ID: 250035
Cookbook: browseurl.jbs
Time: 11:24:04
Date: 23/07/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

Analysis Report
  Overview: General Information; Detection; Signatures; Classification; Startup; Malware Configuration; Yara Overview; Sigma Overview; Signature Overview; Mitre Att&ck Matrix; Behavior Graph; Screenshots (Thumbnails)
  Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample; Dropped Files; Unpacked PE Files; Domains; URLs
  Domains and IPs: Contacted Domains; Contacted URLs; URLs from Memory and Binaries; Contacted IPs (Public)
  General Information
  Simulations: Behavior and APIs
  Joe Sandbox View / Context: IPs; Domains; ASN; JA3 Fingerprints; Dropped Files
  Created / dropped Files
  Static File Info (no static file info)
  Network Behavior: Network Port Distribution; TCP Packets; UDP Packets; DNS Queries; DNS Answers; HTTP Request Dependency Graph; HTTP Packets; HTTPS Packets
  Code Manipulations
  Statistics: Behavior
  System Behavior: Analysis Process iexplore.exe PID 4080, Parent PID 700 (General, File Activities, Registry Activities); Analysis Process iexplore.exe PID 2920, Parent PID 4080 (General, File Activities, Registry Activities)
  Disassembly

Copyright null 2020 Page 2 of 36

Analysis Report
http://www.careinvest-online.net/xga/eventr/nlciad/?cat=Die_Top-Nachrichten_der_Woche&action=14&label=Impressum&url=http://www.altenheim.net/xga/eventr/nlah/?cat=Altenheim_Newsletter_27_KW&action=2&label=Kreis-Guetersloh-Heimbewohner-duerfen-nicht-im-Zimmer-besucht-werden&url=https%3A%2F%2Feautodealerhub.com/evo2/fresh/eLead-V45/elead_track/Weblink/whitedot.aspx?url=aHR0cHM6Ly9maWxlc2RvY3hsaW4xLmF6dXJld2Vic2l0ZXMubmV0#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29t

Overview

General Information
Sample URL: www.careinvest-online.net/xga/eventr/nlciad/?cat=Die_Top-Nachrichten_der_Woche&action=14&label=Impressum&url=http://www.altenheim.net/xga/eventr/nlah/?cat=Altenheim_Newsletter_27_KW&action=2&label=Kreis-Guetersloh-Heimbewohner-duerfen-nicht-im-Zimmer-besucht-werden&url=https%3A%2F%2Feautodealerhub.com/evo2/fresh/eLead-V45/elead_track/Weblink/whitedot.aspx?url=aHR0cHM6Ly9maWxlc2RvY3hsaW4xLmF6dXJld2Vic2l0ZXMubmV0#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29t
Analysis ID: 250035
Most interesting Screenshot: (image not reproduced)

Detection
Score: 0 (Range: 0 - 100)
Whitelisted: false
Confidence: 80%
Verdict scale: malicious / suspicious / clean

Signatures
No high impact signatures.

Classification
(classification wheel, image not reproduced; category labels on the wheel: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware)
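The sample URL is not one page but a chain: a careinvest-online.net click-tracker whose url= carries an altenheim.net click-tracker, whose url= carries an eautodealerhub.com whitedot.aspx tracker, whose url= is base64 that decodes to https://filesdocxlin1.azurewebsites.net (the host the report lists under Contacted Domains), with a base64 fragment that decodes to a string of the shape user@domain. Because the altenheim.net hop was spliced in without percent-encoding, the outermost query carries two url= values, so which hop a browser actually visits depends on whether that server honours the first or the last value; the report does not record which. The following Python unwraps such a chain offline, without contacting any host. It is an added example, not part of the Joe Sandbox report; it assumes only that each hop forwards to the parameter named url (the parameter name and the recursion limit are configurable), and the sample input is copied from the report.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Sample URL as recorded in the report (Analysis ID 250035), split across
# string literals only for readability; the pieces concatenate to the original.
REPORT_URL = (
    "http://www.careinvest-online.net/xga/eventr/nlciad/"
    "?cat=Die_Top-Nachrichten_der_Woche&action=14&label=Impressum"
    "&url=http://www.altenheim.net/xga/eventr/nlah/"
    "?cat=Altenheim_Newsletter_27_KW&action=2"
    "&label=Kreis-Guetersloh-Heimbewohner-duerfen-nicht-im-Zimmer-besucht-werden"
    "&url=https%3A%2F%2Feautodealerhub.com/evo2/fresh/eLead-V45/elead_track/Weblink/whitedot.aspx"
    "?url=aHR0cHM6Ly9maWxlc2RvY3hsaW4xLmF6dXJld2Vic2l0ZXMubmV0"
    "#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29t"
)

HTTP_SCHEMES = ("http://", "https://")


def _b64_text(value):
    """Strictly base64-decode `value` to printable text, or return None.
    Missing '=' padding is tolerated because trackers often strip it."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def unwrap_redirect_chain(url, param="url", max_depth=10):
    """Return every URL reachable through nested `param` values, outermost
    first, without contacting any server. A hop that carries `param` more
    than once (ambiguous nesting) has every value followed, so the result
    covers both the first-value and last-value server behaviours."""
    chain = []

    def walk(current, depth):
        if depth > max_depth or current in chain:
            return
        chain.append(current)
        for value in parse_qs(urlsplit(current).query).get(param, []):
            # Plain URL, or base64 that decodes to one (whitedot.aspx style).
            target = value if value.startswith(HTTP_SCHEMES) else _b64_text(value)
            if target and target.startswith(HTTP_SCHEMES):
                walk(target, depth + 1)

    walk(url, 0)
    return chain


def chain_hosts(url, param="url"):
    """Hostnames of the chain, in order; the last one is the real landing host."""
    return [urlsplit(u).hostname for u in unwrap_redirect_chain(url, param)]


def hosts_with_repeated_param(url, param="url"):
    """Hosts whose own query carries `param` more than once. For the report's
    URL this is the outer tracker: its inner hop was not percent-encoded, so
    the inner hop's url= leaked out as a second value of the outer query."""
    return [
        urlsplit(u).hostname
        for u in unwrap_redirect_chain(url, param)
        if len(parse_qs(urlsplit(u).query).get(param, [])) > 1
    ]


def decode_fragment(url):
    """Base64-decode the fragment, or return None if absent or not base64.
    The fragment never reaches any server, so it is a convenient place for a
    landing page's JavaScript to read a pre-filled value such as an address."""
    fragment = urlsplit(url).fragment
    return _b64_text(fragment) if fragment else None


if __name__ == "__main__":
    for hop in chain_hosts(REPORT_URL):
        print("hop:", hop)
    print("hosts with repeated url= parameter:", hosts_with_repeated_param(REPORT_URL))
    print("fragment decodes to printable text:", decode_fragment(REPORT_URL) is not None)
```

The decoded fragment is deliberately not printed by the demo: it is personal data embedded in a phishing-style URL and should be handled like any other victim identifier. The stopped-web-app 403 page and portal.azure.com resources among the dropped files are consistent with the landing host having been taken down by the time of analysis, which is why nothing in this report scores.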

Startup

System is w10x64
iexplore.exe (PID: 4080, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 2920, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4080 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• System Summary
• Malware Analysis System Evasion
• HIPS / PFW / Protection Evasion


There are no malicious signatures.

Mitre Att&ck Matrix

The number after a technique is the count of matching signatures; entries without a number are the matrix template.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Graphical User Interface 2; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 2; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Masquerading 1; Process Injection 2; Rootkit; Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Process Discovery 1; Security Software Discovery 1; File and Directory Discovery 1; System Network Configuration Discovery
Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 3; Remote File Copy 1
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph

Behavior Graph Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

ID: 250035
URL: http://www.careinvest-onlin...
Startdate: 23/07/2020
Architecture: WINDOWS
Score: 0

Graph content (image not reproduced):
iexplore.exe (node counters 3, 84) started iexplore.exe (node counters 9, 78)
Contacted hosts shown in the graph:
  waws-prod-dm1-125.sip.azurewebsites.windows.net
  filesdocxlin1.azurewebsites.net
  portal-prod-westeurope-02.westeurope.cloudapp.azure.com (20.50.1.36, 443, 49772, 49773; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  blob.byaprdstr14a.store.core.windows.net (52.239.161.42, 443, 49749, 49750; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  12 other IPs or domains

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow. (images not reproduced)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
www.careinvest-online.net/xga/eventr/nlciad/?cat=Die_Top-Nachrichten_der_Woche&action=14&label=Impressum&url=http://www.altenheim.net/xga/eventr/nlah/?cat=Altenheim_Newsletter_27_KW&action=2&label=Kreis-Guetersloh-Heimbewohner-duerfen-nicht-im-Zimmer-besucht-werden&url=https%3A%2F%2Feautodealerhub.com/evo2/fresh/eLead-V45/elead_track/Weblink/whitedot.aspx?url=aHR0cHM6Ly9maWxlc2RvY3hsaW4xLmF6dXJld2Vic2l0ZXMubmV0#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29t | 1% | Virustotal |
(same URL) | 0% | Avira URL Cloud | safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
www.careinvest-online.net | 0% | Virustotal |
eautodealerhub.com | 3% | Virustotal |

URLs

Source | Detection | Scanner | Label
www.careinvest-online.net/xga/eventr/nlciad/?cat=Die_Top-Nachrichten_der_Woche&action=14&label=Impressum&url=http://www.altenheim.net/xga/eventr/nlah/?cat=Altenheim_Newsletter_27_KW&action=2&label=Kreis-Guetersloh-Heimbewohner-duerfen-nicht-im-Zimmer-besucht-werden&url=https%3A%2F%2Feautodealerhub.com/evo2/fresh/eLead-V45/elead_track/Weblink/whitedot.aspx?url=aHR0cHM6Ly9maWxlc2RvY3hsaW4xLmF6dXJld2Vic2l0ZXMubmV0 | 1% | Virustotal |
(same URL) | 0% | Avira URL Cloud | safe
https://docs.microsoft | 0% | Virustotal |
https://docs.microsoft | 0% | Avira URL Cloud | safe
https://filesdocxlin1.azurewebsites.net/#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29tRoot | 0% | Virustotal |
https://filesdocxlin1.azurewebsites.net/#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29tRoot | 0% | Avira URL Cloud | safe
https://filesdocxlin1.azurewebsites.net/P | 0% | Avira URL Cloud | safe
https://portal.azure.c | 0% | Avira URL Cloud | safe
https://docs.microsoftazurewebsites.net/#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29t.com/en-us/archive/blogs/wa | 0% | Avira URL Cloud | safe
https://filesdocxlin1.azurewebsites.net/ | 0% | Virustotal |
https://filesdocxlin1.azurewebsites.net/ | 0% | Avira URL Cloud | safe
fontello.comIcon | 0% | Avira URL Cloud | safe
https://www.google.%/ads/ga-audiences | 0% | URL Reputation | safe
https://www.google.%/ads/ga-audiences | 0% | URL Reputation | safe
www.partnerblog.at | 0% | Virustotal |
www.partnerblog.at | 0% | Avira URL Cloud | safe
www.wikipedia.com/ | 0% | Virustotal |
www.wikipedia.com/ | 0% | URL Reputation | safe
www.wikipedia.com/ | 0% | URL Reputation | safe
https://SteveLasker.blog | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
stats.l.doubleclick.net | 172.253.120.155 | true | false | | high
portal-prod-westeurope-02.westeurope.cloudapp.azure.com | 20.50.1.36 | true | false | | high
w.usabilla.com | 99.80.110.198 | true | false | | high
www.careinvest-online.net | 213.61.145.54 | true | false | 0%, Virustotal | unknown
blob.byaprdstr14a.store.core.windows.net | 52.239.161.42 | true | false | | high
eautodealerhub.com | 63.236.88.199 | true | false | 3%, Virustotal | unknown
cdn.speedcurve.com | unknown | unknown | false | | high
filesdocxlin1.azurewebsites.net | unknown | unknown | false | | low
portal.azure.com | unknown | unknown | false | | high
certificates.godaddy.com | unknown | unknown | false | | high
msdnshared.blob.core.windows.net | unknown | unknown | false | | high
stats.g.doubleclick.net | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.careinvest-online.net/xga/eventr/nlciad/?cat=Die_Top-Nachrichten_der_Woche&action=14&label=Impressum&url=http://www.altenheim.net/xga/eventr/nlah/?cat=Altenheim_Newsletter_27_KW&action=2&label=Kreis-Guetersloh-Heimbewohner-duerfen-nicht-im-Zimmer-besucht-werden&url=https%3A%2F%2Feautodealerhub.com/evo2/fresh/eLead-V45/elead_track/Weblink/whitedot.aspx?url=aHR0cHM6Ly9maWxlc2RvY3hsaW4xLmF6dXJld2Vic2l0ZXMubmV0 | false | 1%, Virustotal; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://msdnshared.blob.core.windows.net/media/2016/01/IbizaQuotas.jpg | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
https://portal.azure.com/App/Download | Welcome[1].htm.2.dr | false | | high
schema.org/BreadcrumbList | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
https://docs.microsoft | {DDB8CF70-CD11-11EA-AADE-C25F135D3C65}.dat.1.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://portal.azure.com/ | ~DF4F5A93B6A8CBAF43.TMP.1.dr, Welcome[1].htm.2.dr | false | | high
aka.ms/stephanus/blog) | toc[1].json.2.dr | false | | high
https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3& | analytics[1].js.2.dr | false | | high
www.amazon.com/ | msapplication.xml.1.dr | false | | high
https://account.windowsazure.com/Home/Index | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
www.twitter.com/ | msapplication.xml5.1.dr | false | | high
https://filesdocxlin1.azurewebsites.net/#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29t | ~DF4F5A93B6A8CBAF43.TMP.1.dr | false | | low
https://filesdocxlin1.azurewebsites.net/#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29tRoot | {DDB8CF70-CD11-11EA-AADE-C25F135D3C65}.dat.1.dr | false | 0%, Virustotal; Avira URL Cloud: safe | low
https://filesdocxlin1.azurewebsites.net/P | ~DF4F5A93B6A8CBAF43.TMP.1.dr | false | Avira URL Cloud: safe | low
https://github.com/ | d7089f5b.index-docs[1].js.2.dr | false | | high
purl.eligrey.com/github/classList.js/blob/master/classList.js | 7501e2bd.index-polyfills[1].js.2.dr | false | | high
https://docs-archive.visualstudio.com/DefaultCollection/docs-archive-project/_git/blogs-archive-pr?p | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
https://stats.g.doubleclick.net/j/collect | analytics[1].js.2.dr | false | | high
https://portal.azure.com/favicon.ico~ | imagestore.dat.2.dr | false | | high
https://docs-archive.visualstudio.com/DefaultCollection/docs-archive-project/_git/blogs-archive-pr/c | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
https://portal.azure.c | {DDB8CF70-CD11-11EA-AADE-C25F135D3C65}.dat.1.dr | false | Avira URL Cloud: safe | unknown
www.reddit.com/ | msapplication.xml4.1.dr | false | | high
certificates.godaddy.com/repository/gdig2.crt | A4B782275DC1682E4DC39E697A49B151.2.dr | false | | high
https://portal.azure.com/Content/Dynamic/2T0nXZp38ppy.css | Welcome[1].htm.2.dr | false | | high
https://portal.azure.com//en-us/archive/blogs/waws/azure-web-apps-error-403-this-web-app-is-stopped | ~DF4F5A93B6A8CBAF43.TMP.1.dr | false | | high
https://docs.microsoftazurewebsites.net/#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29t.com/en-us/archive/blogs/wa | {DDB8CF70-CD11-11EA-AADE-C25F135D3C65}.dat.1.dr | false | Avira URL Cloud: safe | unknown
www.apache.org/licenses/LICENSE-2.0 | d7089f5b.index-docs[1].js.2.dr, 7501e2bd.index-polyfills[1].js.2.dr | false | | high
www.nytimes.com/ | msapplication.xml3.1.dr | false | | high
https://msdnshared.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer. | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
https://portal.azure.com/Content/Dynamic/3GbaJ2dekkRN.css | Welcome[1].htm.2.dr | false | | high
https://www.jsdelivr.com/using-sri-with-dynamic-files | template.min[1].js.2.dr | false | | high
certs.godaddy.com/repository/1301 | A4B782275DC1682E4DC39E697A49B151.2.dr | false | | high
fontello.com | docons.85811ef5[1].eot.2.dr | false | | high
https://filesdocxlin1.azurewebsites.net/ | ~DF4F5A93B6A8CBAF43.TMP.1.dr | false | 0%, Virustotal; Avira URL Cloud: safe | low
https://w.usabilla.com/cd99660205c0.js?lv=1 | ~DF4F5A93B6A8CBAF43.TMP.1.dr | false | | high
https://certs.godaddy.com/repository/0 | A4B782275DC1682E4DC39E697A49B151.2.dr | false | | high
fontello.comIcon | docons.85811ef5[1].eot.2.dr | false | Avira URL Cloud: safe | unknown
https://d6tizftlrpuof.cloudfront.net/live/ | ~DF4F5A93B6A8CBAF43.TMP.1.dr | false | | high
https://portal.azure.com/favicon.ico | imagestore.dat.2.dr | false | | high
crl.godaddy.com/gdroot-g2.crl0F | A4B782275DC1682E4DC39E697A49B151.2.dr | false | | high
manage.windowsAzure.com | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
https://aka.ms/sitefeedback | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
https://www.google.%/ads/ga-audiences | analytics[1].js.2.dr | false | URL Reputation: safe; URL Reputation: safe | low
www.youtube.com/ | msapplication.xml7.1.dr | false | | high
https://portal.azure.com/App/Welcome?configHash=4vjBqbP1Dw6S&iepolyfills=true&l=en.en-us&pageVersion | ~DF4F5A93B6A8CBAF43.TMP.1.dr | false | | high
www.partnerblog.at | toc[1].json.2.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://portal.azure.com | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
www.wikipedia.com/ | msapplication.xml6.1.dr | false | 0%, Virustotal; URL Reputation: safe; URL Reputation: safe | low
https://SteveLasker.blog | toc[1].json.2.dr | false | Avira URL Cloud: safe | unknown
https://github.com/js-cookie/js-cookie | d7089f5b.index-docs[1].js.2.dr | false | | high
www.live.com/ | msapplication.xml2.1.dr | false | | high
schema.org/Organization | azure-web-apps-error-403-this-web-app-is-stopped[1].htm.2.dr | false | | high
aka.ms/MattsBlog | toc[1].json.2.dr | false | | high

Note that several of these strings (the godaddy.com ones with trailing characters, fontello.comIcon, docs.microsoftazurewebsites.net) are raw string-scan hits from binary or concatenated buffers, not URLs the browser requested; the Contacted Domains table above is the authoritative list of what was actually resolved.

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
213.61.145.54 | Germany | 8220 | COLTCOLTTechnologyServicesGroupLimitedGB | false
172.253.120.155 | United States | 15169 | GOOGLEUS | false
52.239.161.42 | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.50.1.36 | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
63.236.88.199 | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | false
99.80.110.198 | United States | 16509 | AMAZON-02US | false

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 250035
Start date: 23.07.2020
Start time: 11:24:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 15s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: www.careinvest-online.net/xga/eventr/nlciad/?cat=Die_Top-Nachrichten_der_Woche&action=14&label=Impressum&url=http://www.altenheim.net/xga/eventr/nlah/?cat=Altenheim_Newsletter_27_KW&action=2&label=Kreis-Guetersloh-Heimbewohner-duerfen-nicht-im-Zimmer-besucht-werden&url=https%3A%2F%2Feautodealerhub.com/evo2/fresh/eLead-V45/elead_track/Weblink/whitedot.aspx?url=aHR0cHM6Ly9maWxlc2RvY3hsaW4xLmF6dXJld2Vic2l0ZXMubmV0#cmNhc3Ryb0BsZWNhZ3JhcGhpY3MuY29t
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@3/54@10/6
Cookbook Comments: Adjust boot time; Enable AMSI; Browsing link: https://go.microsoft.com/fwlink/?linkid=2095007; Browsing link: https://portal.azure.com/

Warnings:
Exclude process from analysis (whitelisted): ielowutil.exe, WMIADAP.exe, MusNotifyIcon.exe, UsoClient.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 23.39.87.170, 192.124.249.31, 192.124.249.41, 192.124.249.36, 23.101.125.65, 23.37.41.201, 104.108.61.138, 152.199.19.160, 65.55.44.109, 52.142.114.2, 172.217.168.14, 151.101.2.217, 151.101.66.217, 151.101.130.217, 151.101.194.217, 204.79.197.200, 13.107.21.200, 152.199.19.161, 23.210.248.85
Excluded domains from analysis (whitelisted): waws-prod-dm1-125.cloudapp.net, docs.microsoft.com-c.edgekey.net, c-msn-com-nsatc.trafficmanager.net, c-bing-com.a-0001.a-msedge.net, e8789.b.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, prod.fs.microsoft.com.akadns.net, docs.microsoft.com-c.edgekey.net.globalredir.akadns.net, blogs.msdn.microsoft.com, www.google-analytics.com, fs.microsoft.com, www-google-analytics.l.google.com, blogs.msdn.microsoft.com.edgekey.net, cs22.wpc.v0cdn.net, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, e13630.dscb.akamaiedge.net, web.vortex.data.trafficmanager.net, web.vortex.data.microsoft.com, a3.shared.global.fastly.net, c.bing.com, go.microsoft.com.edgekey.net, gdcrl.godaddy.com.akadns.net, portal.azure.com.trafficmanager.net, az725175.vo.msecnd.net, c1.microsoft.com, docs.microsoft.com, cs9.wpc.v0cdn.net
Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 2472
Entropy (8bit): 7.139560346502974
Encrypted: false
MD5: F410302934FBE2CF692EA785EE188601
SHA1: 45CBB6AE476B78A36204F33B70030DAE82E6D750
SHA-256: CEE233C87CAB1B1B6D99A56119FACF9D0880CFBB9172F7E0C71EC80E3B29CECC
SHA-512: 9F185692B104F279B559D40F675CCEE1C8FA72C605FA5F2E89F0CAA6A37727FF411606F7CB16524AC49590005B7DD4E08F7674383B0C5C6EF097207731BA1354
Malicious: false
Reputation: low
Preview: DER-encoded X.509 certificate (CryptnetUrlCache entry written during chain building): issuer "Go Daddy Root Certificate Authority - G2", subject "Go Daddy Secure Certificate Authority - G2" (GoDaddy.com, Inc., Scottsdale, Arizona, US), validity 110503070000Z to 310503070000Z; embedded URLs http://certs.godaddy.com/repository/, http://ocsp.godaddy.com/, http://crl.godaddy.com/gdroot-g2.crl, https://certs.godaddy.com/repository/. The high entropy is the certificate's key and signature material, not encryption.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 524
Entropy (8bit): 2.9834567614436405
Encrypted: false
MD5: 3A78B03498C1A9C6C3AB94A75B61125C
SHA1: 7F523C134AF6E0CEA6266C634F74C9E6DCC1BA07
SHA-256: 0CE7FDBD06F052A6C6F19D09A3639198C544843F70FFBE443939CE45606DD6C5
SHA-512: 0CD7C433C1FC461D13964AAB4EDFE12B1BEF20687106F89578046E418886299D42749BEB995A85D934A40D378EFDFFF17196F1A7696E55D4CBE14EF106F57DE5
Malicious: false
Reputation: low
Preview: UTF-16 cache metadata for the Content entry above; cached URL http://certificates.godaddy.com/repository/gdig2.crt with ETag "4d4-5a22bd4cc3740", recorded twice.

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\9K719AIK\portal.azure[1].xml
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with no line terminators
Size (bytes): 26
Entropy (8bit): 2.469670487371862
Encrypted: false
MD5: 132294CA22370B52822C17DCB5BE3AF6
SHA1: DD26B82638AD38AD471F7621A9EB79FED448A71C
SHA-256: 451ABBE0AEFC000F49967DABF8D42344D146429F03C8C8D4AE5E33FF9963CF77
SHA-512: 6D5808CAD199A785C82763C68F0AE1F4938C304B46B70529EA26B3D300EF9430AD496C688D95D01588576B3A577001D62245D98137FD5CD825AD62E17D36F15C
Malicious: false
Reputation: low
Preview: (empty)

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\D1YBPPLZ\docs.microsoft[1].xml
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with no line terminators
Size (bytes): 26
Entropy (8bit): 2.469670487371862
Encrypted: false
MD5: 132294CA22370B52822C17DCB5BE3AF6
SHA1: DD26B82638AD38AD471F7621A9EB79FED448A71C
SHA-256: 451ABBE0AEFC000F49967DABF8D42344D146429F03C8C8D4AE5E33FF9963CF77
SHA-512: 6D5808CAD199A785C82763C68F0AE1F4938C304B46B70529EA26B3D300EF9430AD496C688D95D01588576B3A577001D62245D98137FD5CD825AD62E17D36F15C
Malicious: false
Reputation: low
Preview: (empty; identical content to the portal.azure[1].xml DOMStore entry above, hence identical hashes)

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DDB8CF6E-CD11-11EA-AADE-C25F135D3C65}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document (libmagic's label for any OLE compound file; IE recovery stores use that container)
Size (bytes): 30296
Entropy (8bit): 1.8510404384905903
Encrypted: false
MD5: 211CFAE2DFAB9F35888804BCFFC50FB5
SHA1: BDBF2839EA9EE4F4EC335497B3A7ADC48C33DCB6
SHA-256: 5AC9C87F9A52953384874B3B6F074CEC07C057C73BB9FF2CC910DF84CF2CAAE8
SHA-512: 517BCFD8E005118CC0F7D7DDF9F96334FEB5E4FBF14ACAD7F456A6B6FD1C08F1D858AAEE01BE807E29A75CBC5435954612B2CE517A3E6AC8EFED56CCA01BD441
Malicious: false
Reputation: low
Preview: OLE compound file header ("Root Entry")

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DDB8CF70-CD11-11EA-AADE-C25F135D3C65}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document (OLE compound file)
Size (bytes): 65152
Entropy (8bit): 2.246123544404467
Encrypted: false
MD5: 46C06046A18467B0D287671EFFF292E6
SHA1: AAB95A46825AEFCD66D7B6508587BBB0885E4921
SHA-256: CC35320F2E1AFD110A620BFAC2EEF5B526EBB4FE3D0D7A660762FC82441B3097
SHA-512: C04F61EAB421C611ACD0B972330830CCF8057DA1047F37C35D25C0DC9E291D2AACDF3051961167C5A47581FD2F1100CB398ADAE316BB123D98BB08EC7B85B00A
Malicious: false
Reputation: low
Preview: OLE compound file header ("Root Entry")

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E6E45809-CD11-11EA-AADE-C25F135D3C65}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document (OLE compound file)
Size (bytes): 16984
Entropy (8bit): 1.5639641028467475
Encrypted: false
MD5: B6D2529C5431C2DBA643868553DAF0C0
SHA1: AF9B57C489A64024CAA1FE11B024C1BBF0AB8465
SHA-256: F26D43F9CAA273CBA26F74B829B97AA00777964356AD6DEB48FADD80160D5AC3
SHA-512: 36AF7B4EBA88E68CB1ABD319C3AA45D7AFE268893595A0A6E472241D16CC1B840D4A1F08017E70CA1A65929964CBA24D7FBE27EBBA0B54FD0C3204682E9902D2
Malicious: false
Reputation: low
Preview: OLE compound file header ("Root Entry")

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.098122460508507
Encrypted: false
MD5: 698F8ADF3DDAF8B4EAAF142DEB1CBDDC
SHA1: 5C58E3F1BE6214B888EDD12433586B530A025921
SHA-256: 45379E8D57FD029A205D513496F843816DDC97E6C60EA126F14B0F40A32DC7E8
SHA-512: 160094381DCD17CC0E39EDA90187C160443257AE5AAEE76B36DD070417579807C8DEE9981999B80FBBF63F73F02D3A9A33B00DFA557064E5F55ABB0BAE402FB6
Malicious: false
Reputation: low
Preview: tile XML with tags stripped (accdate and related fields); timestamp values 0xb79eb43b,0x01d6611e

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.103525522563293
Encrypted: false
MD5: 9F0C06969ECDFCCDA959E23325727A5A
SHA1: DCAA9DF6982F0A355179C3D444533BA44497BF43
SHA-256: 2284E2BBBD0E5E54E11C04EE97CA64B8A3CBC06D4118FF0BD22724FA09723F2B
SHA-512: FC702D101E95D508DB1FBDB3E787D349D42B4DFE61445F93ABDD893462D3187DFA6AB5C3B15EE744540B1A8D0E62DB0117531FD1FFF21CC1686148F4BCE6E8D7
Malicious: false
Reputation: low
Preview: tile XML with tags stripped; timestamp values 0xb77036a0,0x01d6611e and 0xb77534d9,0x01d6611e

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 662
Entropy (8bit): 5.110662443937098
Encrypted: false
MD5: 65A24872CDC5035282D8B0B595EC1FC3
SHA1: 607780B1DFAD45614733E4AA417A2455452A64C2
SHA-256: C7CD2E9A3788D8E159E7DEABCA36E4EEEC94B68C0276D5D8BADFCDB531D6F057
SHA-512: 04805F5E354B2B24C53EF53B063901DC8F1CA96FF6ABAFBEB0DD8CC89500AC3AC8CDD6094199B7F789556860523F93DAF26DDB7A9C2B1BEE65D56173D20C9091
Malicious: false
Reputation: low
Preview: tile XML with tags stripped; timestamp values 0xb7a3eb92,0x01d6611e and 0xb7a6c040,0x01d6611e

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 647
Entropy (8bit): 5.107688636223089
Encrypted: false
MD5: 12C5B631162665D548509C19264B126A
SHA1: BB47C6A808B17776C334E1A11A28812C69270314
SHA-256: 24F683401A4A396E136C12A6BD315B993F08C3695DBE06466A9149741063F483
SHA-512: C74EEB247BB78E52A05430F781445FB42CA302F5B77497819E18A1D3FA6A007A83E9FCC2D5FB61D7A5AD8906805E56A0F8C17A10E51E86EE661D28D7302A04EA
Malicious: false
Reputation: low
Preview: tile XML with tags stripped; timestamp values 0xb786a2c5,0x01d6611e

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.132371770807355
Encrypted: false
MD5: 69CFECDF2309F5E802D8E3B59D57AFAC
SHA1: 7F0A94F0DC67020F50BBFC99DE42EC165E263B98
SHA-256: 219D7735576086D29C3DEF50C31A92B37B64AFC1AED656DAD198F02749828CC5
SHA-512: 5A27FB881961C942140D94E4EA4092E5A5DBF786F7BF34583B56EB96C7CD9FF199B39EFE42A171A6CD3F00A7686967457451D1782DED84BB39D1310369E9F9AD
Malicious: false
Reputation: low
Preview: tile XML with tags stripped; timestamp values 0xb7a948c3,0x01d6611e

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.093091849135439
Encrypted: false
MD5: A9F280CDBE8A1D1B2D7025856B12C977
SHA1: 5AD87F97D3B2EE7C5C5EEA51240AD89E3077587E
SHA-256: DF1576773E69F2CFA5C8F64E190BD8483AED2DA87813AB293B3FC015BCDFCB82
SHA-512: 472892EC077678E33D7BF2C87A39D359C462311F64F620B8EEAF2EFE08A960A13FA37EFC673F49FFFDCD97E0D45FDC85B614A8E1A8BE7E389F28ACA028F8F86D
Malicious: false
Reputation: low
Preview: tile XML with tags stripped; timestamp values 0xb7996a05,0x01d6611e

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.144716576690825
Encrypted: false
MD5: BF2A88AC25893BA7D123DB2725950F74
SHA1: 8EF0002820B7730E28A89F3B33314132FB953A3E
SHA-256: AD8B916DE80B90F2DBAAEAAE9D36DE0A6B70104DD4C835D36C5EA2B72843F01A
SHA-512: E64090F5FDCF967B3E000F6FEBEAC45AA3D352072B5DC5842980E4E33A9684921DD012BB9F9316E062DDBEA4E89442D78BF7A0D641F6F3FA26C0A22A95E84CE7
Malicious: false
Reputation: low
Preview: tile XML with tags stripped; timestamp values 0xb7897796,0x01d6611e

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 659
Entropy (8bit): 5.094473746653773
Encrypted: false
MD5: D8ECEA34C474C9EC82C9E8ABF8E220BA
SHA1: E1002A4CF2C3735D31E90C660585FF37EB1511C8
SHA-256: 42DE18458353BD2E6277B1E8E95E0E3E7309369DB566E4A59E9BB8213D0FC424
SHA-512: 017B712A8A11051EADDDA3CB8742DE383E2140D7343CABDB10064E7446EA9E1761E3565C62BA9747AC3EE9BF678A63714C93B25E29B1317F603803A7358A1AFB
Malicious: false
Reputation: low
Preview: tile XML with tags stripped; timestamp values 0xb77c818a,0x01d6611e and 0xb77d2c74,0x01d6611e

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.070619416384003
Encrypted: false
MD5: 15981EB9D5BFB027F8D3D55E34C88D94
SHA1: CFFE3F7980DE1CA25D58BCA66176153BD90CD95A
SHA-256: 299DBAA536ADDCEDB948A9B51E77AC2241215EEEDBFBFC0F57B1DE86D106A997
SHA-512: 36EDBF8969E13949504626DB276D13FFC8B566FD5305B3A2C6B30FFA29E4B752EB2CCFE96A601115443DB36FA2BF65E15CA8EE28C9AF9A79A845737FA6D534EC
Malicious: false
Reputation: low
Preview: ..0xb77fec3d,0x01d6611e0xb77fec3d,0x01d6611e....0xb77fec3d,0x01d6611e0xb7823e97,0x01d6611e ..
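The four tile previews above all carry the same kind of value: an `<accdate>` element holding a Windows FILETIME split into its two 32-bit halves, written as `0x<low>,0x<high>`. Turning those into wall-clock time is how an analyst places the tile writes on the process timeline next to the network events. The following is an added example, not code from the Joe Sandbox report: it reassembles the 64-bit tick count (100 ns units since 1601-01-01 UTC) and converts it to an aware UTC datetime. The pairs in SAMPLE_XML are the ones shown in the pin-8760897390 preview; the enclosing element names are an assumption, because the preview strips the XML tags. The first pair, 0xb7996a05,0x01d6611e, decodes to 2020-07-23 18:26:01 UTC.

```python
"""Decode the <accdate> FILETIME pairs in IE pinned-site tile files (msapplication.xml).
Added example; not part of the Joe Sandbox report."""
import re
from datetime import datetime, timedelta, timezone
from typing import List

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# "0x<low>,0x<high>" as it appears in the tile previews; one element per tile write.
ACCDATE_RE = re.compile(
    r"<accdate>\s*0x([0-9A-Fa-f]{1,8}),0x([0-9A-Fa-f]{1,8})\s*</accdate>"
)


def filetime_to_datetime(low: int, high: int) -> datetime:
    """Reassemble the 64-bit tick count and convert it to an aware UTC datetime."""
    ticks = (high << 32) | (low & 0xFFFFFFFF)
    # datetime resolution is microseconds, so the sub-microsecond digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_accdate(pair: str) -> datetime:
    """'0xb7996a05,0x01d6611e' -> 2020-07-23 18:26:01.120614+00:00"""
    low_hex, high_hex = (part.strip() for part in pair.split(","))
    return filetime_to_datetime(int(low_hex, 16), int(high_hex, 16))


def accdates_from_xml(xml_text: str) -> List[datetime]:
    """Every <accdate> in a tile file, in file order."""
    return [
        filetime_to_datetime(int(lo, 16), int(hi, 16))
        for lo, hi in ACCDATE_RE.findall(xml_text)
    ]


# Constructed sample (assumption): the values come from the pin-8760897390
# preview above; the surrounding element layout is not shown in the report.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    "<browserconfig><msapplication>"
    "<accdate>0xb7996a05,0x01d6611e</accdate>"
    "<accdate>0xb7996a05,0x01d6611e</accdate>"
    "<accdate>0xb7996a05,0x01d6611e</accdate>"
    "<accdate>0xb7996a05,0x01d6611e</accdate>"
    "</msapplication></browserconfig>"
)

if __name__ == "__main__":
    for stamp in accdates_from_xml(SAMPLE_XML):
        print(stamp.isoformat())
```

The high half (0x01d6611e) is shared by all four tile files, so only the low half distinguishes them; the pin20259167780 value 0xb7897796 sorts about a tenth of a second before the pin-8760897390 one, which is the order in which the tiles were written.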

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\6aw4uvh\imagestore.dat
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 50384
Entropy (8bit): 3.155238536256745
Encrypted: false
MD5: CBF701E21CAFBBEFF9EA14C83E556208
SHA1: 2D0740D17D09509AF020049D25CB71C612D9230C
SHA-256: 709FC55537D51F7678D9570A77164CBA8704FC92B8238FFF5EBB3E5D68F57AD3
SHA-512: DDBBCFF86D29F4836F06F0AE66EB51989FFC994D5F4561CCDF1717DF1CA608BFA4D0B2CC34EF766EFBC3B9BD7335D853DE87898315981585294383EBDC55D9B6
Malicious: false
Reputation: low
Preview: &.h.t.t.p.s.:././.d.o.c.s...m.i.c.r.o.s.o.f.t...c.o.m./.f.a.v.i.c.o.n...i.c.o.~(...... h(...... (...... (...... "P...... """""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333" """"""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333 333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""" """"""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...3333333333333333333 33333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\3157.AzureWebsitesQuota_thumb_42A7A3A5[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 628 x 484, 8-bit/color RGBA, non-interlaced
Size (bytes): 75916
Entropy (8bit): 7.9656116474781555
Encrypted: false
MD5: A3B26DD4AB688C07D713F79E66CF62ED
SHA1: FB1241B0CFD26CCE8E169626A5B85349B4B59BE4
SHA-256: B463BBED6F9E304D3C720D424A31626F849C1D732AB0EA3487AB44E8E92CA95E
SHA-512: B257F63F90D5DD4658C6F1A109DE9B9DB56ADFB9372DF76AAD511A2B2C4FCD3B5B39C09CE87C22840B9C1D18212848827C44024F36C5B1CE6383E787B8A4723E
Malicious: false
Reputation: low
IE Cache URL: https://msdnshared.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/62/25/metablogapi/3157.AzureWebsitesQuota_thumb_42A7A3A5.png
Preview: .PNG...... IHDR...t...... sRGB...... gAMA...... a.....pHYs...t...t..f.x....IDATx^...{#.y.....w...-.V..+...^....]...Iq.QN#.h4.$M.....l.s&.@...... "...... )..&{Z.n...... 4+.:u.:..*T...0..0.. +.."..2...ppp..:.a..a.s...:..."...... {.C..Zm.....)..0..0g...... F#..(..{...*.mX,.....oLg..a..9..?..W.bnn.~....=.Q....r.....j....0..0....[<...... ~e.{Oq..J..B....5.2..0...... /...... o/tG....?....jqH..Q.y...... WE.\B.\Au....G.8..[)...Q....o...}.U.(....m)..h?...... e..s.h.]..tN.pD...=..{.x{.r..D..=R.r>...>...... f...r.o.Q..|.g.V.....hz...l..t.....;..0..0.....8.z..mW.V.6BG. V..`1...}.k.....T67by...]...... FO..f...f.8../..Y.@49...... aIeG8.{..q._A.g.bq.C.2.c....f.B..._ ....{(.=.(.11<...~..Ha.....v?$8.n>...... 6...0-...I.Z- .t...`...3.SE6.QiE0S..#....d3...C_.0 ..U..R..z...R^.\.M...,M...... l:i...... m.!.+...... Mb..w`.s....,.b.._.-.B.d.I.v.0..`.f.c..JH8...}h$.0..0.9...... to't5..M...`q5p,S'...J.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\4150.azurewebsitesquota_stopped_thumb_0177099D[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 644 x 89, 8-bit/color RGBA, non-interlaced
Size (bytes): 17865
Entropy (8bit): 7.957973919345797
Encrypted: false
MD5: 9CBA5F880B9CADEFF7F3CB3B87CB159E
SHA1: A84822AFF6EB6F49B251C1351750521E92BB8F09
SHA-256: C273866F70D47344EEE4DFD457233E61FD698F4E29E578E2E260B38DCE1A82D1
SHA-512: 7627F681CAC3B24191C7778D64F6D507E29778F7831ED702A23B12AA7D37F9E97F5C3D7E7634F8C0A3B793CB9548091E0EFE7D9276048908EE4655535A3BDAE6
Malicious: false
Reputation: low
IE Cache URL: https://msdnshared.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/62/25/metablogapi/4150.azurewebsitesquota_stopped_thumb_0177099D.png
Preview: .PNG...... IHDR...... Y...... 5.....sRGB...... gAMA...... a.....pHYs...t...t..f.x..E^IDATx^.w{c.y..r]q...;..'.c..N..N.-;v..v.[r../.e....V.Da.H...Q...... ;y..}H....#)+ie.. .s...9.g.~.JJJ JJJJJJ.J...H.R8::...)..*)))))))]3..~...!..`gg...... 2e.)S.L...... a0...z5(|[email protected].#)S.2e.)S.L.k...*...... 2e.)S.L...... /jPXSS...... a,.S.L.2e.)S...'>...... p.?C.\..L.2e.)S...... W...d ggcxx..-*!....)S.L.2e.){..c...... "''...... GC...... K/!77....+))))))))}t..O}....7PPP....PIIIIIII...... @aa!\...B%%%%%%%..&..JJJJJJJJ.\...... *)))))))]s) TRRRRRRR..R@...... t ..PIIIIIII.K...... 5..B%%%%%%%.k...JJJJJJJJ.\...... *)))))))]s) TRRRRRRR..R@...... t..PIIIIIII.K...... 5..B%%%%%%%.k...JJJJJJJJ.\...... *)))))))]s) TRRRRRRR..R @...... t...... s... .H`ii.sss...~l...X]]...6.../.z>:;;..<::.^...!.{rr..yzzz...... K[[[.....hDYY.....7nhv..Mdff...... BH.R.g.w.;;;.D".p.<..|...... q$..5...;<<../-.`2...... Z....a.i..g..j..;.v.x.w

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\4657.image_thumb_62C01FB1[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 644 x 227, 8-bit/color RGBA, non-interlaced
Size (bytes): 34719
Entropy (8bit): 7.96487049148524
Encrypted: false
MD5: 4E5D0B4AD9B96580B0ACC9AA16E91EB3
SHA1: 7F1B3380E379AD35A190ABC8F3CF4EEF5E8C0FA2
SHA-256: 161A14FEC93FB93DF056F4E05D5F7FBB62E3C1AC3CAF362B59D530272BFA0ACA
SHA-512: 5CE3B909CE5AB9705F1F6B7A65861512270AFA7809633EFC55CB84E8932BCF4B7AFC1D768556B8282DBFC6169E56E30470DFE39AFFDC1E2B212B83947D3F92CC
Malicious: false
Reputation: low
IE Cache URL: https://msdnshared.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/62/25/metablogapi/4657.image_thumb_62C01FB1.png
Preview: .PNG...... IHDR...... sRGB...... gAMA...... a.....pHYs...... o.d...4IDATx^....U...... {.=..;Q..$.4...... [pw...... ]...... &...{f...... Vw.^...... C./...... H.x_...... `0.""b. ..B....) .d....K....\...8Y*..%O...%.|..I...r.Z.I.8.S2.. 4!.0a..?_.n.*g.1Bh0....!r.e.a.SH.T.U#.(i*I.6../U^._.f.....9....VZ.C"...M....R..d.Q..R. LEI.\....n...... M...... !4!l....0@I!.B#....`0.".~...ub.O$)Rg..EJJ..ui.L.*...4...z...(SAm...... ]...]_.92X.f].#..K...... M...(..p...m.6#....`0.".~..~..:..'w.*.T.ZS..G...... H..+..D.C..'.<.Y.g.!.j..- .JCGXq:I.(.:.....B..T.RI..e.A.a..#....`0.".~...#N..%[...... zv..."...R2...?...M.X../"..4...Zi..V...... &I.D.-+....u...!4...... Y./$c..R.~#.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\8562.image_thumb_4F7CD861[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 644 x 372, 8-bit/color RGBA, non-interlaced
Size (bytes): 80269
Entropy (8bit): 7.960555750691777
Encrypted: false
MD5: 1661636B66ADE933CF14D78F42A97061
SHA1: DB87AE1D1E1257ADB18D9E6AF0361431362D2A94
SHA-256: B68F2D1B303CFE9FD240F7F3FDF77D30A6CBE0147D43B80A114DC6FB150D23AD
SHA-512: 5A6F2549BC73E92DEB359923CDB0E304CD48DAB5019340A2ABE4D0BC6CCC423F0450C8B5DC17D72E2519A12036DBD6A1B25CD91975611BFAB570CB547E96DADB
Malicious: false
Reputation: low
IE Cache URL: https://msdnshared.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/62/25/metablogapi/8562.image_thumb_4F7CD861.png
Preview: .PNG...... IHDR...... t...... (.....sRGB...... gAMA...... a.....pHYs...... o.d....IDATx^...]...q/R..R.T(R7.B.N...... R.^$..H.[. q.D.!.B....;...... 3....;w.....m..%u..p8....1q...... C www....N...... R.w...... 9s.E...O<.ZZZ..:6B@..(.7Z..x.Ua.K...... /.....q8...eI..N.r..8..s..S.Y...+* .E..HP..c..X.?a...-D. .[...... '....#..u Y?.o'".../.....3Z.....XG...... SN...... TN.^.m...... f....w8..F.6|...... _..b)...f;...:&. m1....OEH+..g..k..74.o.o..^...]..~..#...... a.....!...6...... >5.5.ciW8kYW.....m..5.....`...0 .T.'...:....<.ay...... t..sl.P.x...<[email protected]...... J.ni..?..n...7...7...k$v.c..5.6y..P..b.pA{[email protected][Q.|...7D....+;.Cg...... ?,l.7.x....9.&...... p.H...J.....i<...?..dfCo....D.0(...)\..m..:_.....y..UOt.]..:N..#*O..I..A...x.B...... fm..J.KoR 9..<;..RBx...nQk_....c.H.._/...... m...1...N>..p..g...{hB...[Bm.z.Q.z.AX...o....S...5...... 6....p...... \.X.."l....g...... '.k.o...B....)..DB.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\ElectronBackground[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 2732 x 1536, 8-bit/color RGB, non-interlaced
Size (bytes): 28246
Entropy (8bit): 5.615213152094708
Encrypted: false
MD5: A72CFCB3B79702EA854B7FD7D522AFFA
SHA1: ED357DD54B17E64596AA3AFFCFFC6588A9725889
SHA-256: 8CA93668EBC8437D75323961D0D62A52CB6626C4FBF6D44FFD3CA0735D9C34E5
SHA-512: 61F354A2E5205090829AF8F670974BF3591A869C470F6C49AB6B44BEA1EDE92160A28F3EE0E44A2695CC8198D05F7EE87D506D5C9B5AF2E700D7CF2A608CB2FB
Malicious: false
Reputation: low
IE Cache URL: https://portal.azure.com/Content/Images/MsPortalFx/ElectronBackground.png
Preview: .PNG...... IHDR...... l.....sRGB...... gAMA...... a.....pHYs...... e..m.IDATx^..k{.F...5...{!..2.$o).&.%K.....qJ..S8.\...o...... 8./...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B...... B......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\IbizaQuotas[1].jpg
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: [TIFF image data, big-endian, direntries=4], baseline, precision 8, 641x917, frames 3
Size (bytes): 69248
Entropy (8bit): 7.584805716499132
Encrypted: false
MD5: 28828196CD9E7AB5DE88AF24A29DEA17
SHA1: BEA201E166E6877764A292A047CD278C44CD4A24
SHA-256: 1F9CA1B753ACC49E73BA72F44F6ABECBFA19A83922A6F6C1D3347959A6F06BB0
SHA-512: B8E171322398969C3D210E84AF874B5ED37A8800E8EB065BF7782305BE6A8EE1ECD34EA378A49FDA552ACC61A4240F7C2BC63DC1D8C4F7472A25D9545B480BC7
Malicious: false
Reputation: low
IE Cache URL: https://msdnshared.blob.core.windows.net/media/2016/01/IbizaQuotas.jpg
Preview: ...... JFIF.....`.`...... Exif..MM.*...... ;...... J.i...... X...... x...... >......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\MicrosoftLogoColors[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 864 x 171, 8-bit/color RGBA, non-interlaced
Size (bytes): 24001
Entropy (8bit): 7.947915070052089
Encrypted: false
MD5: 2C86299F63EDE4923527FD3177668289
SHA1: 1C4A0BD767CE33F67B9DAA4DEDEBC8AB4202AFBB
SHA-256: 6AF32094F90C68B8EEB4E4DADECEA22EF335F0F5BDFCDC63BF8CC3F117ECC1D6
SHA-512: 9D18B7598CCDC54F9A5452B98D0C9F8FEBDBD2B62D6228EF791DFA38C345CC4B1955B7217F9537083BC66A3C77FE9024636337C988B3A3D38499DACA7C1B97E5
Malicious: false
Reputation: low
IE Cache URL: https://portal.azure.com/Content/6.352.0.591371.200710-2134/Images/MsPortalFx/MicrosoftLogoColors.png
Preview: .PNG...... IHDR...`...... U.N....sRGB...... gAMA...... a.....pHYs...... ].....]VIDATx^..r.W.... H.....<."E..T.I.J...... W..J.z.../..:.....L..(.H...P$..$.b..-...... c.?...1.o_....T...Y.B.!..B.!. NO...B.!..B....L.!..B.!JB...B.!..B...0!..B.!.(..`B.!..B.Q.....B.!...$...!..B.!DI(..B.!..B..P.&..B.!..%..L.!..B.!JB...B.!..B...0!..B.!.(..`B.!..B.Q.....B.!...$...!..B.!DI(..B.!..B..P.&..B.!..%..L.!..B. !JB...B.!..B...0!..B.!.(..`B.!..B.Q...... 8;.....|".^...... P..C%.....ja:.|.8..O.....8g.Uz*.....i.0.a{...B.!.....lq.yX|t7,..1,\.[X..[.dmS.{2.~...... ac.Dz...3c..s...... 0;..._.l...[7..;7...... m.S.D.!..B...o .`..aq.._...{X..R.dm.s...... ='?.....z7...... g.;y...... Ze`.P..?.....N...F..T?.B.!..B....!..B.!DI(..B.!..B..P.&..B.!..%..L.!..B.!JB...B.!..B...0!..B.!.(..`B.!..B.Q.....B.!...$...!..B.!DI(..B.!..B..P .&..B.!..%..L.!..B.!JB...B.!..B...0!..B.!.(..`B.!..B.Q.....B.!...$...!..B.!DI(..B.!..B..P.&..B.!..%..L.!..B.!JB...B.!..B...0!..B.!.(..`B.!..B.Q...... YXX......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\bluebird.min[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with CRLF line terminators, with escape sequences
Size (bytes): 79576
Entropy (8bit): 5.23717134330721
Encrypted: false
MD5: 8C0479914B7B3B840BF9F62CFFE4ADAF
SHA1: C33559D5F359521E58ED375D6863A2E85A37EADD
SHA-256: AEC354E7DEA8B95F5A6242C12DBC66C54D6264795CDDF1CE685F59DE541CBA86
SHA-512: 7C31C0BD521562CC0F6DD604B568267FC217D198DAAE568B384A49B9CB93E21A27FED0FAB3B2A989F3715A864E0F7F867040474799ABFA6C344360310CAF4C7A
Malicious: false
Reputation: low
IE Cache URL: https://docs.microsoft.com/static/third-party/bluebird/3.5.0/bluebird.min.js
Preview: /* @preserve.. * The MIT License (MIT).. * .. * Copyright (c) 2013-2017 Petka Antonov.. * .. * Permission is hereby granted, free of charge, to any person obtaining a copy.. * of this software and associated documentation files (the "Software"), to deal.. * in the Software without restriction, including without limitation the rights.. * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.. * copies of the Software, and to permit persons to whom the Software is.. * furnished to do so, subject to the following conditions:.. * .. * The above copyright notice and this permission notice shall be included in.. * all copies or substantial portions of the Software... * .. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.. * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.. * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.. * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR O

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\7501e2bd.index-polyfills[1].js
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: UTF-8 Unicode text, with very long lines, with CRLF line terminators
Size (bytes): 21414
Entropy (8bit): 5.429253050177203
Encrypted: false
MD5: 13B9D44A8A0337793C8658703E2F9272
SHA1: A2FC49222080A74A0E512AB92CADF773A03FD0FB
SHA-256: 1FABD1B18BC7499FF4C5DE2038BEEE214B7590FE1EC76D40703284CD588A5F33
SHA-512: 5CE9619E750DDE1933B6BADC34C12903231DAB1384C9295BC03E926FC17B6E0E2A05F591F8AF696AA1A07BE25699ECD4BDA8974A814DD8FADA344C5956148C96
Malicious: false
Reputation: low
IE Cache URL: https://docs.microsoft.com/_themes/docs.theme/master/en-us/_themes/scripts/7501e2bd.index-polyfills.js
Preview: !function(){"use strict";../*! @source http://purl.eligrey.com/github/classList.js/blob/master/classList.js */"document"in window.self&&((!("classList"in document.createElement("_"))||document.createElementNS&&!("classList"in document.createElementNS("http://www.w3.org/2000/svg","g")))&&function(e){if("Element"in e){var a=e.Element.prototype,r=Object,t=String.prototype.trim||function(){return this.replace(/^\s+|\s+$/g,"")},s=Array.prototype.indexOf||function(e){for(var a=0,r=this.length;a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\CloudConnected[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 877 x 599, 8-bit/color RGB, non-interlaced
Size (bytes): 33956
Entropy (8bit): 7.929007179994227
Encrypted: false
MD5: 153107EE6477066FE80CCA8E9947DD24
SHA1: 6D51DC17B428474481001501536DDB9402BFF15C
SHA-256: D11BCFDD5F1BB2189245E20A9A754D6D38FAEE3344B30CE3B2851D122D418418
SHA-512: 59294E24C35B3CFC91BAED0AE24662A5D994235C2E6C7DEFE008DEAA34B6FA918F4DD07D7072D5DB1CE8968FC575F96D15D111F1CD917C9FB24A80C417BED8FB
Malicious: false
Reputation: low
IE Cache URL: https://portal.azure.com/Content/6.352.0.591371.200710-2134/Images/MsPortalFx/CloudConnected.png
Preview: .PNG...... IHDR...m...W...... +.....sRGB...... gAMA...... a.....pHYs...... e...9IDATx^....\.].{wu...ZY..3..&....q...... }...x..p...... ]`...,..`m...q....q..DI....&(..9WWU..s.O?z.T.S.U ...... sNU.|~]1.Y\...... b....b..jC... *....3e..H.Dh.H....0#[email protected],Z...... C[..h...... @C.._aL...N/....4.=3....t..ln~ye>._X.Z.,,..e.=.....=...... w...J.=y.dO.H.,S.....#.. h...E..h.K..G..?z1s.|..K..3Yo..H..9qh(~...... shkBcb A...... Q.:...b..+'.>....g.k...... w.K.~..e.S.~P..h#...+....H..6..D.u..../?.p...... B....?..z.s{..6>...... &E.u..._\...g...&..B..H....? vk.....$.fJ...:.9...:.h..l>v.Ss.=:...^...... _...!I.([email protected]...... s9...{../.~.-..h^.Ok...[...#...... na[5:...f?..l...Y.W..~.u.?tc..!..J-.I...... @M$&.. >.K..?xp..G.Z1A.n....n..}.s...... 4.q....'I.-.. h,,....L}..\t>FS..v].o.}...T2...... $a..Zk...... '7.k ..;...... [6..0..V2J[.@{#G..P5M....1..._wO...N..R.?...w...... H.#..Z..1r$...... ~z...?...g.[...{.
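The "Entropy (8bit)" and "Encrypted" columns above are worth reading together: most of the cached PNGs score between 7.93 and 7.97 bits per byte, close to the 8.0 of ciphertext, and the report still marks them Encrypted: false, while the JavaScript and HTML files sit near 5.2 to 5.6. The following added example (not code from the Joe Sandbox report) computes the same 8-bit Shannon entropy and shows the magic-byte check that keeps compressed containers such as PNG and JPEG from being mistaken for encrypted or packed payloads. The sample inputs are constructed, and the 7.9 threshold and the label names are assumptions for illustration.

```python
"""8-bit Shannon entropy with a compressed-container exception.
Added example; not part of the Joe Sandbox report."""
import hashlib
import math
from collections import Counter
from typing import Dict, Tuple

# Containers that are compressed by design: high entropy without being
# encrypted or packed. Magic bytes are the standard signatures.
COMPRESSED_MAGICS: Tuple[bytes, ...] = (
    b"\x89PNG\r\n\x1a\n",  # PNG (zlib-compressed IDAT chunks)
    b"\xff\xd8\xff",       # JPEG / JFIF
    b"\x1f\x8b",           # gzip
    b"PK\x03\x04",         # zip, docx, jar
)


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform 256-symbol stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_known_compressed(data: bytes) -> bool:
    """True when the blob starts with a signature from COMPRESSED_MAGICS."""
    return any(data.startswith(magic) for magic in COMPRESSED_MAGICS)


def classify(data: bytes, threshold: float = 7.9) -> str:
    """Triage label (assumed names): text-like, binary, compressed-container, high-entropy."""
    if is_known_compressed(data):
        return "compressed-container"
    h = shannon_entropy_8bit(data)
    if h >= threshold:
        return "high-entropy"
    return "text-like" if h < 6.5 else "binary"


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples modelled on the dropped-file types above.
SAMPLES: Dict[str, bytes] = {
    "license_text": b"Permission is hereby granted, free of charge, to any person obtaining a copy " * 40,
    "png_like": b"\x89PNG\r\n\x1a\n" + pseudo_random_bytes(16384),
    "opaque_blob": pseudo_random_bytes(16384),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14s} entropy={shannon_entropy_8bit(blob):.4f} label={classify(blob)}")
```

The ordering matters: the magic-byte check runs before the threshold, so a PNG whose IDAT stream is near 8.0 is reported as a compressed container, which is what the Encrypted: false entries above reflect. A blob with the same entropy and no recognised header is what deserves a closer look.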

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\OSP90M55.htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 21185
Entropy (8bit): 5.63083522971742
Encrypted: false
MD5: E50CA43CCDF97D2AF3126C8D7ABCE5A4
SHA1: 3CD63805D5AC5A53A365E2C2D0C39886335A1AE5
SHA-256: FC70930E7ABD0C7E9C322E45AC40E6B1F3B5197BD6147B69B11CA93D8487B68A
SHA-512: F15AF4914C2E2C74ACAFA9205DAB26205CDD0E492408F5E46B8DDF071F7249AD75FE352BB9462E261868E2E1BF72604186E6A5D491E5EFAAE3B6FED57813F670
Malicious: false
Reputation: low
Preview: Microsoft Azure