ID: 144138 Cookbook: browseurl.jbs Time: 19:27:59 Date: 21/06/2019 Version: 26.0.0 Aquamarine

Copyright Joe Security LLC 2019

Analysis Report http://zikkurat.tk/dl/spooky.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 144138
Start date: 21.06.2019
Start time: 19:27:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 3s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: zikkurat.tk/dl/spooky.exe
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled; AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.win@3/57@18/9
Cookbook Comments: Adjust boot time; Enable AMSI; Browsing link: http://www.freenom.world/en/index.html; Browsing link: http://www.freenom.world/en/free-my-device.

Warnings:
Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, ielowutil.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted)
Excluded domains from analysis (whitelisted)
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy | Score | Range | Reporting Whitelisted | Detection
Threshold | 48 | 0 - 100 | false |

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification

[Classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.]

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: File System Logical Offsets; Binary Padding; Rootkit; Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 3; Standard Application Layer Protocol 3; Remote File Copy 1

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL

Networking:

Downloads files from webservers via HTTP

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

Uses HTTPS

System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Spawns processes

Found graphical window changes (likely an installer)

Uses new MSVCR Dlls

Behavior Graph

[Behavior graph. ID: 144138; URL: http://zikkurat.tk/dl/spooky.exe; Startdate: 21/06/2019; Architecture: WINDOWS; Score: 48. Process nodes: iexplore.exe, which started a second iexplore.exe. Signature shown: Multi AV Scanner detection for domain / URL. Network nodes: www.freenom.link, freenom.link, photos-ugc.l.googleusercontent.com, pagead46.l.doubleclick.net, 172.217.18.97, 443, 49753, 49754 (unknown, United States), 172.217.22.66, 443, 49744, 49745 (unknown, United States), and 18 other IPs or domains.]

