ID: 192622 Cookbook: browseurl.jbs Time: 06:32:17 Date: 28/11/2019 Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents  2
Analysis Report https://chrome.google.com/webstore/detail/crossbrowsertesting-local/ldabplgpogjknofonmccpbgeoolbcbfm  4
  Overview  4
    General Information  4
    Detection  5
    Confidence  5
    Classification  5
    Analysis Advice  6
    Mitre Att&ck Matrix  6
  Signature Overview  7
    Phishing:  7
    Networking:  7
    System Summary:  7
    Malware Analysis System Evasion:  7
    HIPS / PFW / Operating System Protection Evasion:  7
  Behavior Graph  7
  Simulations  8
    Behavior and APIs  8
  Antivirus, Machine Learning and Genetic Malware Detection  8
    Initial Sample  8
    Dropped  8
    Unpacked PE Files  8
    Domains  8
    URLs  8
  Yara Overview  9
    Initial Sample  9
    PCAP (Network Traffic)  9
    Dropped Files  9
    Memory Dumps  10
    Unpacked PEs  10
  Sigma Overview  10
  Joe Sandbox View / Context  10
    IPs  10
    Domains  10
    ASN  10
    JA3 Fingerprints  10
    Dropped Files  10
  Screenshots  10
    Thumbnails  10
  Startup  11
  Created / dropped Files  11
  Domains and IPs  38
    Contacted Domains  38
    URLs from Memory and Binaries  38
    Contacted IPs  41
      Public  42
  Static File Info  42
    No static file info  42
  Network Behavior  42
    UDP Packets  42
  Code Manipulations  43
  Statistics  43
    Behavior  43
  System Behavior  43
    Analysis Process: iexplore.exe PID: 3304 Parent PID: 700  43
      General  43
      File Activities  43
      Registry Activities  44
    Analysis Process: iexplore.exe PID: 944 Parent PID: 3304  44
      General  44
      File Activities  44
      Registry Activities  44
  Disassembly  44

Copyright Joe Security LLC 2019 Page 2 of 44

Analysis Report https://chrome.google.com/webstore/detail/crossbrowsertesting-local/ldabplgpogjknofonmccpbgeoolbcbfm

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 192622
Start date: 28.11.2019
Start time: 06:32:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 48s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://chrome.google.com/webstore/detail/crossbrowsertesting-local/ldabplgpogjknofonmccpbgeoolbcbfm
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.phis.win@3/94@0/13
Cookbook Comments: Adjust boot time; Enable AMSI
Browsing link: https://chrome.google.com/webstore/category/extensions
Browsing link: https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fchrome.google.com%2Fwebstore%2Fdetail%2Fcrossbrowsertesting-local%2Fldabplgpogjknofonmccpbgeoolbcbfm&service=chromewebstore&sarp=1
Browsing link: https://chrome.google.com/webstore/category/apps
Browsing link: http://crossbrowsertesting.com/
Browsing link: https://chrome.google.com/webstore/report/ldabplgpogjknofonmccpbgeoolbcbfm?hl=en-US&gl=GB
Browsing link: https://smartbear.com/privacy
Browsing link: https://chrome.google.com/webstore/detail/blheli-configurator/mejfjggmbnocnfibbibmoogocnjbcjnk
Browsing link: https://chrome.google.com/webstore/detail/google-apps-script/eoieeedlomnegifmaghhjnghhmcldobl
Browsing link: https://chrome.google.com/webstore/detail/javascript-editor/enhkeonpomkliaedmafeniofidolfmdd

Warnings:
Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, conhost.exe, CompatTelRunner.exe
Excluded IPs from analysis (whitelisted): 8.241.121.254, 67.27.235.126, 8.248.119.254, 8.253.95.249, 8.248.123.254, 104.103.90.39, 172.217.23.206, 172.217.23.195
Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, go.microsoft.com, www3.l.google.com, audownload.windowsupdate.nsatc.net, go.microsoft.com.edgekey.net, chrome.google.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, www.gstatic.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtReadFile calls found.

Detection

Strategy: Threshold
Score: 48
Range: 0 - 100
Whitelisted: false
Threat: Audio Phisher

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification

[Classification diagram (rendered image; only its labels survive extraction). Scale: clean / suspicious / malicious. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.]

