ID: 285108 Cookbook: urldownload.jbs Time: 15:48:53 Date: 14/09/2020 Version: 29.0.0 Ocean Jasper

Copyright null 2020

Analysis Report https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic

Overview

General Information

Sample URL: https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic
Analysis ID: 285108

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (nam…

Classification

[Classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.]

Startup

System is w10x64
  cmd.exe (PID: 6652 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    wget.exe (PID: 6700 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  iexplore.exe (PID: 7092 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\mobilebasic.html MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    iexplore.exe (PID: 6320 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection


There are no malicious signatures.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; System Information Discovery 1 2; Remote System Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

[Behavior graph. ID: 285108; URL: https://docs.google.com/doc...; Startdate: 14/09/2020; Architecture: WINDOWS; Score: 0. Process nodes: iexplore.exe, cmd.exe, iexplore.exe, wget.exe, conhost.exe. Network nodes: googlehosted.l.googleusercontent.com (172.217.22.33, 443, 49717, 49718; GOOGLEUS; United States), lh4.googleusercontent.com (unknown), lh3.googleusercontent.com (unknown), 192.168.2.1.]

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic | 0% | Virustotal | | Browse
https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic | 0% | Avira URL Cloud | safe |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
crl.pki.goog/gsr2/gsr2.crl | 3% | Virustotal | | Browse
crl.pki.goog/gsr2/gsr2.crl | 0% | Avira URL Cloud | safe |
crl.pki.goog/GTS1O1core.crl | 1% | Virustotal | | Browse
crl.pki.goog/GTS1O1core.crl | 0% | Avira URL Cloud | safe |
www.broofa.com | 0% | Virustotal | | Browse
www.broofa.com | 0% | URL Reputation | safe |
www.broofa.com | 0% | URL Reputation | safe |
www.broofa.com | 0% | URL Reputation | safe |
https://support.google/Desktop/download/mobilebasic.html.com/accounts/answer/32050c.htmlRoot | 0% | Avira URL Cloud | safe |
pki.goog/gsr2/GTS1O1.crt0 | 0% | Virustotal | | Browse
pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
ocsp.pki.goog/gsr202 | 0% | Virustotal | | Browse
ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe |
ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe |
ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe |
https://pki.goog/repository/0 | 0% | Virustotal | | Browse
https://pki.goog/repository/0 | 0% | URL Reputation | safe |
https://pki.goog/repository/0 | 0% | URL Reputation | safe |
https://pki.goog/repository/0 | 0% | URL Reputation | safe |
crl.pki.goog/gsr2/gsr2.crlJ | 0% | Avira URL Cloud | safe |
https://pki.goog/repository/ | 0% | Virustotal | | Browse
https://pki.goog/repository/ | 0% | Avira URL Cloud | safe |
ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe |
ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe |
ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe |
crl.pki.goog/GTS1O1core.crl0 | 0% | Virustotal | | Browse
crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |
crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |
crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |
pki.goog/gsr2/GTS1O1.crt | 0% | Virustotal | | Browse
pki.goog/gsr2/GTS1O1.crt | 0% | Avira URL Cloud | safe |
ocsp.pki.goog/gsr2 | 0% | Virustotal | | Browse
ocsp.pki.goog/gsr2 | 0% | Avira URL Cloud | safe |
www.wikipedia.com/ | 0% | Virustotal | | Browse
www.wikipedia.com/ | 0% | URL Reputation | safe |
www.wikipedia.com/ | 0% | URL Reputation | safe |
www.wikipedia.com/ | 0% | URL Reputation | safe |
crl.pki.goog/gsr2/gsr2.crl0? | 0% | Virustotal | | Browse
crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
googlehosted.l.googleusercontent.com | 172.217.22.33 | true | false | | high
lh3.googleusercontent.com | unknown | unknown | false | | high
lh4.googleusercontent.com | unknown | unknown | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://staging-realtimesupport-googleapis.sandbox..com | operatordeferred_bin_base__en[1].js.6.dr | false | | high
crl.pki.goog/gsr2/gsr2.crl | wget.exe, 00000003.00000003.216016032.0000000002B55000.00000004.00000001.sdmp | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.apache.org/licenses/LICENSE-2.0 | 32050[1].htm.6.dr | false | | high
https://schema.org/Thing | 32050[1].htm.6.dr | false | | high
www.nytimes.com/ | msapplication.xml4.5.dr | false | | high
crl.pki.goog/GTS1O1core.crl | wget.exe, 00000003.00000003.216016032.0000000002B55000.00000004.00000001.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.broofa.com | operatordeferred_bin_base__en[1].js.6.dr | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://casespartner-pa.youtube.com | operatordeferred_bin_base__en[1].js.6.dr | false | | high
https://schema.org/BreadcrumbList | 32050[1].htm.6.dr | false | | high
https://developers.googleblog.com/2018/03/discontinuing-support-for-json-rpc-and.html | cb=gapi[2].js.6.dr | false | | high
https://support.google/Desktop/download/mobilebasic.html.com/accounts/answer/32050c.htmlRoot | {9864BF69-F6DC-11EA-90E8-ECF4BBEA1588}.dat.5.dr | false | Avira URL Cloud: safe | unknown
pki.goog/gsr2/GTS1O1.crt0 | wget.exe, 00000003.00000002.216865606.0000000002B9A000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
www.amazon.com/ | msapplication.xml.5.dr | false | | high
https://realtimesupport.youtube.com | operatordeferred_bin_base__en[1].js.6.dr | false | | high
ocsp.pki.goog/gsr202 | wget.exe, 00000003.00000003.215991215.0000000002B8F000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://pki.goog/repository/0 | wget.exe, 00000003.00000003.215991215.0000000002B8F000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
crl.pki.goog/gsr2/gsr2.crlJ | wget.exe, 00000003.00000003.216016032.0000000002B55000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
www.twitter.com/ | msapplication.xml6.5.dr | false | | high
https://schema.org/ListItem | 32050[1].htm.6.dr | false | | high
https://pki.goog/repository/ | wget.exe, 00000003.00000002.216865606.0000000002B9A000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://lh4.googleusercontent.com/MJYnaQJZ4Xhrd68SdIpyfM8V5cOpmphbT72FpiYlN9VI4NYs8Fy6Pyi4GeKsZlPcT5 | mobilebasic.3.dr | false | | high
ocsp.pki.goog/gts1o1core0 | wget.exe, 00000003.00000002.216865606.0000000002B9A000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
www.youtube.com/ | msapplication.xml8.5.dr | false | | high
crl.pki.goog/GTS1O1core.crl0 | wget.exe, 00000003.00000003.215991215.0000000002B8F000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
pki.goog/gsr2/GTS1O1.crt | wget.exe, 00000003.00000002.216865606.0000000002B9A000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
ocsp.pki.goog/gsr2 | wget.exe, 00000003.00000003.216016032.0000000002B55000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.wikipedia.com/ | msapplication.xml7.5.dr | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
www.live.com/ | msapplication.xml3.5.dr | false | | high
crl.pki.goog/gsr2/gsr2.crl0? | wget.exe, 00000003.00000003.215991215.0000000002B8F000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
www.reddit.com/ | msapplication.xml5.5.dr | false | | high
https://staging-casespartner-pa-googleapis.sandbox.youtube.com | operatordeferred_bin_base__en[1].js.6.dr | false | | high

Contacted IPs

[Map of contacted IPs. Legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs.]