Simulations

Behavior and APIs

No simulations

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label | Link
zikkurat.tk/dl/spooky.exe | 19% | virustotal | | Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
zikkurat.tk | 5% | virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
pagawa.com | 0% | virustotal | | Browse
pagawa.com | 0% | Avira URL Cloud | safe |
zikkurat.tk/dl/spooky.exe | 19% | virustotal | | Browse
zikkurat.tk/dl/spooky.exe | 0% | Avira URL Cloud | safe |
www.freenom.linspooky.exek/en/index.html?lang=enRoot | 0% | Avira URL Cloud | safe |
zikkurat.tk/dl/spooky.exeRoot | 0% | Avira URL Cloud | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
iexplore.exe (PID: 2808 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 1604 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2808 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\0QZMDP18\www.youtube[1].xml
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Size (bytes): 3393
Entropy (8bit): 5.087175688113238
Encrypted: false
MD5: DF5E01092D17625A0276589B1AEA8EA8
SHA1: 773A75B256F052655B65A3E252E605E75E76CC73
SHA-256: 77AFD2C9DC9992E00CB38EEAD5F9FEA168505291872D14F3F2045409F5F6F81D
SHA-512: 5744EC03E14CA8746043A29A582E6A0F199A5029F80E521001F808339AFC9DE78D9D91DEFE1F0666AAD1DA365444E432BC1503475BD0E0CA4C43468A13500AEA
Malicious: false
Reputation: low
Preview: ..0x54a66963,0x01d528a2< accdate>0x54a66963,0x01d528a2....0x54a66963,0x01d528a20x54a66963,0x01d528a2..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 661
Entropy (8bit): 5.178070309244653
Encrypted: false
MD5: 5771F181ADBC7BAC570E44F05DEA7F45
SHA1: DEABD0F9A572A653EF785F26126966CA3DF91D95
SHA-256: ECA12C77EDB8094AFD0F6D6FC8C95245E1824B243A45CC5B79FF68B964034D69
SHA-512: AF12CAB62D87AEA4DC5B40451A995E64377121B087B750AFF8F7E247FD54D118D7DA9133B30A5EB9BB301ACDA4E6E86536AFE723255442BA159D4F6218229B7E
Malicious: false
Reputation: low
Preview: ..0x548862b9,0x01d528a20x548862b9,0x01d528a2....0x548862b9,0x01d528a20x548d4e07,0x01d528a2..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 670
Entropy (8bit): 5.143792487877664
Encrypted: false
MD5: C4531E2CDFB5BFF49D6044D9F39FE290
SHA1: 3B91496782F131183A68E8E3C4AE7C03FF2A3805
SHA-256: AC5869EBF3509C198CFA29419ECD147BC5D9553EEFCA813DAA68D5C677BEC01E
SHA-512: 9FF9BFCFC6D3A62D275F7931747DBCBFC51C91C2611A7D717B98C7F1167F45DF33E7A74D343D26B55FE64B5524EEA856DA816ABC051726E5DFF080FD2B5151A3
Malicious: false
Reputation: low
Preview: ..0x54a9248d,0x01d528a20x54a9248d,0x01d528a2....0x54a9248d,0x01d528a20x54a9248d,0x01d528a2..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 655
Entropy (8bit): 5.149813495635855
Encrypted: false
MD5: 6C1C5582B1D85141B065547DB3318A33
SHA1: 93FDEDFCFA650614A75F9EC6CF498173D0A60780
SHA-256: 610999F51EE8F7E1BA0738B23346B34A64FE5C9E022FBCABEFD0B872728FB2B7
SHA-512: 117807BCCC4D334C15E21285DC086EC58D72D8F2568126D79F8899D12F262185E6EB182C3C0C151B20CC2D129C7BFCC79B48DB4B6417D7CA7C162431BF89F9DF
Malicious: false
Reputation: low
Preview: ..0x5499d1f7,0x01d528a20x5499d1f7,0x01d528a2....0x5499d1f7,0x01d528a20x5499d1f7,0x01d528a2..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 664
Entropy (8bit): 5.149768530196451
Encrypted: false
MD5: 6FC832E03F91384B2A40740951AA3D7F
SHA1: 507C11D462A42DB5855338CFD2E8B55D9F684719
SHA-256: 1B70C7599F2A8A5ED90E69467A1AED0010703E5CEDC1B2F619B76A7B523DA2C1