Analysis Advice

Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--").

Mitre Att&ck Matrix

The matrix is listed here column by column; a number after a technique is the count of signatures that matched it in this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
Execution: Command-Line Interface 1; Graphical User Interface 2; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection 2; Accessibility Features; Path Interception
Defense Evasion: Web Service 1; Masquerading 1; Process Injection 2
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Process Discovery 1; Security Software Discovery 1; File and Directory Discovery 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Web Service 1; Fallback Channels; Custom Cryptographic Protocol
Impact: Data Destruction; Data Encrypted for Impact; Disk Structure Wipe

Signature Overview

• Phishing
• Networking
• System Summary
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Phishing:

Yara detected Audio Phisher

Found iframes

HTML title does not match URL

Unusual large HTML page

META author tag missing

META copyright tag missing

Networking:

Social media urls found in memory data

Found strings which match to known social media urls

Urls found in memory or binary data

System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Sample might require command line arguments

Spawns processes

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Uses new MSVCR Dlls

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Behavior Graph

[Behavior graph (rendered image; only its labels survive extraction). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet. Root node: ID 192622, URL https://chrome.google.com/w..., Startdate 28/11/2019, Architecture WINDOWS, Score 48. iexplore.exe (node counts 10 and 87) started iexplore.exe (node counts 5 and 496); signature node: Yara detected Audio Phisher. Contacted 104.20.35.153 and 172.217.23.193 (ASN unknown, United States) plus 11 other IPs or domains. Dropped C:\Users\user\AppData\Local\...\9L14CHP1.htm and C:\Users\user\AppData\Local\...\WMS9QF0R.htm (HTML).]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\WMS9QF0R.htm
Rule: JoeSecurity_AudioPhisher
Description: Yara detected Audio Phisher
Author: Joe Security

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\9L14CHP1.htm
Rule: JoeSecurity_AudioPhisher
Description: Yara detected Audio Phisher
Author: Joe Security