Public

IP | Country | Flag | ASN | ASN Name | Malicious
172.217.22.33 | United States | | 15169 | GOOGLEUS | false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 285108
Start date: 14.09.2020
Start time: 15:48:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 58s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@7/46@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 51.143.111.7, 52.184.221.185, 216.58.206.14, 104.108.39.131, 216.58.212.142, 216.58.208.35, 172.217.21.227, 216.58.208.42, 172.217.23.110, 216.58.212.132, 172.217.22.99, 172.217.22.14, 172.217.22.13, 172.217.22.10, 51.104.139.180, 52.164.221.179, 92.122.213.194, 92.122.213.247, 23.210.248.85, 152.199.19.161, 2.20.142.209, 2.20.142.210
• Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, umwatson.trafficmanager.net, docs.google.com, au.download.windowsupdate.com.edgesuite.net, ssl.gstatic.com, arc.msn.com.nsatc.net, support.google.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, realtimesupport.clients6.google.com, www.google.com, watson.telemetry.microsoft.com, www.gstatic.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fonts.googleapis.com, fs.microsoft.com, plus.l.google.com, accounts.google.com, fonts.gstatic.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, play.google.com, go.microsoft.com.edgekey.net, apis.google.com, cs9.wpc.v0cdn.net
• Execution Graph export aborted for target wget.exe, PID 6700 because there are no executed function
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\R7X5FS43\support.google[1].xml
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with no line terminators
Size (bytes): 26
Entropy (8bit): 2.469670487371862
Encrypted: false
MD5: 132294CA22370B52822C17DCB5BE3AF6
SHA1: DD26B82638AD38AD471F7621A9EB79FED448A71C
SHA-256: 451ABBE0AEFC000F49967DABF8D42344D146429F03C8C8D4AE5E33FF9963CF77
SHA-512: 6D5808CAD199A785C82763C68F0AE1F4938C304B46B70529EA26B3D300EF9430AD496C688D95D01588576B3A577001D62245D98137FD5CD825AD62E17D36F15C
Malicious: false
Reputation: low
Preview:

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9864BF67-F6DC-11EA-90E8-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 24152
Entropy (8bit): 1.7613807149375473
Encrypted: false
MD5: 22B9C013CC24727E2E90052AA981EEAD
SHA1: EB98D39F36E00E49224EAE20BEE28649AB8F38D9
SHA-256: CCCA0C9EF7A039D9F3A040C15140D02DBC27CF406E663ECCC701B73D8011809E
SHA-512: D24814857FF5CD46145E26F40DE005F204B107F299DFE97FEB061450E97F0EC3B13DC2F74462BB8F8F06341272535FEAF10CE86FC970000B423B1CEF66CCC66C
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9864BF69-F6DC-11EA-90E8-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 32970
Entropy (8bit): 2.3070895369510804
Encrypted: false
MD5: 1A53AC756E78B329252E8EB0DB75F96B
SHA1: 0E9AAFCAFA3B3D22BD78426D69C446C15E98157D
SHA-256: EC347E84C81966E34183D5AF5C89ACDA85C7FD6CF64138F79033079A7DBB15A2
SHA-512: 5BD27B8A243D0550901DA0EB5EACAEFBCF11A99FE479F7884C296D240BEE11D593CEC948999220AE571C012B2AB480FCE98BCF58D3DE4C2C50AF449D08613AE0
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.054702302810104
Encrypted: false
MD5: D84A34E5CD005E066C9D4C10A40EE290
SHA1: 5BE6DA4DE87AE2BBE916380312E372B5A6C8541A
SHA-256: 8EDB8AD6A1EF9A9E58C336297252270F7A70EEB2BEB536BE218A5E6EA5895326
SHA-512: ADFDD86C9EDA055448CBCC0A46796A448C312A36D8184E91C931EB54ABCA8018547CEB792725D5112785E0DE6BA993FEAEE27A86A9D20ECD57E6D5A6CE2C5AF0
Malicious: false
Reputation: low
Preview: ..0x6f0c6090,0x01d68ae9< accdate>0x6f0c6090,0x01d68ae9....0x6f0c6090,0x01d68ae90 x6f0c6090,0x01d68ae9..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.133621280821765
Encrypted: false
MD5: F4F94FB77D6B236DAF6EBE5CC36898AE
SHA1: 4681A21F5318F0B3601EC4544998DF9E7ADC5269
SHA-256: FE4E96886BA483110348C9B74C15DCE7C448B3D192A628723192B8F222C2657E
SHA-512: B255158B68BF59944A0CC015CF2244EB81D14190181F0652202D26ECF72DF4D589C73807C8EBEF90740A1CF5CF5D91DC1A23D95F4B3E7E0911AD9FE6464E92AC
Malicious: false
Reputation: low
Preview: ..0x6f02d72b,0x01d68ae90x6f02d72b,0x01d68ae9....0x6f02d72b,0x01d68ae90x6f02d72b,0x01d68ae9..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 662
Entropy (8bit): 5.074490744265163
Encrypted: false
MD5: 88E50753CBAEFC1E176FF51A1E4BD644
SHA1: DE9184CEA3B5C822B35AE38EBFEB85067E609DB2
SHA-256: 486AC26BE127F36871A6BF5ABBEFEF35A352646B2D6B1A19DADD1C7BF4A845B4
SHA-512: D8FD48D78E36811EC8AD4BEBFF07C7FB209C3001A097D2B5A9C7083B606E83F5535E03FDEF05A901724B08B52EC0EDD902E656F9467F2C200EB88FCA68EE1DB9
Malicious: false
Reputation: low
Preview: ..0x6f0c6090,0x01d68ae9 0x6f0c6090,0x01d68ae9....0x6f0c6090,0x01d68ae90x6f0c6090,0x01d68ae9..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 410
Entropy (8bit): 5.1608834227202065
Encrypted: false
MD5: 1EBA565089A89358931B00C6B639569C
SHA1: 122440B877BE74528045FCC69F771B0A42026A3D
SHA-256: 863B54B9AB455D9BC8E1F106D52EF6291E0B2F138E0FE92CE215BEC8CD21C6FB
SHA-512: 4A1B79C3A547AC72C980F54B4746A7C9567A8691F3C918C8F946677ACB3C74A2DB7A2458E66ADCD46EE5C8D18DA1BB6233BDDC6BDF8EDD41B89660FE609D4B9A
Malicious: false
Reputation: low
Preview: ..0x259f0d0f,0x01 d52d140x6f053a25,0x01d68ae9\lowres.png..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 647
Entropy (8bit): 5.085688496620684
Encrypted: false
MD5: 2738830806E4A5F7A3F359AA0CC34ECE
SHA1: 10A7652A624529447039FA3572FA34C31DCDAD6F
SHA-256: D687429698E1109F47FF4D32C0D18247E1E8C7616461CA687CB780B7597F87B7
SHA-512: 8B9281989047CA160ADC17F0E55E6F509C9B8EDACD89797140B7FCEDB911B69E009D0805B3296C206658B1C90495085DC0C6B8DA1E9BF5BDA40E5B85AC270AF2
Malicious: false
Reputation: low
Preview: ..0x6f09fe39,0x01d68ae90x6f09fe39,0x01d68ae9....0x6f09fe39,0x01d68ae90x6f09f e39,0x01d68ae9 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.092176333607463