SHA-512: AA950B20DA23D94E413E5389D2CC83101F053C48BC9AD7DB42C351D86F618C6F0D108E5BCA53379233F716E6C6F861511E40EBC131AA93E28BF04EEAF2DBDF93
Malicious: false
Reputation: low
Preview: ..0x54abd9c2,0x01d528a2< accdate>0x54abd9c2,0x01d528a2....0x54abd9c2,0x01d528a20x54ae61ef,0x01d528a2..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 661
Entropy (8bit): 5.094534095436767
Encrypted: false
MD5: 1B2CA65CAD365E7086078A75405DA808
SHA1: C7C3A1A519B73C30E88C7800A83138D700F088FF
SHA-256: 33621D8BA8019B74CA0065F4A6F6DC3E5C71963F73E95686F9AD3C52A47DAB47
SHA-512: 118EBEA2A78525BC06D3AABE0C39893E2D7FD586E1C6E1121009467E183C5466A2ECF84E8D8E5075EDCE6F60577E18C50385152D16DA759D31A3C104576B1228
Malicious: false
Reputation: low
Preview: ..0x54a157de,0x01d528a20x54a157de,0x01d528a2....0x54a157de,0x01d528a20x54a3e0db,0x01d528a2..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 664
Entropy (8bit): 5.168560288988883
Encrypted: false
MD5: 1AF9689F9A28FE2A7570DA63EAF733D9
SHA1: AB0D6CDB9C6B9641F97C484B3264225CEC965B52
SHA-256: EB997648F38717EB8A266237B9D84152D1D7518DD983C123F01382A68AA5349B
SHA-512: 1697901EC674515D479E005E8773C2A1904DFD7EE9E1D76CE4393354682F7757E0234D535B9ADB03A38685AA62B912FB61C91BF893D342868F256FAFD75EA8CE
Malicious: false
Reputation: low
Preview: ..0x549c59f8,0x01d528a2< accdate>0x549c59f8,0x01d528a2....0x549c59f8,0x01d528a20x549ee2f3,0x01d528a2..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 667
Entropy (8bit): 5.15640369066614
Encrypted: false
MD5: 901EB74A5EDEF256A7917159A81DCA88
SHA1: 4FCED284F93B54AE417503DFC2543598A41258C9
SHA-256: AC0F8408B70974AE43A3801F179822F64111F215EFF9AF0AE407CE1F33EEC2D6
SHA-512: 34B123503BF71E52ADC6FCA96D2ABF20B40CD30E35BB339FD06F0484CC07D25EAD00CE111DAEC933616DA742696C802036B2B6B592FEE23271EBF1F6E35DD4B2
Malicious: false
Reputation: low
Preview: ..0x549224fb,0x01d528a20x549224fb,0x01d528a2....0x549224fb,0x01d528a20x549224fb,0x01d528a2..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 661
Entropy (8bit): 5.156077484367923
Encrypted: false
MD5: FE4A7C403D3E789762A3FE1B219AA481
SHA1: BF2C079BE57C651D364219A5FC9DCBCA2F33219A
SHA-256: E5BF495F38CF2A97138B9682C7772DA36A4E205720A98BE2002669BA607E5642
SHA-512: B308C91C93D09754A41A3766E17D9A5994B07D51BC30CA1A3955E39F29CE568913BA72616A0DCCA4715DB6611DDCA35BFEBF33F6D6D9DE4A0C9DF1948196E67F
Malicious: false
Reputation: low
Preview: ..0x549487b5,0x01d528a20x549487b5,0x01d528a2....0x549487b5,0x01d528a20x54971063,0x01d528a2..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\typalil\imagestore.dat
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 4664
Entropy (8bit): 5.116159656668926
Encrypted: false
MD5: 7344EAB98D5A62CD36328DB622DA0FF5
SHA1: 7BD74E5CAD8B3AB94B8AEF693520CB29AB1BB3AC
SHA-256: 24306558CA8C502D954C41A07DF9D336127DA2EEA83CFB5125A6C7C458E85DBE
SHA-512: 17127CCB96BCF27A2081F8B57710A70CE87FEA30B03EB020A717E6424DB2B9B49BA01F64F2E757E179926BE989F2E133926315116648681BDC9C2690D07DC058
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\KFOjCnqEu92Fr1Mu51S7ACc6CsI[1].woff
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: Web Open Font Format, TrueType, length 21564, version 1.1
Size (bytes): 82928
Entropy (8bit): 7.977153847628526
Encrypted: false
MD5: A62375240962C0C9273EBCDCE0D9A88C
SHA1: D029C7A2BF487A16A451F90434F37E82E86A0043
SHA-256: 60C2AD941C3E639752B36A579549CD519780464F96C128FC82C71EEF7D7A8BF2
SHA-512: 13485AAF22510F2E3530E0B303DE5066DD9BF1C62C6A0A5234AE6176358A6503C6BD1483369E5D68DE193580E3BC32E28FB14185EC68B794E87B66BF28B172C1