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
iexplore.exe (PID: 3304 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 944 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3304 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\1FBVMPHM\accounts.google[1].xml
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with no line terminators
Size (bytes): 107
Entropy (8bit): 4.364413484891726
Encrypted: false
MD5: A9E44BE7915C8C7034C3080550162364
SHA1: 5C4C1C14D9ED0E18721E869DE05D9D21CE9E39F6
SHA-256: EA19DB056A6668C1D7D3CA269B37E55CE26D657F3227CC8F13D57FE41993306B
SHA-512: FD9B69EEF940031D725A634DD6E1FC33C7B2D31FAD472A54D3A034DCDDD7F65D3F358719BE0283B5585FBA3A098BA2DE646D0A921E5D5A6C14DD7B2AFE86D507
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\9K719AIK\www.[1].xml
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Size (bytes): 8842
Entropy (8bit): 5.121882318825809
Encrypted: false
MD5: 1D6061E342A10811815F9B3F84AB110D
SHA1: 7F3F86964CE6A44FB73B68BB7947A549F54ECCD3
SHA-256: 97E60EC8E73645B39710765DB54040786E998C7084F7B61FB9B26B1B42710FB5
SHA-512: E2FB6BAE279CA303CA91A6EF2EB60F8B9A8723332F1BC9AB593F43AAD691A610209DFC73EC6D257594988C2529EAD6F6A0342B32F1591D71B1A2FCEEF5B4FAAD
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06101F0C-11EC-11EA-AADB-C25F135D3C65}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 39000
Entropy (8bit): 1.9176081408477423
Encrypted: false
MD5: 866C4D8516D67A529F73658A61E255C7
SHA1: 48F7B2059A4D88C8578C348DC4E532624353760B
SHA-256: 8B7DAC54CE1C67C3E72E85D35AD0924892FE35BF8639A5EA632DD8E46F73FD6D
SHA-512: 500698E4506E8F98B8BC852D3F93872F6F91E8DD58E01C30847DDBAAD1C8DE9CD3F304C14238DBAFF621C982586DFA8789C43CC7E8F616A06C0AE71CD7DB848E
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{06101F0E-11EC-11EA-AADB-C25F135D3C65}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 242308
Entropy (8bit): 2.8640376841196447
Encrypted: false
MD5: 7CB2437B92565BB9155CC002BCDB7012
SHA1: 1BAD43F10936877576C5694B61311200BE6B4F26
SHA-256: 7ED0838D49B698159306F9824805896AE80BF21437AFC5870DDF4015E933369F
SHA-512: D4214B266BDAC55DDD341B079FDB417562680F0609542420F29519A55C338D6845207F9D94FCFB5DCD6547806B9CF74DE0555E784003DB085B652A600EBC9BCD
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0C308A92-11EC-11EA-AADB-C25F135D3C65}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 19032
Entropy (8bit): 1.586260519687321
Encrypted: false
MD5: EA79A61CD00AE685DBD645402DE9737B
SHA1: 371960E71F16D34A90D72DE61F4CC77F21D38031
SHA-256: 9F1B4201F673DECD1341304FDA07CF81039D49E72BE17EF74C5439272D132507
SHA-512: B8C9F0450902F890C092262F87781801D56FA3258E9A0E5B5738FF5918ECE2EA5416CFE4C9B94573F024DF605E65FE188D2CAA0174B81D5E589D5400B9C3A3F0
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.058606692131231
Encrypted: false
MD5: 3E45E5DBCFE98AEF9DD95CCE9E0F7269
SHA1: B1FC483D7F8C6307A555039B849930C69920E72D
SHA-256: 7E7E719B1681909A86432FAC233FD5D4D0935D5DEE97C57E81E2EB028C1787F6
SHA-512: D9D05C0B022F0ECE5BA233C432A018DC0E6C33DE73EE3A7075C2B44592739EAB4DC776648E4E7F51D21B5F1AB342C6F5CEB1BDD1B09F5F624BDCEF5139BBA8B6
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.094510451508991
Encrypted: false
MD5: EAAFC379EE15EAEF4BEFC3ECE28BBF5A
SHA1: 40A0753C4C9308FF604298C7B0715C8072480A5D
SHA-256: 8D6E0FF220E1F23330532E2070A8135B5619C37DBC0B77482B0D5BCA77C2B2EB
SHA-512: BD369C016A88A658772121F09E8B2359E2C015B735176C6694761C0A54E22D7BE365211783EF509B870DC659158F5E9B5DD73D1802ED74620B9E469446F96383
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 662
Entropy (8bit): 5.066521737416056
Encrypted: false
MD5: 50547BD217D83EA68D6341A229640B48
SHA1: 0515E15795F32ABFD8FD2A6F1047D10AA9349F97
SHA-256: 426490A00528402997F74138214CF1AC264AA17D820BDF9C18B146E0AE675DE5
