Play interactive tour

Edit tour

Analysis Report http://doc-0o-0o-docs.googleusercontent.com

Overview

General Information

Sample URL:	http://doc-0o-0o-docs.googleusercontent.com
Analysis ID:	324947
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

No high impact signatures.

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Startup

System is w10x64

iexplore.exe (PID: 5844 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 1376 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5844 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: doc-0o-0o-docs.googleusercontent.comConnection: Keep-Alive

Source: so[1].htm.2.dr	String found in binary or memory: ,[36,"YouTube","0 -1863px","https://www.youtube.com/?gl\u003dGB\u0026tab\u003dw1","",false,null,""] equals www.youtube.com (Youtube)
Source: m=Erxfzf,GPhFgf[1].js.2.dr	String found in binary or memory: var s_f3c=function(a){return s_d3c("https://www.facebook.com/dialog/share",{app_id:"738026486351791",href:s_e3c(a),hashtag:"#GoogleDoodle"})},s_g3c=function(a){return s_d3c("https://twitter.com/intent/tweet",{text:a})},s_e3c=function(a){var b=a;b&&0==b.indexOf("//")&&(b="https:"+a);return b},s_d3c=function(a,b){var c=new s_sn,d;for(d in b)c.add(d,b[d]);a=new s_ln(a);a.fp(c);return a.toString()};s_f("synu"); equals www.facebook.com (Facebook)
Source: m=Erxfzf,GPhFgf[1].js.2.dr	String found in binary or memory: var s_f3c=function(a){return s_d3c("https://www.facebook.com/dialog/share",{app_id:"738026486351791",href:s_e3c(a),hashtag:"#GoogleDoodle"})},s_g3c=function(a){return s_d3c("https://twitter.com/intent/tweet",{text:a})},s_e3c=function(a){var b=a;b&&0==b.indexOf("//")&&(b="https:"+a);return b},s_d3c=function(a,b){var c=new s_sn,d;for(d in b)c.add(d,b[d]);a=new s_ln(a);a.fp(c);return a.toString()};s_f("synu"); equals www.twitter.com (Twitter)

Source: unknown

DNS traffic detected: queries for: doc-0o-0o-docs.googleusercontent.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1561Date: Tue, 01 Dec 2020 03:44:36 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20

Source: {86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: http://doc-0o-0o-docs.googleusercontent.com/
Source: {86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: http://doc-0o-0o-docs.googleusercontent.com/0/#spf=1606794294696Root
Source: {86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: http://doc-0o-0o-docs.googleusercontent.com/0/ogleusercontent.com/Root
Source: {86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: http://doc-0o-0o-docs.googleusercontent.com/0Error
Source: {86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: http://doc-0o-0o-docs.googleusercontent.com/0Root
Source: {86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: http://doc-0o-0o-docs.googleusercontent.com/Root
Source: {86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: http://doc-0o-0o-docs.googleusercontent.com/z
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: http://schema.org/WebPage
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: http://www.agoogleaday.com/%23date%3D04-22-2011
Source: m=_b,_tp[1].js.2.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: m=_b,_tp[1].js.2.dr	String found in binary or memory: http://www.broofa.com
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: so[1].htm.2.dr	String found in binary or memory: https://ads.google.com/home/?subid
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: https://adservice.google.com/adsid/google/ui
Source: rs=AA2YrTuQ20Y1DxiLuszzs3iGhNldxe3INA[1].js.2.dr, callout[1].htm.2.dr, cb=gapi[1].js.2.dr, so[1].htm.2.dr, X0YR3RNF.htm.2.dr	String found in binary or memory: https://apis.google.com
Source: m=_b,_tp[1].js.2.dr, callout[1].htm.2.dr, so[1].htm.2.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: so[1].htm.2.dr	String found in binary or memory: https://artsandculture.google.com/?hl
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: https://artsandculture.google.com/asset/1gHDloJoP5eVQg
Source: so[1].htm.2.dr	String found in binary or memory: https://books.google.co.uk/bkshp?hl
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://clients6.google.com
Source: so[1].htm.2.dr	String found in binary or memory: https://contacts.google.com/?hl
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://content.googleapis.com
Source: so[1].htm.2.dr	String found in binary or memory: https://docs.google.com/document/?usp
Source: so[1].htm.2.dr	String found in binary or memory: https://docs.google.com/presentation/?usp
Source: so[1].htm.2.dr	String found in binary or memory: https://docs.google.com/spreadsheets/?usp
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: so[1].htm.2.dr	String found in binary or memory: https://drive.google.com/?tab
Source: so[1].htm.2.dr	String found in binary or memory: https://duo.google.com/?usp
Source: so[1].htm.2.dr	String found in binary or memory: https://earth.google.com/web/
Source: so[1].htm.2.dr	String found in binary or memory: https://hangouts.google.com/
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: https://id.google.com/verify/AHGvNoyMNNUL5ue7jBCECGeWmKuLuSNhOLy_Zln9zLqRGPh53o05OXwRESksNV9AF0B-gRN
Source: so[1].htm.2.dr	String found in binary or memory: https://jamboard.google.com/?usp
Source: so[1].htm.2.dr	String found in binary or memory: https://keep.google.com
Source: so[1].htm.2.dr	String found in binary or memory: https://mail.google.com/mail/?tab
Source: so[1].htm.2.dr	String found in binary or memory: https://maps.google.co.uk/maps?hl
Source: so[1].htm.2.dr	String found in binary or memory: https://meet.google.com?hs
Source: so[1].htm.2.dr	String found in binary or memory: https://myaccount.google.com/?utm_source
Source: so[1].htm.2.dr	String found in binary or memory: https://news.google.com/?tab
Source: callout[1].htm.2.dr, so[1].htm.2.dr	String found in binary or memory: https://ogs.google.com/
Source: so[1].htm.2.dr, X0YR3RNF.htm.2.dr	String found in binary or memory: https://ogs.google.com/widget/app/so
Source: callout[1].htm.2.dr	String found in binary or memory: https://ogs.google.com/widget/callout
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: https://ogs.google.com/widget/callout?prid=19014989
Source: rs=AA2YrTuQ20Y1DxiLuszzs3iGhNldxe3INA[1].js.2.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=drsl&drsl=
Source: so[1].htm.2.dr	String found in binary or memory: https://photos.google.com/?tab
Source: so[1].htm.2.dr	String found in binary or memory: https://play.google.com/?hl
Source: rs=ACT90oGnjuwwpk66nUEkpxUZ2ydCHhoN_A[1].js.2.dr, QCHAMIQX.js.2.dr, X0YR3RNF.htm.2.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: https://play.google.com/store/apps/editorial_collection/promotion_topic_donations?hl%3Den_US
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://plus.google.com
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://plus.googleapis.com
Source: so[1].htm.2.dr	String found in binary or memory: https://podcasts.google.com/
Source: callout[1].htm.2.dr, so[1].htm.2.dr	String found in binary or memory: https://ssl.gstatic.com
Source: so[1].htm.2.dr	String found in binary or memory: https://ssl.gstatic.com/gb/images/p1_799229b0.png
Source: so[1].htm.2.dr	String found in binary or memory: https://ssl.gstatic.com/gb/images/p2_edfc3681.png
Source: rs=AA2YrTuQ20Y1DxiLuszzs3iGhNldxe3INA[1].js.2.dr	String found in binary or memory: https://ssl.gstatic.com/gb/images/spinner_32.gif
Source: so[1].htm.2.dr	String found in binary or memory: https://stadia.google.com/
Source: so[1].htm.2.dr	String found in binary or memory: https://translate.google.co.uk/?hl
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: https://trends.google.com/hottrends
Source: rs=ACT90oGnjuwwpk66nUEkpxUZ2ydCHhoN_A[1].js.2.dr, m=_b,_tp[1].js.2.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: so[1].htm.2.dr	String found in binary or memory: https://www.blogger.com/?tab
Source: so[1].htm.2.dr	String found in binary or memory: https://www.google.co.uk/finance?tab
Source: so[1].htm.2.dr	String found in binary or memory: https://www.google.co.uk/intl/en/about/products?tab
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: https://www.google.co.uk/intl/en/about/products?tab=wh
Source: so[1].htm.2.dr	String found in binary or memory: https://www.google.co.uk/save
Source: so[1].htm.2.dr	String found in binary or memory: https://www.google.co.uk/shopping?hl
Source: so[1].htm.2.dr	String found in binary or memory: https://www.google.co.uk/webhp?tab
Source: {86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr, callout[1].htm.2.dr, so[1].htm.2.dr, X0YR3RNF.htm.2.dr	String found in binary or memory: https://www.google.com
Source: callout[1].htm.2.dr	String found in binary or memory: https://www.google.com"
Source: ~DF24CF9591405FD0E2.TMP.1.dr	String found in binary or memory: https://www.google.com/#spf=1606794294696m/
Source: rs=AA2YrTuQ20Y1DxiLuszzs3iGhNldxe3INA[1].js.2.dr	String found in binary or memory: https://www.google.com/_/og/promos/
Source: so[1].htm.2.dr	String found in binary or memory: https://www.google.com/calendar?tab
Source: callout[1].htm.2.dr	String found in binary or memory: https://www.google.com/chrome/%3Fbrand%3DOKWM%26utm_source%3Dgoogle.com%26utm_medium%3Dmaterial-call
Source: so[1].htm.2.dr	String found in binary or memory: https://www.google.com/chrome/?brand
Source: so[1].htm.2.dr	String found in binary or memory: https://www.google.com/enterprise/marketplace
Source: imagestore.dat.2.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: imagestore.dat.2.dr	String found in binary or memory: https://www.google.com/favicon.ico~
Source: callout[1].htm.2.dr	String found in binary or memory: https://www.google.com/images/hpp/Chrome_Owned_96x96.png
Source: QCHAMIQX.js.2.dr, X0YR3RNF.htm.2.dr	String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: ~DF24CF9591405FD0E2.TMP.1.dr	String found in binary or memory: https://www.google.com/ogleusercontent.com/
Source: ~DF24CF9591405FD0E2.TMP.1.dr	String found in binary or memory: https://www.google.com/ogleusercontent.com/0o-docs.googleusercontent.com/
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: https://www.google.com/search?q%3Dnebulae%26um%3D1%26ie%3DUTF-8%26tbm%3Disch%26csf%3Db
Source: callout[1].htm.2.dr	String found in binary or memory: https://www.google.com/url?q
Source: callout[1].htm.2.dr, X0YR3RNF.htm.2.dr	String found in binary or memory: https://www.google.com/url?q=https://www.google.com/chrome/%3Fbrand%3DOKWM%26utm_source%3Dgoogle.com
Source: {86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: https://www.google.comgoogleusercontent.com/z
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: cb=gapi[1].js.2.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: callout[1].htm.2.dr, so[1].htm.2.dr	String found in binary or memory: https://www.gstatic.com
Source: callout[1].htm.2.dr, so[1].htm.2.dr	String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.UClDByRFGDk.
Source: rs=AA2YrTuQ20Y1DxiLuszzs3iGhNldxe3INA[1].js.2.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: rs=AA2YrTuQ20Y1DxiLuszzs3iGhNldxe3INA[1].js.2.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: rs=AA2YrTuQ20Y1DxiLuszzs3iGhNldxe3INA[1].js.2.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: X0YR3RNF.htm.2.dr	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.eDa9r_TVF5I.O/rt=j/m=qdsh/d=1/ed=1/rs=AA2YrTvt_FChtzG
Source: so[1].htm.2.dr	String found in binary or memory: https://www.youtube.com/?gl