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\analytics[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 43964
Entropy (8bit): 5.517521542154716
Encrypted: false
MD5: 80E9F663857FE3A4F3B2826EC5AB4377
SHA1: 61B43A28C52673E73F5F6DF9F5C16D712EFC72DC
SHA-256: 8F88CB7A1CD4134F5D616B9FCA90B9069FA16C162B7AE66BA1B500C490B41DD2
SHA-512: 3E4BFBC2233CE8731A5D7614DCA0D7E5658BDBE8E5B18176828EBFA0E6DA0AA0BFA6126FCB0A9C69F9574B9641F5BF1E50C5D33F4DA390EAF71A2827C2B5B082
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\bg-main-slower[1].dat
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 786432
Entropy (8bit): 6.80975069333387
Encrypted: false
MD5: BA650852E84A6C11C7B5F43AC8B7A9AE
SHA1: D0C6F53DE6DE6C5F4E013D57EA0796B6D4126B15
SHA-256: F5A3F9C4AEC599A503A83818F0ACD027B8963990329B65F7CF10B3C0E5615F11
SHA-512: 56CA2A91D1C3AD482ACDCD08EA296C0D59506F4791A149CEA915A93DA9698992E5FADC5D234022B722D9C79D0264C158BFD2EAC89F1EB421E9061D7EB4954688
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\favicon[1].ico
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: MS Windows icon resource - 1 icon, 16x16
Size (bytes): 2048
Entropy (8bit): 4.737770241937844
Encrypted: false
MD5: 9D88ADF1B48D0395E690BD17E5625851
SHA1: 1874190D30C93CA117B3B1D65F150BE38EC55A56
SHA-256: 817D5D40F1ADDC3A4247E62AAF58400A7A81830ADDC9692B2BA65DD5068F02C8
SHA-512: 9B7F701094FFE63BA2F8499B23EE7F02A5795FE1ACCBEDFC41D5A5C4BF5A32D1C8AB855E8DCC82980887441EBFDB95498F8964B33924E5CD4C980C2EBFFF5BC3
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\fontawesome-webfont[1].eot
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: Embedded OpenType (EOT), FontAwesome family
Size (bytes): 56006
Entropy (8bit): 7.982832242681074
Encrypted: false
MD5: 7149833697A959306EC3012A8588DCFA
SHA1: 0183979056F0B87616CD99D5C54A48F3B771EEE6
SHA-256: E511891D3E01B0B27AED51A219CED5119E2C3D0460465AF8242E9BFF4CB61B77
SHA-512: 3D0D435310306C977BFA7FAF3BE358E7184A27D7F83688131D295378F6EE0FE053AFAA0C1E5FBC9C00EB24787E8239F4B0D4D7B339B5576E3C4B1FE741906415
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\free-my-device[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, UTF-8 Unicode text, with CRLF line terminators
Size (bytes): 32719
Entropy (8bit): 4.639596353618184
Encrypted: false
MD5: 854AE95C2A8843AB2E96214A9EA37BA5
SHA1: CF6A374B2F6430B20E938FF3A1DEC6EC3C4C534A
SHA-256: CB22E9E71F500DB4D9095395E30BE8A01D3EDEC514F5E1E81A4B636C00ED742C
SHA-512: D39FF14AF317A2019C1E11FB93D579863C94DC57E4F7804A9AC030C4707F85A71AE259969F4D66673C0D1AD9E53AECCC79D7AF27E9084770D646DD876B759E36
Malicious: false
Reputation: low
Preview: .........Freenom World....... .. .. .. Latest compiled and minified CSS -->.. css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">...... < link href='https://fonts.googleapis.com/css?family=Open+Sans:400,300,600' rel='stylesheet' type='text/css'>.. .. .. ........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\freenom-world[2].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 800 x 107, 8-bit/color RGBA, non-interlaced
Size (bytes): 9235
Entropy (8bit): 7.910165167594853
Encrypted: false
MD5: D5E3B25BDE5198C87AAD6741F51F2E71
SHA1: A38E471CD4FB2CF6C6BB017F086B204CC2460239
SHA-256: 36C376AF44C3AC669D3B488BDE3BBC3ED5098C5FD1BC62BE243D61D1BADF4769