Encrypted: false
MD5: B14DB26EC01984163518E0A463BCB39C
SHA1: D61BC5DD92C1420146326F46282FF044D55E052E
SHA-256: AC9EB6FEA3F3180B943EDF51A4ECD0E14EF5E8CD650FBC2B8EEA9EA596085B18
SHA-512: 51D1F52782C65129937A32B9C1D03132176161440660320B532548C6056ED591D3E227F588566BEC774501C654024D78A73B3EB7DB751D831DACB23BDB59CE27
Malicious: false
Reputation: low
Preview: ..0x6f0c6090,0x01d68ae9< accdate>0x6f0c6090,0x01d68ae9....0x6f0c6090,0x01d68ae90 x6f0ec331,0x01d68ae9 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.074206493529583
Encrypted: false
MD5: 97C654E4BA0166E8333A7D48C96980AD
SHA1: 0D50D1787B00A1254D2A9E7EBE793D3441201548
SHA-256: B34616D99ABA0F9D82ECC2DC35E562423ECEDD5D4A96480B499BF6F5CAB70A4B
SHA-512: E5BB4490FFDB87EA536D403C99142C07E84A97854A4F8AC370E4A76F5586CACF8121AD12957DFF312C1050F1B8D138A0EEB4419A9A9F1AE8716564A9D17FF739
Malicious: false
Reputation: low
Preview: ..0x6f09fe39,0x01d68ae90x6f09fe39,0x01d68ae9....0x6f09fe39,0x01d68ae90x6 f09fe39,0x01d68ae9..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.1101869465034016
Encrypted: false
MD5: 4F700C15F651F8C2043C4EA779CB148A
SHA1: 671D78A618756D397C75C998A97EA7CFF679C0A4
SHA-256: F8086AF03590687D5A3D5B84D3EEE1138AED2CAF0674DF85D4E7EBBFBAB10EA2
SHA-512: 9278888D3855DCA56DE6F87CEE569205762654A22DA24193C670E9F3C88ADFFC7643FC9D6A34D79ED56ABED6F21C061C4178B0C4FF31BC377C989133C012E9F8
Malicious: false
Reputation: low
Preview: ..0x6f09fe39,0x01d68ae9< accdate>0x6f09fe39,0x01d68ae9....0x6f09fe39,0x01d68ae90 x6f09fe39,0x01d68ae9 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 659
Entropy (8bit): 5.0982374371001615
Encrypted: false
MD5: AB633F8EAAD87DB8EC55C46F6EEB44ED
SHA1: 5F8D01C610EACE4DCB5BE4CA861A89C129FC99AD
SHA-256: 53FDDA714D2FF3621412F73DF4560D0ECD5B7FF3F0CDDCEA5656D8411A58438F
SHA-512: E31BE43CCE3B6AF0EC840F898C5C32F80E427546855295B8925E45A593B7B9765D1AE32608A9ACAD022492BD36B0E2CC0DC32F0311A701A248D0919F8824CBA5
Malicious: false
Reputation: low
Preview: ..0x6f079bdd,0x01d68ae9 0x6f079bdd,0x01d68ae9....0x6f079bdd,0x01d68ae90x6f079bdd,0x01d68ae9..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.08349440662847
Encrypted: false
MD5: B7F0A9B2B639678C5558FA7F21BB8403
SHA1: FF01D807E38A2B7F1CC5AB3C3F7A9026A6DFA617
SHA-256: 20D9A6199DCB330D82C8E24A220487D3E0E9FEBD8F65EFE70A59319E0809ED4B
SHA-512: 185DEBF8E46B23334EE3B30C995AE1D3021880AE39C154F4CDD4AC0034EAC80858692D446C3871AD35A02CEC16775FB0697B1D5E713B9F17D8A8CC53AED9B2B4
Malicious: false
Reputation: low
Preview: ..0x6f079bdd,0x01d68ae90x6f079bdd,0x01d68ae9....0x6f079bdd,0x01d68ae90x6 f079bdd,0x01d68ae9 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 5664
Entropy (8bit): 3.7514890787893105
Encrypted: false
MD5: E5A033F5F8E71EFD49B4D2CE03B02052
SHA1: 0E819F42CFF48CC4A6F4B3A6F9E86C8BEEACE30F
SHA-256: B9581629A09D9DEBD4F74533C69BA5E47220B2E21FE6DEF6C3CF94644A6E643F
SHA-512: B1EDAD199977ABBC2E63F56E31021CB45E3F8D4FA19D7902363AB56CD16FAE2098393B15C0B10028E6CDF305460151C2E7C5C84CE5A1227DC093DADB9767AFF5
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\KFOlCnqEu92Fr1MmWUlfBBc-[1].woff
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: Web Open Font Format, TrueType, length 20356, version 1.1
Size (bytes): 20356
Entropy (8bit): 7.972919215442608
Encrypted: false
MD5: ADCDE98F1D584DE52060AD7B16373DA3
SHA1: 0A9B76D81989A7A45336EBD7B48ED25803F344B9
SHA-256: 806EA46C426AF8FC24E5CF42A210228739696933D36299EB28AEE64F69FC71F1
SHA-512: 7B1D6CC0D841A9E5EFEC540387BC5F9B47E07A21FDC3DC4CE029BB0E3C74664BBC9F1BCCFD8FB575B595C2CC1FD16925C533E062C4C82EEE0C310FFD2B4C2927
Malicious: false
Reputation: low
IE Cache URL: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfBBc-.woff