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: classification engine

Classification label: clean0.win@3/31@2/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86BBD72B-3387-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2E772EE282E37133.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5844 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5844 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer3	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://doc-0o-0o-docs.googleusercontent.com	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.google.co.uk/intl/en/about/products?tab=wh	0%	URL Reputation	safe
https://www.google.co.uk/intl/en/about/products?tab=wh	0%	URL Reputation	safe
https://www.google.co.uk/intl/en/about/products?tab=wh	0%	URL Reputation	safe
https://www.google.co.uk/save	0%	URL Reputation	safe
https://www.google.co.uk/save	0%	URL Reputation	safe
https://www.google.co.uk/save	0%	URL Reputation	safe
https://www.google.co.uk/intl/en/about/products?tab	0%	URL Reputation	safe
https://www.google.co.uk/intl/en/about/products?tab	0%	URL Reputation	safe
https://www.google.co.uk/intl/en/about/products?tab	0%	URL Reputation	safe
http://www.broofa.com	0%	URL Reputation	safe
http://www.broofa.com	0%	URL Reputation	safe
http://www.broofa.com	0%	URL Reputation	safe
https://translate.google.co.uk/?hl	0%	URL Reputation	safe
https://translate.google.co.uk/?hl	0%	URL Reputation	safe
https://translate.google.co.uk/?hl	0%	URL Reputation	safe
https://books.google.co.uk/bkshp?hl	0%	URL Reputation	safe
https://books.google.co.uk/bkshp?hl	0%	URL Reputation	safe
https://books.google.co.uk/bkshp?hl	0%	URL Reputation	safe
https://www.google.co.uk/webhp?tab	0%	URL Reputation	safe
https://www.google.co.uk/webhp?tab	0%	URL Reputation	safe
https://www.google.co.uk/webhp?tab	0%	URL Reputation	safe
https://www.google.co.uk/finance?tab	0%	URL Reputation	safe
https://www.google.co.uk/finance?tab	0%	URL Reputation	safe
https://www.google.co.uk/finance?tab	0%	URL Reputation	safe
https://maps.google.co.uk/maps?hl	0%	URL Reputation	safe
https://maps.google.co.uk/maps?hl	0%	URL Reputation	safe
https://maps.google.co.uk/maps?hl	0%	URL Reputation	safe
https://www.google.co.uk/shopping?hl	0%	URL Reputation	safe
https://www.google.co.uk/shopping?hl	0%	URL Reputation	safe
https://www.google.co.uk/shopping?hl	0%	URL Reputation	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
pagead46.l.doubleclick.net	172.217.18.2	true	false	high
googlehosted.l.googleusercontent.com	172.217.16.193	true	false	high
favicon.ico	unknown	unknown	false	unknown
doc-0o-0o-docs.googleusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://doc-0o-0o-docs.googleusercontent.com/	false		high
http://doc-0o-0o-docs.googleusercontent.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.co.uk/intl/en/about/products?tab=wh	X0YR3RNF.htm.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	m=_b,_tp[1].js.2.dr	false		high
http://doc-0o-0o-docs.googleusercontent.com/0Root	{86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	false		high
https://www.google.co.uk/save	so[1].htm.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.google.co.uk/intl/en/about/products?tab	so[1].htm.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.broofa.com	m=_b,_tp[1].js.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://doc-0o-0o-docs.googleusercontent.com/0/#spf=1606794294696Root	{86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	false		high
https://translate.google.co.uk/?hl	so[1].htm.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://doc-0o-0o-docs.googleusercontent.com/z	{86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	false		high
https://books.google.co.uk/bkshp?hl	so[1].htm.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.youtube.com/?gl	so[1].htm.2.dr	false		high
https://www.google.co.uk/webhp?tab	so[1].htm.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://doc-0o-0o-docs.googleusercontent.com/0Error	{86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	false		high
https://www.google.co.uk/finance?tab	so[1].htm.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://doc-0o-0o-docs.googleusercontent.com/0/ogleusercontent.com/Root	{86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	false		high
https://maps.google.co.uk/maps?hl	so[1].htm.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.blogger.com/?tab	so[1].htm.2.dr	false		high
https://www.google.co.uk/shopping?hl	so[1].htm.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schema.org/WebPage	X0YR3RNF.htm.2.dr	false		high
http://www.agoogleaday.com/%23date%3D04-22-2011	X0YR3RNF.htm.2.dr	false		high
http://doc-0o-0o-docs.googleusercontent.com/Root	{86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.217.16.193	unknown	United States		15169	GOOGLEUS	false
172.217.18.2	unknown	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	324947
Start date:	01.12.2020
Start time:	04:43:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://doc-0o-0o-docs.googleusercontent.com
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@3/31@2/2
Cookbook Comments:	Adjust boot time Enable AMSI Browsing link: http://www.google.com/
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.83.120.32, 52.147.198.201, 216.58.208.36, 216.58.210.3, 172.217.21.227, 172.217.18.99, 172.217.18.14, 216.58.212.174, 172.217.16.142, 216.58.205.227, 51.104.139.180, 92.122.213.247, 92.122.213.194, 152.199.19.161 Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, ssl.gstatic.com, arc.msn.com.nsatc.net, ogs.google.com, adservice.google.com, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, id.google.com, www.google.com, watson.telemetry.microsoft.com, www.gstatic.com, img-prod-cms-rt-microsoft-com.akamaized.net, plus.l.google.com, fonts.gstatic.com, ie9comview.vo.msecnd.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcoleus16.cloudapp.net, play.google.com, www3.l.google.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, apis.google.com, cs9.wpc.v0cdn.net Report size getting too big, too many NtDeviceIoControlFile calls found. VT rate limit hit for: http://doc-0o-0o-docs.googleusercontent.com