SHA-512: 721E14ADB66962D904BECE5A011F6A6CC5C77DD5A1679276EA95C5E7922B064CD9C4DAB96320B06DC106F5E6C9C23336513C1F796E80394BD0235561FC4CC5CE
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\routers[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 18286
Entropy (8bit): 5.401345293006877
Encrypted: false
MD5: 4B1029E68AED2ECD9ABE517E6B5478E4
SHA1: 52204BA8D5B491BA23977953BBF19BE572ADF34F
SHA-256: 88AF1AAED02A02429755354D3ED58187169BDDD1EA905F50138FEAC8B8AF4A40
SHA-512: 72974C4E89DA815FD49AE2F84074212886F5E250C944F592EA32ADA59996720D210C4A213921F0CB4A22AFA1319D56898C23E323283A6C1CF18621A20F3B1C9A
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\bootstrap.min[1].css
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 121923
Entropy (8bit): 5.107172900578496
Encrypted: false
MD5: 4C71430FA1D240DCA2B0AA0A1D470778
SHA1: 072CBE24EAFA03B2356D94013E650E36ECE60FFB
SHA-256: 8499D6368C5FBB57EE5DB9BBCA231B0380F62FC8F4711CCFAC5A8397C8316C3D
SHA-512: 5615B00431CFF4D620C048AA894DDD6D8F752FC21C151E54EE05C13AB25A690EA2B3137BE5563E94F6113F4B8224E682A57FAC12EB5CFFC72B3980595C24DB76
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\bootstrap.min[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 37045
Entropy (8bit): 5.174934618594778
Encrypted: false
MD5: 5869C96CC8F19086AEE625D670D741F9
SHA1: 430A443D74830FE9BE26EFCA431F448C1B3740F9
SHA-256: 53964478A7C634E8DAD34ECC303DD8048D00DCE4993906DE1BACF67F663486EF
SHA-512: 8B3B64A1BB2F9E329F02D4CD7479065630184EBAED942EE61A9FF9E1CE34C28C0EECB854458977815CF3704A8697FA8A5D096D2761F032B74B70D51DA3E37F45
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\connectivity-lg[1].jpg
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 2708x929, frames 3
Size (bytes): 71057
Entropy (8bit): 7.883143733747939
Encrypted: false
MD5: FBF2EF784BC432FBC84A3AF5C7E50344
SHA1: EFE0E9D26C54E71C3AAF35CFBC6058693C9F2F2D
SHA-256: 9EDE2BBC221642952808E63463EF16E56331F6A4E14D73E7E8284024BBE95F0E
SHA-512: 005D0D3F78B5E8A041E314ED5F45C4AE77D20FC8A7E0A320ED0637F10471BE415DCF7A8970090ADF6BAE6C3CEE7127297EB94762309C3232C7F294E0D08709BC
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\dos[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 20368
Entropy (8bit): 4.9423311789438955
Encrypted: false
MD5: 01BE4B09B9AFB3EE51244B4BBE9DC565
SHA1: C38D5A0282034A33197C4971AD784A8AC38C903B
SHA-256: 3171967AA4080C37BAFF60D0F68D3BE3ACC213565C66DFBAE7717A4D964889C3
SHA-512: 85CB696E8C63FEDAFAA5F3B8E6D407D83F4689445CE24307FF2D19FA3A7B64CFD9F3122B6B8CF10185FFA3DA0B0CF761E58C8BF257A3B5421E02AA0870CEE760
Malicious: false
Reputation: low
Preview: /**. * PgwBrowser - Version 1.3. *. * Copyright 2014-2015, Jonathan M. Piat. * http://pgwjs.com - http://pagawa.com. *. * Released under the GNU GPLv3 license - http://opensource.org/licenses/gpl-3.0. */.;(function($){. $.pgwBrowser = function() {.. var pgwBrowser = {};. pgwBrowser.userAgent = navigator.userAgent;. pgwBrowser.browser = {};. pgwBrowser.viewport = {};. pgwBrowser.os = {};. resizeEvent = null;.. // The order of the following arrays is important, be careful if you change it... var browserData = [. { name: 'Chromium', group: 'Chrome', identifier: 'Chromium/([0-9\.]*)' },. { name: 'Chrome Mobile', group: 'Chrome', identifier: 'Chrome/([0-9\.]*) Mobile', versionIdentifier: 'Chrome/([0-9\.]*)'},. { name: 'Chrome', group: 'Chrome', identifier: 'Chrome/([0-9\.]*)' },. { name: 'Chrome for iOS', group: 'Chrome', identifier: 'CriOS/