SHA-512: D7E99B0A3B05D110B967E3A9DDB2F97527C116C22918655488ADFE55497F02EC3A47D7479FF1A99ED31012A64C2B07DDEBDF0887E6BC9AAE0B819C2A78734E7A
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 647
Entropy (8bit): 5.098733205070991
Encrypted: false
MD5: 8F45D30512A820F09926DAFF58356D1C
SHA1: 05B6B02BA332DB7095DCB20A7EBFF54DFDB20A71
SHA-256: 4CDE7F82FCEEAD8A1D029ABA8CDAB2D7C984093F3E4C2896958EF990B0E28218
SHA-512: FFF1CC2407215EB5F9FA2852EDEE90AB34D022315B69DE2C4F2CF88DB940B9E8479AB524782CD937869D94519142827ADDB46480C64DDD8CA7F9FCB72C1225B8
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.100004924831474
Encrypted: false
MD5: FB6749F9C772527C2F4B06A0B87FCBEC
SHA1: 83918FCCA4833CEFF908DED283D88F8E4C5047E6
SHA-256: 369B8BD83978602A919988B49665EC8DF55FF01A3A608A5F34D37160A0E1F6CF
SHA-512: 0B92E39B9EBA8AFFEF9FDA45F23BAC542E8EA57D20B7B0EBA4305061E0826B10457BD8101D0535D6C37B427C54DCC594AF2CDB99F53AC6F40021C89B1BAA02A4
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.055682440230975
Encrypted: false
MD5: 3871868E848C9BFCE41157872DC2EE51
SHA1: 7070D25F13A8755169743DC7417EF0AF5FF5687F
SHA-256: 3498C9211E47925467F6A43FE6698E537FC2AE6BFD74D7F38490482289864873
SHA-512: A9240B7ED3632D7AA21A9905DB66AF4443D4FC3B454BA5AAF0CA6E4DE8D2670BD53B94B89736EAE9A431A9208A1DBB3176C50EF34614314F5186083EDE90B354
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.120378865154227
Encrypted: false
MD5: 6F5269BEE90FA53B4BE6D04895544A8A
SHA1: 65F81ED52C486F73C459E3C7B2326773A9205805
SHA-256: 1D88708073DDAA440BD80C48EE6A8942B5C64CDD50E033CA175A953D4A69A40B
SHA-512: 95CD4F897C6582306DB0E7285431BBF3F40F78A3DF05C7FCAFE42F53831AB46C92277C3DF21D34C34F0D4D6452EBECD6611B7C8FBDF9A219F294A12F3E9CC620
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 659
Entropy (8bit): 5.090031567344531
Encrypted: false
MD5: 6E7C69960569A59BCB81A23DAAD71783
SHA1: 479E4352F75851E131837AB0D781C293907622F2
SHA-256: 4273C35982018D399BC50CA54953AF3E512AEFD7514D988B6910288536728AFD
SHA-512: 9BE4E6F9567EB876EEF9E4F53D05102BB6FADF58F365C990258A556D45E73635D76D0BD42399A7738C843445A32968E4054AD6A5EB564BC4690E4F1ED16D0DDC
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.071295825561868
Encrypted: false
MD5: DB4429B544285F5F0D1171B43D61A4B1
SHA1: 6161030CFB90B1AA20B75BE000983598AED2868E
SHA-256: C7E89D39CE8C628EB765902F7816CC1F4E4CAC8B13C3CD4B1BEABA2BBCCCD699
SHA-512: 03391F22589560A21B251C5AB8DEA3C994649B545514DA99F5757831FF373277C90815F38E41DF7C4A9C7D52ED7385894CECE6983C59AACFDA3196F1EF509CCE
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\6aw4uvh\imagestore.dat
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 12634
Entropy (8bit): 4.483860599169893
Encrypted: false
MD5: 79E1919C2761BB7B21A6EFE94D7F82FB
SHA1: D327D71ABD7862274CFFA9D8DDB3E61044C6CB20
SHA-256: 3223FD75380CA17BBFA7F5F9D19B30A57FF56D9193421394C694EDAC239FA88D
SHA-512: 9A429B62158F6FDD1DDA84CBC63BC429CEA53D36A2581173638A911C5618363A977922C420FBBB8B1641D7E1330680C70DD9007878FC38B65DAB4AEABAF4616D
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\WMS9QF0R.htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
Size (bytes): 149569
Entropy (8bit): 5.1616938829108765
Encrypted: false
MD5: 781BC7744C67AF3D7DF62F6544639386
SHA1: 8A25FDD9E2A4B1D9AFE49D33069D957F512D17BD
SHA-256: F99D3F22E0D5E3D76FE48A8F27940ACFF03CC1F8569581A10C8BF462BE7D669A
SHA-512: 3150EB4DDAE708FE08DF1B332668EB6CDF8BD6FF678816D59EFE2AE6F8A9CF6F8087CE577CD6E936ED8CDBCC8A61F87BDB9074FE83AA19A9F9712C731AD8A9F3
Malicious: true
Yara Hits: Rule: JoeSecurity_AudioPhisher, Description: Yara detected Audio Phisher, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\WMS9QF0R.htm, Author: Joe Security
Reputation: low
Preview: Google Tag Manager (noscript) --> End Google Tag Manager (noscript) --> Google Tag Manager -->