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\BC6XF3KU\www.google[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	6613
Entropy (8bit):	5.027599028761285
Encrypted:	false
SSDEEP:	96:1fK1kSJyMM62HU333ChH2ylAv6nL4P7AjyChH2ylAv6nL4P7AjyChH2ylAv6nL4V:5KG8yMMNE/eE/eE/eE/T
MD5:	CA5851B91F5F30C0A37B38285BCA1AE5
SHA1:	82827D27F6C3C20EDE3ADBA75324A4992B95C466
SHA-256:	D32EB0E119F6D46ED67D5C4B19F5A81C437C4DF7B1ED6D24E8938C72396A5F61
SHA-512:	146F27D305E016E2F4BBEA1E5AD63BEA6D3A0F2C807801F3C3251DE022A7F4D847FAFD7CB4E7232287ABD027F7FCA5E5444C8AC8E2935FA8A2390C2B31BAEE89
Malicious:	false
Reputation:	low
Preview:	<root><item name="sb_wiz.qc" value="1" ltime="2811281280" htime="30840570" /><item name="sb_wiz.zpc." value="[[["news UK",0,[362,308,154,357],{"zl":40009}],["dinner recipes",0,[362,308,154,357],{"zl":40009}],["24hr supermarket near me",0,[362,308,154,357],{"zl":40009}],["last minute holidays",0,[362,308,154,357],{"zl":40009}],["weather tomorrow",0,[362,308,154,357],{"zl":40009}],["cities in UK",0,[362,308,154,357],{"zl":40009}]],{"ag":{"a":{"40009":"Try searching for"}},"q":"m-8sCxwNVqraaMzd_0n2ExiMRbc"}]" ltime="2829291280" htime="30840570" /></root><root><item name="sb_wiz.qc" value="1" ltime="2811281280" htime="30840570" /></root><root><item name="sb_wiz.qc" value="1" ltime="2811281280" htime="30840570" /></root><root><item name="sb_wiz.qc" value="1" ltime="2811281280" htime="30840570" /><item name="sb_wiz