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\icon-dashboard[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 205 x 205, 8-bit/color RGBA, non-interlaced
Size (bytes): 11461
Entropy (8bit): 7.97472004643344
Encrypted: false
MD5: EF32F530BEBC2C09A5CB0CD5EFE14D81
SHA1: 85945D1CA18BFBC0A127E5DD796196A34BE81326
SHA-256: D0680224E568784E18F0CCB8858581A65D69B9552208D4F8680C8FE951D570EA
SHA-512: 936FBF883E4045C1D0640DEA8236A74155F0EEF31AB1A0F19502DE71BAD298EA73D6B33FD1BBFB686B20F81C545CCF138D7171AAA328FBBBDD7ED00283F2531B
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\index[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Size (bytes): 12948
Entropy (8bit): 5.309819685210709
Encrypted: false
MD5: 06FC57068A398045E7A35B4CE71B777E
SHA1: F7EAB04DEC0460E21720EAEC6B35B6BE6F6D7191
SHA-256: DECACE0743D1170DF0F5D92EC78E0CBB9AB383B0D551304A680B9CA14A9E995B
SHA-512: 583ECEF9B2E875AEBC8B53E98F03B0F36D25483CF3AC69C5F7050E433AEAB5B9E73CAC4FAB9F188346D9873AA17B3202004A9139E18F12852D77D762E0C08AA4
Malicious: false
Reputation: low
Preview: .........Freenom World....... .. .. .. Latest compiled and minified CSS -->.. ...... <link href='https://fonts.googleapis.com/css?family=Open+Sans:400,300,600' rel='stylesheet' type='text/css'>.. .. .. ........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\jquery-1.12.4[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text
Size (bytes): 293430
Entropy (8bit): 5.083604069256311
Encrypted: false
MD5: FB2D334DABF4902825DF4FE6C2298B4B
SHA1: 433836DA7E015F2EB3FC386817DE88B78248F6EF
SHA-256: 430F36F9B5F21AAE8CC9DCA6A81C4D3D84DA5175EAEDCF2FDC2C226302CB3575
SHA-512: 8CAC69EC91C437AA5E126CE683A6BB5C904E44D4C1D084C3D8F8BEE85524735E8F09A340257D9A859D5E8E7D69D6E637ECFC728AB9FFD0E30D65B2136C48378F
Malicious: false
Reputation: low
Preview: /*!. * jQuery JavaScript v1.12.4. * http://jquery.com/. *. * Includes Sizzle.js. * http://sizzlejs.com/. *. * Copyright jQuery Foundation and other contributors. * Released under the MIT license. * http://jquery.org/license. *. * Date: 2016-05-20T17:17Z. */..(function( global, factory ) {...if ( typeof module === "object" && typeof module.exports === "object" ) {...// For CommonJS and CommonJS-like environments where a proper `window`...// is present, execute the factory and get jQuery....// For environments that do not have a `window` with a `document`...// (such as Node.js), expose a factory as module.exports....// This accentuates the need for the creation of a real `window`....// e.g. var jQuery = require("jquery")(window);...// See ticket #14549 for more info....module.exports = global.document ?....factory( global, true ) :....function( w ) {.. ...if ( !w.document ) {...... throw new Error( "jQuery requires a window with a document" );.....}.....return factory( w );....};..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\jquery-ui[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 520714
Entropy (8bit): 5.069793318308826
Encrypted: false
MD5: AB5284DE5E3D221E53647FD348E5644B
SHA1: 75C20ACDC6CBC6334FE2B918AB7AFEEC007F969E
SHA-256: 4F455EB2DDF2094EE969F470F6BFAC7ADB4C057E8990A374E9DA819E943C777D
SHA-512: 2462ACC237C0063263B52527CFECBC5D4063065C0CD541CD966D9924DEC0D9AF475184F732C92AF9269CB08DF993896893EFF37AD4B18598CA4B7AF7B5F02742
Malicious: false
Reputation: low
Preview: /*! jQuery UI - v1.12.1 - 2016-09-14.* http://jqueryui.com.* Includes: widget.js, position.js, data.js, disable-selection.js, effect.js, effects/effect-blind.js, effects/effect-bounce.js, effects/effect-clip.js, effects/effect-drop.js, effects/effect-explode.js, effects/effect-fade.js, effects/effect-fold.js, effects/effect-highlight.js, effects/effect-puff.js, effects/effect-pulsate.js, effects/effect-scale.js, effects/effect-shake.js, effects/effect-size.js, effects/effect-slide.js, effects/effect-transfer.js, focusable.js, form-reset-mixin.js, jquery-1-7.js, keycode.js, labels.js, scroll-parent.js, tabbable.js, unique-id.js, widgets/accordion.js, widgets/autocomplete.js, widgets/button.js, widgets/checkboxradio.js, widgets/controlgroup.js, widgets/datepicker.js, widgets/.js, widgets/draggable.js, widgets/droppable.js, widgets/menu.js, widgets/mouse.js, widgets/progressbar.js, widgets/resizable.js, widgets/selectable.js, widgets/selectmenu.js, widgets/slider.js, widgets/sortabl