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\KFOmCnqEu92Fr1Mu4mxM[1].woff
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: Web Open Font Format, TrueType, length 20268, version 1.1
Size (bytes): 20268
Entropy (8bit): 7.970212610239314
Encrypted: false
MD5: 60FA3C0614B8FB2F394FA29944C21540
SHA1: 42C8AE79841C592A26633F10EE9A26C75BCF9273
SHA-256: C1DC87F99C7FF228806117D58F085C6C573057FA237228081802B7D8D3CF7684
SHA-512: C921362A52F3187224849EB566E297E48842D121E88C33449A5C6C1193FD4842BBD3EF181D770ADE9707011EB6F4078947B8165FAD51C72C17F43B592439FFF4
Malicious: false
Reputation: low
IE Cache URL: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\googleapis.proxy[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 12858
Entropy (8bit): 5.4644622017766915
Encrypted: false
MD5: F598F2A87E6FA2E00028E35F2F480ECC
SHA1: 3CA77A692A994181932502EEFA1406CA309AC0A4
SHA-256: 0C0F264BFA43A7D2D52374826FF7D664A2B5475C5D535A29E27717A2C5E53A6D
SHA-512: 3242B2A0CB957F199068FB42F955DDFE2885AF6D382F488BE311850CB4321768780B47108A63F68F0431A946EC92207B18DA194C9FFA9D36B1A1B49F238747AD
Malicious: false
Reputation: low
IE Cache URL: https://apis.google.com/js/googleapis.proxy.js?onload=startup