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86BBD72B-3387-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8525974116477766
Encrypted:	false
SSDEEP:	192:rlZmZn2D9W4txif0sOzMDGBvgDSsfBsPjX:rrC2DU8OVKqBW
MD5:	CA423302B500E89D438D7A76D624F86C
SHA1:	B102CEFC3DF7A52D2BC7E693F28BA5716D620FB3
SHA-256:	1810B3FC3BC8E7D4A9730CAC3B8152AB13A328B399ACD38E8C10E13635AC74DD
SHA-512:	A586CC20549929864A5013143D26BBA2049BB930F28DCEB7A3882445947A32CE49160EAF5B1734C907AC4371086FC451C23D39ACA8BAF119C510D01E0A050972
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{86BBD72D-3387-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	36316
Entropy (8bit):	1.910525816968464
Encrypted:	false
SSDEEP:	192:reZ9QN6ekSFjN2okWoMLYTguYkW5akjY6kuJBHBXwt9CIW:rqC4/ShEsNLWgLkV+raI
MD5:	BD7A66D08F485BFFA07AF22AF6D1E239
SHA1:	C0E3C770685207D66D96555999169945C6237080
SHA-256:	3E5809FCACB00E0B6E3A17CDE90727D414AAD244AA219938ED46F57F7D8347CB
SHA-512:	AA601CD0906F2AFB3F54963ED4CAAF8F5CB9AFD6AD7FE072DA0FAD4DB177B392357F45E8C44DBFC0776C617DE66D4EE6665361779CD74A97BB11D99FFF99AF75
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{86BBD72E-3387-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5647182128723551
Encrypted:	false
SSDEEP:	48:IwLGcpr7GwpaCG4pQJGrapbS1rGQpKPG7HpResTGIpG:rRZVQy6pBS1FAeTe4A
MD5:	59834544D9B073E3484F96CDC66775E5
SHA1:	727FAA0CCFDD466A5F3B2448BF2D74DA8A997E73
SHA-256:	F35F7DC0AF634D177302B3E6C37AD58A3390781C240C6FC969C31D55877E3C3D
SHA-512:	0ED753CDD99C358393BF9B654EC4C3817683C7853B373672C8A0698032D5CBB4ABC23300387190DB22FA7295AD6D2BE99AA5D7FCEC4A835F8ECCCAF3E0812803
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5648
Entropy (8bit):	3.741578576080997
Encrypted:	false
SSDEEP:	48:xwDaO7IJct3xItwDaYxG/7nvWDtZcdYLtX7B6QXL3aqG8b:YvIJct+MP47v+rcqlBPG92
MD5:	A2BB4E5BC5C01E362716683E34CD525C
SHA1:	735749041E0B0B57774F0B09E7E98E64821553C0
SHA-256:	04B618AF4F95AF9337B2480D60A1D489859CE4146878464DEEF15E2A049F3383
SHA-512:	B046B1E6D2A073D5631CDE05BAC32A25864574B118A9D7B4AE29B521805E210B3FF4265C335AF4A57160D93FC9B7D655C778CE8CF840645653D8A89DBE46AAC9
Malicious:	false
Reputation:	low
Preview:	".h.t.t.p.s.:././.w.w.w...g.o.o.g.l.e...c.o.m./.f.a.v.i.c.o.n...i.c.o.~............... .h.......(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\4UabrENHsxJlGDuGo1OIlLU94YtzCwA[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 26412, version 1.1
Category:	downloaded
Size (bytes):	26412
Entropy (8bit):	7.982191465892414
Encrypted:	false
SSDEEP:	768:BXFxTA19K8CdHMT6KHQO8LWhHCWN1ekhzLS:9f29ZYMTwO8qh1nm
MD5:	142CAD8531B3C073B7A3CA9C5D6A1422
SHA1:	A33B906ECF28D62EFE4941521FDA567C2B417E4E
SHA-256:	F8F2046A2847F22383616CF8A53620E6CECDD29CF2B6044A72688C11370B2FF8
SHA-512:	ED9C3EEBE1807447529B7E45B4ACE3F0890C45695BA04CCCB8A83C3063C033B4B52FA62B0621C06EA781BBEA20BC004E83D82C42F04BB68FD6314945339DF24A
Malicious:	false
Reputation:	low
IE Cache URL:	https://fonts.gstatic.com/s/googlesans/v14/4UabrENHsxJlGDuGo1OIlLU94YtzCwA.woff
Preview:	wOFF......g,................................GDEF.......q........GPOS.......%..+...RGSUB.......y......m.OS/2.......U...`i`..cmap...........~n...cvt ................fpgm...@.......uo..gasp................glyf......>F..m>Q..head..[\...6...6..'.hhea..[.... ...$...3hmtx..[..........<'3loca..^l...{...._.{.maxp..`.... ... ....name..a........V..4.post..a..........i]\prep..et.......^....x.D...Q...3..IX=D.@@....@....."...}......`.%.....x.........umW...g.WwO.....J..^?.Jci^N{.Nr..Jw@.n(.....t4....g...x.....6.E..8..........affff.0.B..&.L...B.Nzy..n.T.t~w&..%[.dYzzz.Oe" ..lE.........m..7[s}...[l..)..)...(H.A.@q.57..S.@.._..]..j.-^N.R...'...]v.0..2n.6...~....X..xN.DN.T..b..Q5.E.).,QI.....M....6.P."..\|...tI5.......t..r.(...{M..T}..@.kbNP.I.9-...=E.U'.{.....p\|.t..qJE.9...'......z...L./.....rnXQ.6.\|.....n.V.....K.?.G...<..<..Q.....C..K(s.PR.x\(..P@.P..z.DL.1.$../.8A.8Q.r.Pr[e.Rt+~.}9.)E.'.U..z.G..G..OH/H...L.../..{S...EP.%........o.................uN...'.}%..9.F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\KFOmCnqEu92Fr1Mu4mxM[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 19824, version 1.1
Category:	downloaded
Size (bytes):	19824
Entropy (8bit):	7.970306766642997
Encrypted:	false
SSDEEP:	384:ozNCb8EbW9Wg166uwroOp/taiap3K6MC4fsPPuzt+7NCXzS65XZELt:K4zbWcDVwt230hfs+x+Bb65X2
MD5:	BAFB105BAEB22D965C70FE52BA6B49D9
SHA1:	934014CC9BBE5883542BE756B3146C05844B254F
SHA-256:	1570F866BF6EAE82041E407280894A86AD2B8B275E01908AE156914DC693A4ED
SHA-512:	85A91773B0283E3B2400C773527542228478CC1B9E8AD8EA62435D705E98702A40BEDF26CB5B0900DD8FECC79F802B8C1839184E787D9416886DBC73DFF22A64
Malicious:	false
Reputation:	low
IE Cache URL:	https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff
Preview:	wOFF......Mp.......P........................GDEF.......G...d....GPOS...............hGSUB............7b..OS/2.......R...`tq#.cmap...........L....cvt .......T...T+...fpgm.......5....w.`.gasp...@............glyf...L..:+..j.....hdmx..Fx...g........head..F....6...6.j.zhhea..G........$....hmtx..G8...]......Vlloca..I.........?.#.maxp..Kt... ... ....name..K........t.U9.post..Ld....... .m.dprep..Lx.......I.f..x...1..P......PB..U.=l.@..B)..w.......Y.e.u.m.C.s...x.h.~R....R.....2.x.....[....#N..m.m.m.mfm....SP..NuM..9]..=.U..!...[........w...\|......^p....H......;...)..........;..EoDo....E.E.D...`.0.GG.aA.H.V.Mx\xA....../..d3.Eb_.J...R.^v........\^ob.}.z..k.x).v$f$..O)+.2..*....y}6`C6b.6cs...l...........!.........<..\|.\|..\|..\|..\|.\|....o....I%.4.L.SI.&C.6..!`...{...c..\.J.(.2.C....V.A..?.M<nG......v..m.;..R.C..aj.H...=..{.>.:.....}i_Y......:....o.&k..KY.2..6k....i]..{,.p}../.....VO3.o].fJ....R-TZ..;...RN..&V...C...3.?.......&..z.s&.D....r,.I...t.R..a$k..Mm..Y.U...+b.%kQ..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cb=gapi[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	100406
Entropy (8bit):	5.525672610215441
Encrypted:	false
SSDEEP:	1536:pIjKdByen4KOw9McPis5wfmYW23KeCTgXYH1mUQIaJmJdQQOJtTY2O2s+od3E0:pxByen4m23sg41mU1mm7POvY2O9d3E0
MD5:	F703AA01FA1649D14950B7E4539DF1C2
SHA1:	78314DD487CF0AFD139D085B8873EBE12C3D6E3F
SHA-256:	090B52C2D41BE76825F837CF93B9CEA34F43A43D619B5B5EEBDAD5A0D9BA23CC
SHA-512:	8859F09D9059A36E6A90CA164F7FDD2BBABD7FA8FDABFF38C36F3156EE56C7BBE6627F1FAF9A7EADDE99916DF4220CCBCCB504412501D80FED67B752F5566B54
Malicious:	false
Reputation:	low
Preview:	/* JS / gapi.loaded_0(function(_){var window=this;./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var ja,na,ta,xa,Ba,Da,Ia,Ra;_.ea=function(a){return function(){return _.aa[a].apply(this,arguments)}};_._DumpException=function(a){throw a;};_.aa=[];ja=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};na="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.ta=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};xa=ta(this);Ba=function(a,b){if(b)a:{var c=xa;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&null!=b&&na(c,a,{configurable:!0,writable:!0,value:b})}}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\desktop_searchbox_sprites318_hr[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 40 x 124, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	779
Entropy (8bit):	7.376883204451902
Encrypted:	false
SSDEEP:	24:36kAKAyMhGb5AHgK7+Wpf3sNQV34DVvN9sck:3vAKzVb5wuo3+1Jxk
MD5:	03E471800AFFD719388000AA2356DE1F
SHA1:	42E718342BD7F6EDF4899E161A77452DCBAC68F5
SHA-256:	BC23B3B207E8FA55B0C65A00F3FED491FA9EB5B1B39D159E7C4921BD331135EC
SHA-512:	BFA4329D35568F4F50AC2B05917AECB4AD3A4A69F8B7248E6D39CEA94F90C231B022C705ED1255F930271DB2BF5286F4B24BE6756A61E928B0D0723747D40081
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/images/searchbox/desktop_searchbox_sprites318_hr.png
Preview:	.PNG........IHDR...(...\|.....,?.....{PLTE..............................................................................................................................5...)tRNS.......`..0. p`.. ...@...p.P.._.@P0.o@P.\|:8.....IDATx.....0..a...,'....9jz...S<..#.'...O..-e....n`.X...M^.ka..r.....:...'@.WCA.G.F`[i...r.X.....,....`..2`../g.<...:.Cg@ ....M...@w.C..ix`o...8.....?..@..Z.r.@.Wf..,.......z.....~B...y~.b.je]_...p......:YR.....4W..{>.}r%.~..$..........C.B..@..;....p.......4.gg.Muo...;B4..#.....5L..F.j..F.5...\|.'x.`.O.-,-...:.....'....~.....,uj...y\|......v.....b..;......./kfm...ck'2.".....b&aru..@b.B{h.&.H.7:.)..d.W.\z...{......a.Bx_...<.?..M8C....,8.....S....T...... .Y.n].A~.j.Pt*KNe.,:.'..J.M.......Wt.#)[..w....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nav_logo299[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 167 x 410, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	7952
Entropy (8bit):	7.93179676106173
Encrypted:	false
SSDEEP:	192:bQ8ePIaxbsTeABjAzGp1GiE7SVXto6QASgpmDK9a:bkPdsaABjAzc1GbOhhQASgpdI
MD5:	D5EA698739C83D806F561C1E13D6C7D9
SHA1:	D4AE66F91282E794A966559795C169977156ADF3
SHA-256:	B27CD7827CD201E80B3DC43E789C284FC5F7C457678A3D6908C61C39A0CBE336
SHA-512:	FEEC93D40AA4318EA41F5697D77F7223EC6EB831A547E9F35AC542B484607713964A36F42E5FC32F43B70FAEAD102EBB504AB0C67F5624C5440B5DC79F96DF05
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/images/nav_logo299.png
Preview:	.PNG........IHDR.............j.S+....IDATx...x.G..'.#....-.IQ...2333..!Tfff.C......$.........X.ko..=..s.k.....I..V....Nn..M...$w..$v.U%...N].H...CQ.zy.\|....5.g@[.&.v.3...Hu.J@.......v.......Bee........)>.@.3.U..B....F.].s.g.V .Ex.v..N.PQ.z.b......M.db0.....UT%~.....p.OE...`U....a%.;...zX..w,..0.#.\|......o...5.o.w.....t._.v..K......$......3G8..........N...A.b&..\z....g...x..Lp6.\.Y.^..-.#.\.&...&B.y+-!.........~@...vsl...t=...8....}.2...t.B...<....;/..Pp..H`TK4p8i..G6E.,.$_./...JG....'..KFv4.r@.pU.Z...X);..f.Pm..@..E.?.B.7...5G...G.G5E.;5.)[.Hw@a.4.N.h6a..d^......k.c..)..... .NS4....7.D..@.2..$:....._Z..;f6.. .. ...M..'../#..i.7J...a........./m....GS$...H..@.......hA.I...E.\$...].w.........i......."..".D....{............i..w.s....@..8!..9,...c...h..w.R@..ZPa....3.f.q n..*.....(a .@....:<..H.H..t......Y.^..q......;..`...%...V...)Z.IS..:.M....H`..Bb'....~2... .@l.>.u..@,0........~.c.6..G..6G.....#...0.......F.~3.J7..P.!.........t v.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\Chrome_Owned_96x96[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	6177
Entropy (8bit):	7.941892268309048
Encrypted:	false
SSDEEP:	96:iYr3dN0F+QXKWXPTdNVeVTGTe+24Usw2i2DDF2ryznZE4OYF3ETHKI2HAr9UXPDf:iY8FXrf5N2TuB2Rvc2ryzZhtG7drgb
MD5:	C101133ECB2D66F0EA98131267D2A10A
SHA1:	8C038B9B39FA23E0AD2226F0016BF51FA0B86E37
SHA-256:	E3654539251DF82D59096E81C875D1244FFB7AB92DBF3CE26F63F675121D8918
SHA-512:	751E9BFD75D1685A490972FE0D40FDBCDA97607F6A500D051B400B002ED8C1D7CF9DAB019388B74796C9AFEAED4E317AC6B40A7E936D234536AEB0CB6C0D8434
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/images/hpp/Chrome_Owned_96x96.png
Preview:	.PNG........IHDR...`...`......w8....IDATx..]y....}..-.z.....P#" (.q....K.K..`.'9N.q.sb....1F.1..".D..3.!.5...EQ......M.....?...o...5...y...W..}....8<.....8<.^.._/l....Q.....5[.C3@f.a{.......B.P...b........S0o...Qg...].b.N....(1.6.....I(.D@.....L..q.q2...8I.6.mP(.VF.^..$.....W.........%..\|...@.h...6E.-I@>...%.H.l.w.8.H4y..=....K..qX_...J...........`.~....m.6.:y...;.'..j.6_....~....MV2.".os.[.J....P .D..B.;C...7.........,.....9...Vb.E.)"....A...m...{.}"...+....mW_....=.G...1...........H..4....z..I...#.=rgR.O[.(......<.....@.."..ig..&wv.?0..q......W..M.pi.....zj...oA<z.GWm.5V............"\ .9':4.....}.....=......mPo.q.....p.....R.....v.BQ?.....a..w;~....t.!$`.E!3..QJ....(".....y_.! ...A..........CN...#.#.OJ4v..H..P..Q..a! e....q..\<..mH>`...CM.*..8.YC.H.2.......`....k5.~.n..!!`.....I..X.<1.&A.......R6....a.@.#..~@.`I.&..^t.....3./..K.....W.DM...k.E...~.9w.T.^..c_..\)..\......z..R......#.@...o_z.....9.g:...A......5S...-.u..(.1.(....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\callout[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	31662
Entropy (8bit):	5.747982157852498
Encrypted:	false
SSDEEP:	768:3x/d9SvRu3Ys0ZQrzmfnoV/iMbJlFYtzFYHgqGQPFJ/N4F96iOXw:fb0ZQQno9iMXgq91yOXw
MD5:	045DB46E10ADD79F63E53D1273367FA4
SHA1:	BAB5BD004ED476527348E3878BDF44D4D3BFE23F
SHA-256:	098A22593A51D44D87A5F005A6B910A2025FBAC40FF3DF1B8C65B6C42A72A537
SHA-512:	1BE2593368A24967E141D9BB9E7AF04D8DB9828AD9638D8D38E1F7C9AF7C8861C1CCC97FD3A3AB4DF3A2CC94E2510A1AC757807244189EDC6F58B5A5976320B5
Malicious:	false
Reputation:	low
IE Cache URL:	https://ogs.google.com/widget/callout?prid=19014989&pgid=19011552&puid=b29a01365649289&cce=1&origin=https%3A%2F%2Fwww.google.com&cn=callout&pid=1&spid=1&hl=en
Preview:	<!doctype html><html lang="en" dir="ltr"><head><base href="https://ogs.google.com/"><meta name="referrer" content="origin"><link rel="canonical" href="https://ogs.google.com/widget/callout"><link rel="preconnect" href="https://www.gstatic.com"><link rel="preconnect" href="https://ssl.gstatic.com"><link rel="preconnect" href="https://apis.google.com"><link rel="prefetch" href="https://apis.google.com/js/api.js"><script data-id="_gd" nonce="ipJ4kZl77JBvqm2Q1K42Jw">window.WIZ_global_data = {"DpimGf":false,"EP1ykd":["/_/*"],"FdrFJe":"-2243371911093619694","Im6cmf":"/_/OneGoogleWidgetUi","LVIXXb":1,"LoQv7e":true,"MT7f9b":[],"NrSucd":false,"OwAJ6e":false,"QrtxK":"","S06Grb":"","S1NZmd":false,"Yllh3e":"%.@.1606794297485069,179603536,1124516962]\n","ZwjLXe":1,"cfb2h":"boq_onegooglehttpserver_20201129.07_p0","eptZe":"/_/OneGoogleWidgetUi/","fPDxwd":[1763433,1772879,1782333,45695529],"gGcLoe":false,"ikfjnc":["https://www.google.com"],"nQyAE":{"wcLcde":"false","tBSlob":"false"},"qwAQke":"OneGoogl