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\jquery.custom[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Size (bytes): 12794
Entropy (8bit): 5.582135693842838
Encrypted: false
MD5: 6A16DC3358E971B05E22207FBA621217
SHA1: 88A17ECB3B6E5BC732E3FE1A09AF7A15A1F43D80
SHA-256: FDDDC0E3955F84952C41E8D1255E4BAFCB86013210994A963C4125448EA9BD18
SHA-512: 39CD75300F36F4BE3EBBC4AC9A8605B4A4BC31C95F9B6C8D10411A19EC17557DF07C0C4AFBE05ECAD7065EF9D8238D475AA3D48D0B0547417F4E9BB50AE885BE
Malicious: false
Reputation: low
Preview: $(document).ready(function(){$(window).scroll(function(){if($(this).scrollTop()>100){$(".stickem").addClass("fixed")}else{$(".stickem").removeClass("fixed")}});$(".toggleContainer").click(function(){$("body").toggleClass("menu-active")});$(".instructions span").click(function(){$("#overlay").addClass("active")});$(".instructions .Windows10").click(function(){$("#overlay").addClass("windows10")});$(".instructions .Windows8").click(function(){$("#overlay").addClass("windows8")});$(".instructions .Windows7").click(function(){$("#overlay").addClass("windows7")});$(".instructions .WindowsVista").click(function(){$("#overlay").addClass("wvista")});$(".instructions .WindowsXP").click(function(){$("#overlay").addClass("wxp")});$(".instructions .AppleOSX").click(function(){$("#overlay").addClass("osx")});$(".instructions .ApplemacOS").click(function(){$("#overlay").addClass("")});$(".instructions .AppleiOS").click(function(){$("#overlay").addClass("ios")});$(".instructions .Android").click