Can’t reach this page
  • Make sure the web address is correct
  • Search for this site on Bing

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\errorPageStrings[1]
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 16825
Entropy (8bit): 5.441186927851458
Encrypted: false
MD5: DA687C04C1AC608EE8C9C25C0C366723
SHA1: CCED2E350327B76B48AFB220B3727808156C04FC
SHA-256: 83205FC9C80BB48A1573224B5375DD7211D641E411E9F263AFE6C348E354D290
SHA-512: D10522A3102966233FD24F98331502C7D350FD928DBC8E91A2E4500AC80C1862C176C448D6F5AA71F91D2F7AEFE596A31F33B73C41B4E08B76ABFE0F3BD78C84
Malicious: false
Reputation: low
Preview:
//Split out for localization
var L_GOBACK_TEXT = "Go back to the previous page.";
var L_REFRESH_TEXT = "Refresh the page.";
var L_MOREINFO_TEXT = "More information";
var L_OFFLINE_USERS_TEXT = "For offline users";
var L_RELOAD_TEXT = "Retype the address.";
var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts ";
var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";
var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";
var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";

//used by invalidcert.js and hstscerterror.js
var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";
var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";
var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the web site you are trying to visit.";
var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\favicon[1].ico
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: MS Windows icon resource - 2 icons, 16x16, 32 bits/, 32x32, 32 bits/pixel
Size (bytes): 5430
Entropy (8bit): 3.06845154459195
Encrypted: false
MD5: 5E5D87F6D6CFFDF2B42518ED646E714D
SHA1: 27F69933D0529B7C2E66DFDB05F4B9091A7D794B
SHA-256: 9782E1C1A27C305CE67CA76FBDBABA99B93489E65F82CD4DAB57DD12FD33DFC6
SHA-512: 079867C46511DA64B2E96371F148B27B2D13B2860243028C7E0ADF0626ABDF41AE76F61CDA15971EA7DBABC8748686B8F72BE73F6082E56E1D8BC766A6422B9B
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\mspin_googcolor_medium[1].css
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 37560
Entropy (8bit): 7.958659971121894
Encrypted: false
MD5: 0C1435AC76792A7FF694AD502B97B48A
SHA1: 1501480B4FBC5FA51B2CC0F320A2D7BA4BE66094
SHA-256: 6CD8F2820819DB9CD623EA0A484D05CBD91644BB55FD6C764081AE66AC711F10
SHA-512: 71ADF9C8EDBFA7B06075C83153A091D1B34C7489470B615B3B994457B48C911084FBA6BF0E1D327BCFCB532DC4191C13C886458FEF1840B2C01EA0E02E8E252D
Malicious: false
Reputation: low
Preview: .mspin-medium{width:36px;height:36px;overflow:hidden;-webkit-animation:mspin-rotate 1568.63ms infinite linear;-moz-animation:mspin-rotate 1568.63ms infinite linear;animation:mspin-rotate 1568.63ms infinite linear}.mspin-medium > div{-webkit-animation:mspin-revrot 5332ms infinite steps(4);-moz-animation:mspin-revrot 5332ms infinite steps(4);animation:mspin-revrot 5332ms infinite steps(4)}.mspin-medium > div > div{background-image:url(mspin_googcolor_medium.svg);background-size:100%;width:11664px;height:36px;-webkit-animation:mspin-medium-film 5332ms infinite steps(324);-moz-animation:mspin-medium-film 5332ms infinite steps(324);animation:mspin-medium-film 5332ms infinite steps(324)}@-webkit-keyframes mspin-medium-film{from{-webkit-transform:translateX(0)}to{-webkit-transform:translateX(-11664px)}}@-webkit-keyframes mspin-rotate{from{-webkit-transform:rotate(0deg)}to{-webkit-transform:rotate(360deg)}}@-webkit-keyframes mspin-revrot{from{-webkit-transform:rotate(0deg)}to{-webkit-transform