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\i1_1967ca6a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 528 x 68, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	7325
Entropy (8bit):	7.921402686202911
Encrypted:	false
SSDEEP:	96:6pOxoZD8O12dRpcKvaOHkkm6t+CGiRFJhtkAZqo/2e6NRIHZHOAZ0MnPp1cUANcW:+D525cKvPBt+3wPkiXLP7W97H
MD5:	063ADA405398FB5D6F1E2C3B5FB0EF59
SHA1:	E8D110B196C504D1D48D0C864411223CC3604F18
SHA-256:	A0E3B4584E7C0EB991BD5668A7495674DADCCD5D1261DCBA749D03700C5BCEAA
SHA-512:	F06B9BCF20A273E8A4CFC2C05B94D0B1A263DD3A485CCD6E14E748274734E03966DCD199A0E366B40D4C2327EBA45D181F767713471AE9377289EFEBCD3D3A71
Malicious:	false
Reputation:	low
IE Cache URL:	https://ssl.gstatic.com/gb/images/i1_1967ca6a.png
Preview:	.PNG........IHDR.......D.......A...dIDATx....l.W....EI.lK..Dg..L.+em...8..Yz..W.m.....-...z.Eze...fz.ki....z......0mw.-....x.<....."...`<o....G.+W.S7.p....m.s....?.C.QC.*.)..+W. .{.-'....7;;..xvzzz..a......8.RE..D..r../y..t.....CETG..X.....333/p.W.=#D..si......UG.^.1.%.....@..B...Tj..o....u.n..fX....."..T.q.........b......9T..b.e.EY.T@....k....s...g.....M7..)..~.D.q..C..'..j..".(.......D:...W.+.=x.2... 2....r..v......@.a..>.%..Fx...JxP.9@<........%@.~..".B....F.......[p.........@....8.k.u!.s%7...a=&cZ.v...r.x..~w....>.s.:."n..r.Dp..%....E.P.eD.2.........!...o..G.._..'>.Q[.........3....U..Q.y..Dj.a...<....'N..>.s..uW7..9.TxX...:.O..}....YS..@..1.,F1..GFF..?L..9..z..K.fy+....:..,..U.......!A4~@..[$@@,,,.u...w.u....5....v}.....?K.>...y...Q..t.@H0.`........ME.>...d.<H(C.%3.[.....i....Cf......cf.}....l~.>......Y...X.Y....B..Oh....... .....O.K.....E....X..w~.w.$..+.J.^.Y._.;..APzq..0...+..C.....@...k....o....Q.\...X...J.y4`V..+...b..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\robot[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 171 x 213, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	6327
Entropy (8bit):	7.917392761938663
Encrypted:	false
SSDEEP:	192:fqjwqVtaVHyEy9BWc2AwJ+3qg1f6WUBIT8mIKPNc93Y8Nm:Yk3WBkAkg1CWUCwmIKS93O
MD5:	4C9ACF280B47CEF7DEF3FC91A34C7FFE
SHA1:	C32BB847DAF52117AB93B723D7C57D8B1E75D36B
SHA-256:	5F9FC5B3FBDDF0E72C5C56CDCFC81C6E10C617D70B1B93FBE1E4679A8797BFF7
SHA-512:	369D5888E0D19B46CB998EA166D421F98703AEC7D82A02DC7AE10409AEC253A7CE099D208500B4E39779526219301C66C2FD59FE92170B324E70CF63CE2B429C
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/images/errors/robot.png
Preview:	.PNG........IHDR...................WPLTE...z..z........2........W..{..V........z.....2..3.....V..2..................W.....>`......tRNS.............................Y..j....IDATx....BcI.@A.s..HX....k.0c...T.?n./.~....b....GM.Gu.c...?.{5.5...4.'.o<...i.O.n<.f..?).g.&..8.E4..tl.4.G.o4.....'.....\......._ ...../.~..<......../.~^.}...?...~...Z../.~.]._ ...I. .Q.Y....YQu..i..4.._ \|S...A.-.-h...9...o...k.....9o..?N.U,../+...Z.y...nbMu....4O.7>..Y.-L=J..q..`.B^{4~.p...bR.j.....Gq=..]&..7Y)G6.....A.h`i]...Pd.'.7....9.2...2x.........&..a0N..By.Y.C..S......nR.-..A[5.....\|.p...+v...d\e..]Yq;.&q0..F.c.....p3.&.`..!q..}...k.g5n#........NG-.9...C..[.7.n.v..u......{o.C&n!.(.G7.JA.'6..{(<....p....:..!=..1.f.."..n.8....~o..N.3l..p.[..........r..6..z...(.g1qA.[....q.v+..&...B{.I.\..-.....S.y&.......J.Wn!\|D.....+...y.....9.......> .j......{.....K\X.n!..e.I.+'...j...-pA.[..2...8g.DO.#.?p.. ....-.w5.d......4....n..!q..=..Gu.X..O.........sN.h.q..n!..qP