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\operatordeferred_bin_base__en[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines Size (bytes): 199418 Entropy (8bit): 5.185003725769512 Encrypted: false MD5: 61BAF6F59F50C98DD670AB1357F81EB8 SHA1: F0C532A89E8EACE1584DD38DA8BAF756E130FEC7 SHA-256: C13184F2FACBF2CE864CF0E340A87C3DE0DC5D52BD125FE7858EB745E2731107 SHA-512: BA836174A5876FA3F6942F75D2E4D70B2A33C121ABA3EA9C147C70C56A644CDC2E8715A491479E9862C8FF2487B4DA9E5C558955BC186D8DBAB9B7C49E304E4F Malicious: false Reputation: low IE Cache URL: https://ssl.gstatic.com/support/realtime/operator/1599779249523/operatordeferred_bin_base__en.js Preview: /*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var rtsinternal_,rtsinternal_aa=function(a){var b=0;return function(){return b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\rpc_shindig_random[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines Size (bytes): 12856 Entropy (8bit): 5.464527167858666 Encrypted: false MD5: 7E099955521B530CE86F61CF8E3AEB41 SHA1: C908B874908460334E8DAEE297A46C82092C2E93 SHA-256: 2C79F51E02F34EF5C46DB3882D32AF8E9289B7961B9BA4E7DAFE5206F019BF33 SHA-512: 53A5BC3BAFD4027AA1DEE15610B87A05BEE1675C5A8C6383591F2066D15212353298D756165B4534BB323AB9A66029E8180B0524609B101280827BB030749384 Malicious: false Reputation: low IE Cache URL: https://apis.google.com/js/rpc:shindig_random.js?onload=init Preview: var gapi=window.gapi=window.gapi||{};gapi._bs=new Date().getTime();(function(){/*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var g=this||self,h=function(a){return a};var m=function(){this.g=""};m.prototype.toString=function(){return"SafeStyle{"+this.g+"}"};m.prototype.a=function(a){this.g=a};(new m).a ("");var n=function(){this.f=""};n.prototype.a=function(a){this.f=a};n.prototype.toString=function(){return"SafeStyleSheet{"+this.f+"}"};(new n).a("");/*. gapi.loader.OBJECT_CREATE_TEST_OVERRIDE &&*/.var q=window,v=document,aa=q.location,ba=function(){},ca=/\[native code\]/,x=function(a,b,c){return a[b]=a[b]||c},da=function(a){a =a.sort();for(var b=[],c=void 0,d=0;d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\unnamed[1].png Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: PNG image data, 18 x 18, 8-bit gray+alpha, non-interlaced Size (bytes): 157 Entropy (8bit): 5.991001064175712 Encrypted: false MD5: 8396B6E584F392180CDA492103C95602 SHA1: AC67D383E68BFB641DDB2ADDD8F7CDBC53D6953A SHA-256: 2E55B281F88F75BDB6B3F23F5F7D68CFF2F6988FDDBB7C0E9B9FB3751C49D440 SHA-512: 92FAE1AAFEDD97A4F71CC77B453315693BA7F04229EA2C00FB7B8293FC4E26C6BAC174B6C792BF374A44203F22F6A02EA652542C5AAA8C1E419CAE44E7FCFDE6 Malicious: false Reputation: low IE Cache URL: https://lh3.googleusercontent.com/oLoRPrHJd7m46sWijX6zBWnEnfslP62AxJSwt5Nj0bNbpaYHz2pyscExleiofsH2kQ=h18