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\photo[1].jpg
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: [TIFF image data, little-endian, direntries=1, software=Google], baseline, precision 8, 68x68, frames 3
Size (bytes): 27865
Entropy (8bit): 7.943545727085878
Encrypted: false
MD5: DDC162513DDABA7C1FF047172CE5C2FA
SHA1: 982D0DB4DA65ABAE40398C38DB0167876EAF46E4
SHA-256: BAB8132D0957741D2AA8C7620992CCC5E340B9A415805DB9AC7490E435BE6B89
SHA-512: 9FFA134E740B8CFFB4591723213F1C01C40E7D25BE883EED3B09914FB2C9615C36E2AF1FB2EF218FD72A9643B0A02317FE4FA14A41093C2114214C9B33E15E22
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\unnamedGQ1BAXHF.jpg
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 220x140, frames 3
Size (bytes): 5761
Entropy (8bit): 7.8488765898818205
Encrypted: false
MD5: E45C9316F7AD3B40694626FE99134D1E
SHA1: 13A408369EDAED4B769E42824E9F4DFF1A95A0F8
SHA-256: 9B78950AADB9E7AB502D517D7F492C0524A7FDD2F9D6EDA8E5388B1A3AB5595F
SHA-512: 8F0FF9F1C8708C115D316F33B47B15F90C8ECF36DBC075B9F6A595035E9192510DE0421C45AF3BED27C854E0E50028E0766A2CD499145117DF8EB4D873D4D924
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\www-embed-player[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Size (bytes): 1355240
Entropy (8bit): 5.564907319383914
Encrypted: false
MD5: 8DB3CFC93E7F68A3D8F08AE0B687206D
SHA1: 1A2E3E4272D1B97F315D0C752AD22FCD0ABDC689
SHA-256: 41C01DDCB3F5D1C32E2B9A76062EDD16F33C332207B6501EE0D2E6B8F1BBDE0B
SHA-512: 21D1BDD7E30E6A5881E0AFFD99BC34B60E825F957BB6C58737334F72884BDFB6E1AA9928EFBBDAD8BBBAFDCA98A0AB450A2C07BA92BC993DDCC586076975A947
Malicious: false
Reputation: low
Preview: (function(){var m;function aa(a){var b=0;return function(){return b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\www-player-vfl-sWJSq[1].css
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Size (bytes): 275892
Entropy (8bit): 5.176520321630863
Encrypted: false
MD5: FAC5894AA4CE0D80349B426A2891FBC7
SHA1: DF7745227492EA01B9F7880193F625A9E7411627
SHA-256: 0F1EBB9F09828B2F06C332EF6D43792A55F6F2B1A67B6B34E2B270F32A254BD3
SHA-512: A776F03FFEA3936A0F3E9630240B1598D73B7702B83745D16DDD6B3D3BE0A9046D882CC7DFC64FEA65BBBE59CB02259C69055D066EE94F899B4720A2F72ED730
Malicious: false
Reputation: low
Preview: .html5-video-player{position:relative;width:100%;height:100%;overflow:hidden;z-index:0;outline:0;font-family:"YouTube Noto",Roboto,Arial,Helvetica,sans-serif;color:#eee;text-align:left;direction:ltr;font-size:11px;line-height:1.3;-webkit-font-smoothing:antialiased;-webkit-tap-highlight-color:rgba(0,0,0,0);touch-action:manipulation;-ms-high-contrast-adjust:none}.html5-video-player:not(.ytp-transparent),.html5-video-player.unstarted-mode,.html5-video-player.ad-interrupting,.html5-video-player.ended-mode,.html5-video-player.ytp-fullscreen{background-color:#000}.ytp-big-mode{font-size:17px}.ytp-autohide{cursor:none}.html5-video-player a{color:inherit;text-decoration:none;-moz-transition:color .1s cubic-bezier(0.0,0.0,0.2,1);-webkit-transition:color .1s cubic-bezier(0.0,0.0,0.2,1);transition:color .1s cubic-bezier(0.0,0.0,0.2,1);outline:0}.html5-video-player a:hover{color:#fff;-moz-transition:color .1s cubic-bezier(0.4,0.0,1,1);-webkit-transition:color .1s cubic-bezier(0.4,0.0,1,1);transiti

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\CheckConnection[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, ASCII text, with very long lines
Size (bytes): 30132
Entropy (8bit): 5.429471778504565
Encrypted: false
MD5: FBF4AD5345F65E1BD3F70BED18E448F0
SHA1: CD7CB5BAE948B9EDEDE7A95E6F0F7903E02CA803
SHA-256: 37A0F58AADC0A7469D4F233C901DA9FC07B7E3F46130DB8068AAE781D44BA32D
SHA-512: 1729A2F4D6B740462DF2A9ECE72E5D7394B4F27CE6537A5C8BABEA2F9130D3C117612925077A8698261A3FE8BB769B0E3FB6B1FC5149896D78438FF4FE2F66FF
Malicious: false
Reputation: low