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\rs=AA2YrTuQ20Y1DxiLuszzs3iGhNldxe3INA[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	189264
Entropy (8bit):	5.501567695816113
Encrypted:	false
SSDEEP:	3072:TR2aJNJqV+dKh1UWUGqEf/X6/BSHZQAyYHRBUJrFm/cm2:gazJg+dKkUZ2
MD5:	E2AF0443DA76B76ADD9D1BFAE6766A89
SHA1:	BFF5BB888D64613512E1421A575A3466B36C60A1
SHA-256:	AA3C7DCD34335E1E39AC96D32F0437851992F58B722D31E52850B5C6811DB087
SHA-512:	50DD7ABE03AC666E2216D0B7FBCED6777225DC7D84427550E6B73C63F726FFD99BD1D4F71D87AD923EAD0B6CA6942B2E8E28D6BBAFD9E58111619314857190DC
Malicious:	false
Reputation:	low
Preview:	this.gbar_=this.gbar_\|\|{};(function(_){var window=this;.try{./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var Jg,Ng,Wg,Yg,ih,Zg,ah,$g,dh,bh,Xg,jh,kh,ch;Jg=function(a){return Array.prototype.concat.apply([],arguments)};_.Kg=function(a){return _.Jd(a).toString()};_.Lg=function(a,b){return _.Re(a.o,b)};_.Mg=function(a){return new _.Fd(_.Dd,a)};Ng=function(a,b){if(a){a=a.split("&");for(var c=0;c<a.length;c++){var d=a[c].indexOf("="),e=null;if(0<=d){var f=a[c].substring(0,d);e=a[c].substring(d+1)}else f=a[c];b(f,e?decodeURIComponent(e.replace(/\+/g," ")):"")}}};._.Og=function(a,b){this.$a=this.D=this.o="";this.C=null;this.A=this.F="";this.B=!1;var c;a instanceof _.Og?(this.B=void 0!==b?b:a.B,_.Pg(this,a.o),this.D=a.D,_.Qg(this,a.$a),_.Rg(this,a.C),_.Sg(this,a.eb()),_.Tg(this,_.Ug(a.j)),_.Vg(this,a.A)):a&&(c=String(a).match(_.Ke))?(this.B=!!b,_.Pg(this,c[1]\|\|"",!0),this.D=Wg(c[2]\|\|""),_.Qg(this,c[3]\|\|"",!0),_.Rg(this,c[4]),_.Sg(this,c[5]\|\|"",!0),_.Tg(th