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\unnamed[2].png Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced Size (bytes): 288 Entropy (8bit): 6.7881820600030744 Encrypted: false MD5: E14A6794738FB4065E4B6A744206F223 SHA1: AF6B63420BEBC1DE814AC0F7F1617AFFD3E411DC SHA-256: BDE575738A7B0EC443CC66157705EEB2A64938306E979F8693C12EDC9F6644A5 SHA-512: C51AF36F020977F780473E1C2BFBEB6D4C49ED1A73CC64FC902956CB41219ADB2B2CB922C63AF07328EFB578FAC25D587824307DE1FA5716AF2B032FD8789185 Malicious: false Reputation: low IE Cache URL: https://lh3.googleusercontent.com/QbWcYKta5vh_4-OgUeFmK-JOB0YgLLoGh69P478nE6mKdfpWQniiBabjF7FVoCVXI0g=h18

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\KFOlCnqEu92Fr1MmWUlfBBc-[1].woff Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: Web Open Font Format, TrueType, length 19888, version 1.1 Size (bytes): 19888 Entropy (8bit): 7.96899630573477 Encrypted: false MD5: CF6613D1ADF490972C557A8E318E0868 SHA1: B2198C3FC1C72646D372F63E135E70BA2C9FED8E SHA-256: 468E579FE1210FA55525B1C470ED2D1958404512A2DD4FB972CAC5CE0FF00B1F SHA-512: 1866D890987B1E56E1337EC1E975906EE8202FCC517620C30E9D3BE0A9E8EAF3105147B178DEB81FA0604745DFE3FB79B3B20D5F2FF2912B66856C38A28C07EE Malicious: false Reputation: low IE Cache URL: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\KFOmCnqEu92Fr1Mu4mxM[1].woff Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: Web Open Font Format, TrueType, length 19824, version 1.1 Size (bytes): 19824 Entropy (8bit): 7.970306766642997 Encrypted: false MD5: BAFB105BAEB22D965C70FE52BA6B49D9 SHA1: 934014CC9BBE5883542BE756B3146C05844B254F SHA-256: 1570F866BF6EAE82041E407280894A86AD2B8B275E01908AE156914DC693A4ED SHA-512: 85A91773B0283E3B2400C773527542228478CC1B9E8AD8EA62435D705E98702A40BEDF26CB5B0900DD8FECC79F802B8C1839184E787D9416886DBC73DFF22A64 Malicious: false Reputation: low IE Cache URL: https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\cb=gapi[1].js Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with very long lines Size (bytes): 53812 Entropy (8bit): 5.5507638196763045 Encrypted: false MD5: 8548AFFEA88F0AA927DB975813C6D335 SHA1: 70D2A4EE447CEC733032E697E1C6E29B49B5BD1A SHA-256: 25E144747153EF8E812803D85816C7258B2CA5FD84DE2A143BFB7F8AA1884334 SHA-512: AA65E77F18A2EC4312897B3D76E5A5E008B3C65B511AB3B1764610AF430FE0ACC318829DA3D269766CA380342C2F76E904E46363D1C863004C44630982014265 Malicious: false Reputation: low Preview: /* JS */ gapi.loaded_0(function(_){var window=this;./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var ja,ma,va,wa,ya,Ba,Ia,Oa;_.da=function(a){return function(){return _.ba[a].apply(this,arguments)}};_._DumpException=function(a){throw a;};_.ba=[];ja=function(a){var b=0;return function(){return b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\favicon[2].ico Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: MS Windows icon resource - 2 icons, 16x16, 32 bits/, 32x32, 32 bits/pixel Size (bytes): 5430 Entropy (8bit): 3.6534652184263736 Encrypted: false MD5: F3418A443E7D841097C714D69EC4BCB8 SHA1: 49263695F6B0CDD72F45CF1B775E660FDC36C606 SHA-256: 6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770 SHA-512: 82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563 Malicious: false Reputation: low IE Cache URL: https://support.google.com/favicon.ico