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\remote[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 245956
Entropy (8bit): 5.561317444596711
Encrypted: false
MD5: A1B26AD1209B0CCC616024A0FA15578C
SHA1: 938878B8C1C6F76D04C62F8885684C0367C74D4F
SHA-256: 8CE1AC136BECA77E97407D973088D95371FD4E42D6F30B43A12AE6D2ED85B7ED
SHA-512: 02D0B046B5E05FFC8F1CC85DB1ADD2CC268F4353760955BB74E889100D06209C2F46A56345A103E7CEB63C717B435DC4445A05646A5E63C14C20CA2BC19C0578
Malicious: false
Reputation: low
Preview: (function(g){var window=this;var Npa=function(a,b){return g.Ub(a,b)},s2=function(){},Opa=function(a){if(a.yc&&"function"==typeof a.yc)return a.yc();.if(g.Da(a))return a.split("");if(g.La(a)){for(var b=[],c=a.length,d=0;d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\sddefault[1].jpg
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 640x480, frames 3
Size (bytes): 42285
Entropy (8bit): 7.965323511953435
Encrypted: false
MD5: B73289ED2EC0EAF1D10BA343F87EBA4D
SHA1: 1F2F6D9AEA3AC8819E9B26D64E5B6B6BB03392C1
SHA-256: D47A15E3FBC02962F7865C2BD651DD9845D493343B5EA1797F0E63AEB8A19B9F
SHA-512: 5AEC53A53B87F46B4FF8E96F7D05CE1257F7664C94D539A70C250AED30B056DD213154DCBE1814B9CB43239931C93FF56DD17E1B38E448273AB9DA9C4C74DFC8
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KRHE4CQY\6at8RAIcI2dAjmEmt800-oHizg2nGEdwM-h3wKhI3gw[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 20004
Entropy (8bit): 5.556091108594332
Encrypted: false
MD5: 1889FEC26AFA7B834840A8E1BEA22E3F
SHA1: 7B994E23FD849517F31A159E06F12FC5331318EC
SHA-256: 9611A1D1D032CD70CEC7903251E7179C6FA91FBECAAD8D383FFDF80DA9CD3BBC
SHA-512: 53F451DD8E42D084239AAF1873A2972CCE19B526D65C2D2074EE83D930C4C19BF9E3301E1A85555DBFF18068B31F0F8F87B5007F8DDCA68F714F90279E5274D0
Malicious: false
Reputation: low
Preview: /* Anti-spam. Want to say hello? Contact (base64) Ym90Z3VhcmQtY29udGFjdEBnb29nbGUuY29t */Function('var m9=function(m,Y){function K(){}m.Cx=((((K.prototype=Y.prototype,m).U=Y.prototype,m).prototype=new K,m.prototype).constructor=m,function(H,p,g){for(var P=Array(arguments.length-2),a=2;aY?1:0},c=this||self,I=function(m,Y){return(Y=typeof m,"object"==Y)&&null!=m||"function"==Y},YU=function(m){for(m=0;64>m;++m)W[m]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".charAt(m),S["ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".charAt(m)]=m;((W[64]="",S["+"]=62,S)["/"]=63,S)["="]=64},gt=function(m,Y,K,H,p){for(H=(Y=[],K=0);Hp?Y[K++]=p:(2048>p?Y[K++]=p>>6|192:(55296==(p&64512)&&H+1>18|240,Y[K++]=p>>12&63|128):Y[K++]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KRHE4CQY\H1DjfYq_YMI[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, UTF-8 Unicode text, with very long lines
Size (bytes): 44834
Entropy (8bit): 5.738982217557356
Encrypted: false
MD5: 7F7E8175F1C95EB154758DFA7D666C94
SHA1: DC66B09F3768DA9C3D28321464E835B54715FD88
SHA-256: F9C187FD36B5F3A7B2244DAE1C88F7C680417E2453DFFC5802BD39674DB55A67
SHA-512: E7D208EC03EB71E0DF5F9F966B3BF511E5FBDB898233412E95B13107984A7E431EB6FBE3F3EA574F19AADFE865B0DB2D709287854EBE6C5DFDAA00FD8E0AE67B
Malicious: false
Reputation: low
Preview: ...