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\so[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	46876
Entropy (8bit):	5.721281917917302
Encrypted:	false
SSDEEP:	768:/Ym/d9SvRu+2oM0nbvfnoV1BDEp3lQPFJ/N49REO6h+V6nN9MI:t2MmnoDFEp3E1KREO6h26nN9MI
MD5:	F4A3A62E3F65208F9E1B0BECAE9D1C34
SHA1:	585C1C7C6CF5C010D1C690F6EFD0EA95255FFE9A
SHA-256:	0613336DECCCAAA0F945A95321EE0D8C9B8E9BB3F3F62AD266894A9B829F014F
SHA-512:	92949689C73355CC61A368BC0A355B2F5BE5E5211CE7396B7FD2DE10E5E649B132BC19EE39C61EC2770C88DB9922BB72092238C03B65F0ED237823E3A508B315
Malicious:	false
Reputation:	low
IE Cache URL:	https://ogs.google.com/widget/app/so?origin=https%3A%2F%2Fwww.google.com&cn=app&pid=1&spid=1&hl=en
Preview:	<!doctype html><html lang="en" dir="ltr"><head><base href="https://ogs.google.com/"><meta name="referrer" content="origin"><link rel="canonical" href="https://ogs.google.com/widget/app/so"><link rel="preconnect" href="https://www.gstatic.com"><link rel="preconnect" href="https://ssl.gstatic.com"><link rel="preconnect" href="https://apis.google.com"><link rel="prefetch" href="https://apis.google.com/js/api.js"><script data-id="_gd" nonce="mgsepnH+WLuuiPB8sCcpmg">window.WIZ_global_data = {"DpimGf":false,"EP1ykd":["/_/*"],"FdrFJe":"-3659694503391355785","Im6cmf":"/_/OneGoogleWidgetUi","LVIXXb":1,"LoQv7e":true,"MT7f9b":[],"NrSucd":false,"OwAJ6e":false,"QrtxK":"","S06Grb":"","S1NZmd":false,"Yllh3e":"%.@.1606794297543869,173286481,990113001]\n","ZwjLXe":1,"cfb2h":"boq_onegooglehttpserver_20201129.07_p0","eptZe":"/_/OneGoogleWidgetUi/","fPDxwd":[1763433,1772879,1782333,45695529],"gGcLoe":false,"ikfjnc":["https://www.google.com"],"nQyAE":{"wcLcde":"false","tBSlob":"false"},"qwAQke":"OneGoogleW

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\QCHAMIQX.js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	218266
Entropy (8bit):	5.514713916592285
Encrypted:	false
SSDEEP:	1536:qIrbqxxxQoDiR+uX+E4UBgg6lNisnkHgotrbxQxHhAa1hygP65PQI6VXKOB+oBFW:XH1OmBgNcbxQxH65eVBDeBIiyEJf
MD5:	4A7CAC8D001A6842D37EF1E668B9656F
SHA1:	8A1048FA92C198D5D36CC452715AD54458D40162
SHA-256:	F0A1F2AEAB8E584947BD2AF082D4E1420F57F8FE8C16F0B6EB84C7644C497877
SHA-512:	2F33DDD66BAD1053EE0BCFE74B4B00D6A9133DA36AE2B2008F00E16679C925D308C533E110A7368BFDB2DD61D988F27F173334A4A3F0BA5C45668CF3CB2BC3CC
Malicious:	false
Reputation:	low
Preview:	"use strict";_F_installCss(".KL4X6e{background:#eeeeee;bottom:0;left:0;opacity:0;position:absolute;right:0;top:0}.TuA45b{opacity:.8}sentinel{}");.this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi\|\|{};(function(_){var window=this;.try{._.uB=function(a,b){return a==b?!0:a&&b?a.width==b.width&&a.height==b.height:!1};_.r("sy2e");./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var wB;_.vB=function(a){_.si.call(this);this.g=a\|\|window;this.i=_.fi(this.g,"resize",this.s,!1,this);this.j=_.af(this.g)};_.H(_.vB,_.si);_.xB=function(a){a=a\|\|window;var b=_.va(a);return wB[b]=wB[b]\|\|new _.vB(a)};wB={};_.vB.prototype.Pa=function(){_.vB.Gb.Pa.call(this);this.i&&(_.oi(this.i),this.i=null);this.j=this.g=null};_.vB.prototype.s=function(){var a=_.af(this.g);_.uB(a,this.j)\|\|(this.j=a,this.dispatchEvent("resize"))};.._.u();.._.r("n73qwf");./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var yB=function(a){_.si.call(this);thi

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\december-holidays-day-1-6753651837108829.4-law[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 500 x 180
Category:	downloaded
Size (bytes):	112546
Entropy (8bit):	7.820680787857715
Encrypted:	false
SSDEEP:	3072:FUlgvSaEHtCq2FqVRVDLzuypmqm87RRshKA:FUUWjZSw5ycA
MD5:	857C7581A63C3E4C66F427D3BCF508EB
SHA1:	41CBA85674DC60C5E940B11915D99B00CA6E6FD6
SHA-256:	F2420E6ADB55AEFF970A3E240E1B95A5AF62F10FD8882D936A8AFD2718826E30
SHA-512:	B217352E64F6D7A91B9942B897156BEE6C3D4AE3576D07E9AB02AD0FF67257A04AEE451E9499EAE13890A40E532A72E31D51FCF701384D0E1D084D286DD678E5
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/logos/doodles/2020/december-holidays-day-1-6753651837108829.4-law.gif
Preview:	GIF89a..............3%(O']`^S........./....M).h.m.m..m.hMv..T1..GiE..q..."..-.......UH.......]..L....ti.......f......1..f...j....$D.Gw..N&`.h.UJ.hNo....]v...N.Q..t4.B......)k6...D..3..}..f.f....D5...n..3w.M.g...g..S..J.......bR..u......$...J...R.l.........N.nsos@....gZ..].&v.\|H.U....Tv[s.P.j.h.K.....A$0.....p.........I....+.)..P........(...n...&w....jgwf.".;._.P.nO.h2.w........{..u..........T.3.n@R?.q..D.U...2N...2.j;..!3".......2..byN0.f..Uf.j1V.....U........A`~..5..L....6D...B`.UU....D3K/T.....".....fBa....?.j.6Nw3.U!w...4.Qp3w........D4......3.U...U..D..".D.................D....""f..............U3V............<....D"....".U33.D_.......8w.".U.3U....D..!.U.".D"......"w.........U"..4..............."....U.3.D........D........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c002 79.164360, 2020/02/13-01:07:22 "> <rdf:RDF xmlns:rdf="ht

