy (8bit): 5.498232598528126 Encrypted: false MD5: C83BCB19F07CECE5D62D4FE4B2250DDD SHA1: B5DE3FE6A4C7AB844300D13693B0776987720955 SHA-256: 7AC798827BC8445872157575E160C49B2A10DBBD84A9A36A6D0621072BBB7CF5 SHA-512: 31C8D69A643DA04A7C7EE2E0FB067B2933DC4B99C5A61782B6E9CF342DB113C3E5BAB2DDB3DC1444E42279B1ECE9C535613042EBAC300AF1F5966365B5756E4D Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\settings[1].json Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines, with no line terminators Size (bytes): 782 Entropy (8bit): 5.362407758871472 Encrypted: false MD5: 6864B4A34B542575B4C227495CDFB782 SHA1: 714B6C2C6ED6949E33887C9AFB74E7742FD2913C SHA-256: 9C46A298916765E6996BAE94C9F704B996BB2F2D9F08C275BE98CC58D596D4BE SHA-512: 670A2B3AD2FF4E4A44FC6410D7F881F317CD6E12D829EFD33895DB4D355B63485C2075A9E9A0202BECC24A9760E7FD1BA66636376EBD13195CD6A6315FC560E2 Malicious: false Reputation: low Preview: {"ISpublicSpreadsheet":true,"backgroundColor":"white","categoryCaption":"insideFilter","codeAnalytics":"","customCSS":"","dateFormat":"dd/MM/yyyy","displayOrder":"{\"d\":\"v\",\"e\":[\"filters\",\"chart\"]}","download":false,"errorMSG":"","mapHeight":"500px","mapRegion":"world","maxCardWidth":"100%","minCardWidth":"160px","numberOfColumns":2,"numberOfRows":3,"pageSize":"5","queryOpt":"SELECT%20A%2CB%2CC%2CD%2CG%2CH%2CF%20WHERE%20E%20%3D%20%22Awesome%20Table%22%20ORDER%20BY%20F%20DESC","range":"A1:H","rangeTemplate":"Template Doc!A1:B2","scriptProxy":"","sheet":"Articles","url":"https://docs.google.com/spreadsheets/d/1p0-pScVwUdH3QJETe0sMBlv5XAIF53mzM_lQ9CZMILk/edit?usp=sharing","viewName":"ZENDESK [Script Examples] - News for AT Documentation","visualizationType":"Cards"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\snippet[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: UTF-8 Unicode text, with very long lines Size (bytes): 383243 Entropy (8bit): 5.587310089268342 Encrypted: false MD5: 8E1B2E0B2A3401C68F9341F0E7817D94 SHA1: 53D317828E88911D9DB7568C996CD176C262E2E1 SHA-256: 9FCD61B3811E6E9B9018A05553FFC2EBF3B763133BE365D415498DE547811E37 SHA-512: 909F27B38963E02979CE36F22A520BC4B295DE6550198A1A34322C798DFE2595792EC3BDF6B732E2AAFC013D694571982AB855078945DAB835496674FEBE36E0 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\videoplayback[1].m4a Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ISO Media, MPEG v4 system, Dynamic Adaptive Streaming over HTTP Size (bytes): 66292 Entropy (8bit): 7.894566707014099 Encrypted: false MD5: F62CE14774BFC0CC23BCA3E308EF4421 SHA1: 3950DDA219C3A9EAE98C467D8127F18644308751 SHA-256: 50469322FCA787423CBF0D91012C1DB34680F82FD24EF974B27372EF59D1DE0A SHA-512: 4FABE55E22B0FEB1D606776161109257725A507A6069EF41D7712EAE45E5F89D95988E2185638BD5F47C83080E5F2215521CD6450AE0D94D6921309A09F3B4B7 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\videoplayback[2].m4a Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: data Size (bytes): 132003 Entropy (8bit): 7.9680470407103305 Encrypted: false MD5: E31DF389645B5DA4E0980CADED6441CC SHA1: 3C9EC51E7D5E12A4C0625CD972D2134732D2C966 SHA-256: 3D7FDE8B8937434FB9F163D6370311F737DDF52B9AFD1C474C605A874F76F318 SHA-512: 0762535358D931C16A3AC24C0E61C7DF7E306A3AFEFED346F6776B887F71C4DFB6B468259BF2550FE6C4ED9C8E83E52F5FA06B4CFBE85FBA2DEBBC2BD0690C11 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\videoplayback[3].m4a Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: data Size (bytes): 213433 Entropy (8bit): 7.974534400365289 Encrypted: false MD5: 716071C096235344C24983EA2B1D59B5 SHA1: D6AB5AA4E65BCB720876A50313D27AB827F0061C SHA-256: 9086DEEB5D6C104DDFA851FAFF53613A695136B2756287F69F2BD43967723A3F SHA-512: F6566A2320D3DAAC8B1B84B33CCA3CA1545CEBBFD9460244B16B84B25B58D41A40D74C43FA81A6D89A7E8A2A1C702C99BFE0D6663549AD943CFECAFC4A1FD8AF Malicious: false Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\view[1].htm Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, CR, LF line terminators Size (bytes): 21237 Entropy (8bit): 5.605254297187362 Encrypted: false MD5: 66C8C3CED4D965B38B50DD9EE1D5FD36 SHA1: F1A3C61FF64D6A397BBE64D4764592756EF920C9 SHA-256: 775C213D18835BFE6A309C09EE4B191EEDF840B278B7CD7CF843DF5ECBDE11C7 SHA-512: F70779E52CFD7017FD990034BE8EC1D292B84966FF670B540327E67BFB82983406E693E37D5CB8D1D420A7C73A2C7CF7CE267A181F5977463AC1A57F31BBC25B Malicious: false Reputation: low Preview: Awesome Table window.awesomeTable={settings:{location:"site",mode:"view",version:"309"}}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\115000043385[1].htm Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: HTML document, ASCII text, with very long lines Size (bytes): 5208 Entropy (8bit): 5.128691438288365 Encrypted: false MD5: 0F207D6B31FE229A22EBB753BC3B40EE SHA1: 180908EC58B364F31F85DBA80679CA7D4E6AFF4D SHA-256: 0F4A1BB4947C60419C1C3AC0CA196DD8A5A7930F20957080B8CB3CCB9854783E SHA-512: E06AD0BC6A84F2D12BFA0A1089C7EAA3F7D71CC278779767CD2F23DB45951839A6483B2AC8FF5C3E97BB2C80AB93FBB583DC4B25B47B8AF0C23BF7B09A1DE758 Malicious: false Reputation: low