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\operatorParams[1].json Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text Size (bytes): 616 Entropy (8bit): 5.028629865539676 Encrypted: false MD5: 6939F3106E5DBBE01F4C43EF29C09BD0 SHA1: 229405DDF02F92374A768A80A260DC1C8D8B7152 SHA-256: 306F7D163DBA0C98D71CA2C0DAB7EF6E8EFB88B6C1070E39E1FCDDC8D1B4C493 SHA-512: 9AB1363010E0CAFA91E30A3D9376D68ABA22269AD78B6F9EAB1D09BB809F8A741045FBA496DD3AF270E090499AB5FA6B34111EA31BE020D65315D448473B9149 Malicious: false Reputation: low IE Cache URL: https://ssl.gstatic.com/support/realtime/operatorParams Preview: {. "operatorDeferredUrl": "https://ssl.gstatic.com/support/realtime/operator/1599779249523/operatordeferred_bin_base.js",. "eagerLoadHostnamePattern": "((https://www\\.google\\.com/express)|((adwords|support|support-content-staging.sandbox|business|fi|.+\\.corp)\\.google\\.))",. "eagerLoadHostnameFlags": "i",. "cbfVersion": 1599779249523,. "experiments": {. "enable_emojis": true,. "enable_desktop_screenshare_email_fallback": false,. "screenshare_skin_version": 3,. "mole_skin_version": 2,. "mole_show_survey_url_percentage": 100,. "operatordeferred_report_rpc_events_percentage": 10. }.}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\pxiDypQkot1TnFhsFMOfGShVF9eI[1].woff Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: Web Open Font Format, TrueType, length 40068, version 1.1 Size (bytes): 40068 Entropy (8bit): 7.986363416256898 Encrypted: false MD5: 3ABA54A73723BD3E90CB74D603687CCD SHA1: 2C3D597CD36CA5856587C8482557B07DD8633329 SHA-256: A94234B7387BC4E9FA7B73DEDD34E5CC1189A28D526F4DADDECD1C9AB7B86840 SHA-512: 78F4E6514CD81CECC898D151B31B691122715D0239A47AB5D53ACA4F45FC1707DDD8464543D523E355DC1C19FF257C14DF4490D0938518D02BA35AECD72482B6 Malicious: false Reputation: low IE Cache URL: https://fonts.gstatic.com/s/productsans/v12/pxiDypQkot1TnFhsFMOfGShVF9eI.woff

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\32050[1].htm Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: HTML document, UTF-8 Unicode text, with very long lines Size (bytes): 609220 Entropy (8bit): 5.624513586788571 Encrypted: false MD5: 6A030741384A1480EBEDA11B44E117D6 SHA1: 0C157F008A8E35E25770A3E92989A78E8BA7234B SHA-256: 45497CCED6CB9DF14486C631A58CB0682C48FCA02ED2C1D7642F6DEA27CF57C7 SHA-512: 1909B334268D050B64B81C32114173108607E527E444060EECD7BE5D434EC0E9F2C67F17C1A7C7E78E8DAFAC9E064F7817D20CEAAB19731BAF82094533A365D1 Malicious: false Reputation: low IE Cache URL: https://support.google.com/accounts/answer/32050 Preview: Clear cache & cookies - Computer - Google Account Help