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\googlelogo_color_150x54dp[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 150 x 54, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	3170
Entropy (8bit):	7.934630496764965
Encrypted:	false
SSDEEP:	96:c2ZEPhMXQnPkVrTEnGD9c4vnrmBYBaSfS18:c2/XQnPGroGD9vvnXVaq
MD5:	9D73B3AA30BCE9D8F166DE5178AE4338
SHA1:	D0CBC46850D8ED54625A3B2B01A2C31F37977E75
SHA-256:	DBEF5E5530003B7233E944856C23D1437902A2D3568CDFD2BEAF2166E9CA9139
SHA-512:	8E55D1677CDBFE9DB6700840041C815329A57DF69E303ADC1F994757C64100FE4A3A17E86EF4613F4243E29014517234DEBFBCEE58DAB9FC56C81DD147FDC058
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png
Preview:	.PNG........IHDR.......6.....%.`....)IDATx..].pT..>.l......b..(Hv7 D7.n.8....V..H_.R;S.hY`w.(...N_R."0`.-.A..\|.N..`....n..{.&..l.o..;.....a....d..$.................J.1......7+.c...o..T/.~V.r.....D..G.Ic.....E_.FUR.&..U%...X.4!!Q.H";......e(Ic...$..."1..jR[.L..../Ek.}AH...W.L.V....Y..S..q...!._r.D....G,%...Hu.$q..\.j.x...G.....]....B.i.I.+B.....Hu.....Q...K;...J.q..._......_.x....A:......j....:c...^.....k=GIj..Y]B.V..m...Y.\....$..!....+.R%..U/;p.....R4.g.R...XH.3%..JHHby.eqOZdnS..$.. ....dn...$.w....E.o.8...b@.z.)5.L4\|.F...9......pP.8.\|....-.M..:..ux...7.]...'..(q..~.....KQ.W..,b..L<.Y.].V+....t4.$.V.O.....D.5..v.j...Hd.M....z.......V..q.p.......;:.J.%2.G.;./.E...!.H. ..../Dk.8.T....+..%Vs4..DC.R.`..Z..........0.[)N!.....%.>&.b.$.M....P.!...!....'Kv..Nd...mvR.:.L....w..y%.i..H..u....s.Se1.[.)."..)%.I.....(.#M..4.@....#.....X..P<...k..g....O..I..>-...'._.Q..T.y.=Z.GR{]..&t}......>J..!,..X6.HC..$.:.}..z...._b.b.4.E.....;.Ha.?s.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\m=Erxfzf,GPhFgf[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	28336
Entropy (8bit):	5.428152332119371
Encrypted:	false
SSDEEP:	768:zLo3w5HZK1UnA/0K7xDkChVfgJgM2XOR5:zLhApkOKJgM2eR5
MD5:	67E1BA464FC74E42122E7F905DF3C4BF
SHA1:	DBC37EDE31D0F64C871BD93CB32920FED3A99972
SHA-256:	41F70CE8468327E65CCABF3B422C866BFFF40DB13782C0D2D03057D11E4FC2D4
SHA-512:	CF38E2CB790960EBF0D5785DB21BB26A7458D1C2F6319873E9614D6329D00325E6B1FF3447F08B3E2A9EFC37876BCC1697DCCB5DDF2424D84E29261283CF5375
Malicious:	false
Reputation:	low
Preview:	try{.s_f("sy56");./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var s_u2a=function(a){return(a=a.exec(s_yd))?a[1]:""},s_v2a=function(){if(s_Ae)return s_u2a(/Firefox\/([0-9.]+)/);if(s_pe\|\|s_qe\|\|s_oe)return s_Zga;if(s_Ce)return s_le()?s_u2a(/CriOS\/([0-9.]+)/):s_u2a(/Chrome\/([0-9.]+)/);if(s_De&&!s_le())return s_u2a(/Version\/([0-9.]+)/);if(s_3ga\|\|s_Be){var a=/Version\/(\S+).Mobile\/(\S+)/.exec(s_yd);if(a)return a[1]+"."+a[2]}else if(s_4ga)return(a=s_u2a(/Android\s+([0-9.]+)/))?a:s_u2a(/Version\/([0-9.]+)/);return""}(),s_Jl=function(a){return 0<=s_pd(s_v2a,a)};..s_g();..}catch(e){_DumpException(e)}.try{.s_f("sy55");./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var s_w2a=function(){if(s_Qga){var a=/Windows NT ([0-9.]+)/;return(a=a.exec(s_yd))?a[1]:"0"}return s_ue?(a=/10[_.][0-9_.]+/,(a=a.exec(s_yd))?a[0].replace(/_/g,"."):"10"):s_ve?(a=/Android\s+([^\);]+)(\)\|;)/,(a=a.exec(s_yd))?a[1]:""):s_we\|\|s_xe\|\|s_Sga?(a=/(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\m=_b,_tp[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	155206
Entropy (8bit):	5.479607084458
Encrypted:	false
SSDEEP:	3072:I0vYq4idxwGdW1mokLRjgb2zO2tGBNm2yeHiJ:LdeGguRXO2kBNmBeCJ
MD5:	301BCFF5161646D5FFF5339970528EB4
SHA1:	DE148C04790E643FCD2473FA7CE47A0628BE16FD
SHA-256:	E4CE253817710274AC19940303F0EFDFC56BA330E8B65CE10057A6B727D3E87E
SHA-512:	C36165656DA73632C368FC547BEEE53E0E4E4EC2AA8F21D03CB16E0FC5696CD46755D47B63DDE130E568F36B1C3C3962618CD686F338DA2FE60C7DE1DEE25CAC
Malicious:	false
Reputation:	low
Preview:	"use strict";this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi\|\|{};(function(_){var window=this;.try{.var xa,Ga,Ia,La,Ma,Pa,Qa,Ua,Wa,cb,gb,jb,Eb,rb,Ib,Lb,Nb,Wb,aa,Xb,Yb,$b,bc,cc,fc,gc;_.p=function(a){return function(){return aa[a].apply(this,arguments)}};_.q=function(a,b){return aa[a]=b};_.ba=function(a){if(Error.captureStackTrace)Error.captureStackTrace(this,_.ba);else{var b=Error().stack;b&&(this.stack=b)}a&&(this.message=String(a));this.g=!0};_.ca=function(a){return a[a.length-1]};_.da=function(a,b,c){for(var d="string"===typeof a?a.split(""):a,e=a.length-1;0<=e;--e)e in d&&b.call(c,d[e],e,a)};._.fa=function(a,b,c){b=_.ea(a,b,c);return 0>b?null:"string"===typeof a?a.charAt(b):a[b]};_.ea=function(a,b,c){for(var d=a.length,e="string"===typeof a?a.split(""):a,f=0;f<d;f++)if(f in e&&b.call(c,e[f],f,a))return f;return-1};_.ia=function(a,b){return 0<=(0,_.ha)(a,b)};_.ja=function(a){if(!Array.isArray(a))for(var b=a.length-1;0<=b;b--)delete a[b];a.length=0};_.ka=function(a,b){_.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\X0YR3RNF.htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	195278
Entropy (8bit):	5.665910429844535
Encrypted:	false
SSDEEP:	1536:1CLskJcz0GXj9jHk+WWUzdDyGf814a/bqcfN3Pl/vV30LeylyVHfVIxK0WC4Keh6:+ytF2Ds1B7G8Vxc4KeZRH17rD6B
MD5:	376E62C96DA3055627B50823D7ED4CAE
SHA1:	AC743DA14431344E77125A5F1063C17FBB86E05D
SHA-256:	65D06931564AAD9A9611F5904186DC0AF9B616D705457E3645BD13DE84643C45
SHA-512:	57E7F866CE67ACDC1B2FED6F9716DAE73002B171C0A822283A3D40D05A3326EF93052F90002D865EB8899929D561CA4F6AC361B669044406CC4BC76CBC14A4C4
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/
Preview:	<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="IE=edge" http-equiv="X-UA-Compatible"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta content="origin" name="referrer"><link href="/manifest?pwa=webhp" crossorigin="use-credentials" rel="manifest"><meta content="/logos/doodles/2020/december-holidays-day-1-6753651837108829.4-law.gif" itemprop="image"><title>Google</title><script nonce="+YZTOT6PdEMU4tDw2trH7w==">(function(){window.google={kEI:'NrzFX9mlNIK0gwewwomwAw',kEXPI:'31',kBL:'5Uqh'};google.sn='webhp';google.kHL='en-GB';})();(function(){google.lc=[];google.li=0;google.getEI=function(a){for(var c;a&&(!a.getAttribute\|\|!(c=a.getAttribute("eid")));)a=a.parentNode;return c\|\|google.kEI};google.getLEI=function(a){for(var c=null;a&&(!a.getAttribute\|\|!(c=a.getAttribute("leid")));)a=a.parentNode;return c};google.ml=function(){return null};google.time=function(){return Date.now()};google.log=function(a,c,b,d,g){if(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\f[1].txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	736
Entropy (8bit):	5.033570565067827
Encrypted:	false
SSDEEP:	12:I/nEngBSOXOuJtSOXQMEHbSOXu7LSOXPmASOX2kiSOXK1OVKSOXvaRgSOXak4hqw:I/EngEQR4QQFHeQTQ+tQXnQK1OVfQvaj
MD5:	D4A6EFDBB2F1C1362799EB9103FCE30F
SHA1:	5464C62944FC19FB8776501058EC982229FF4B6F
SHA-256:	A24C255143435F356F6CF04E0D667DEF2FE59899D163741EC799B200D97B48A1
SHA-512:	410E00C24B0BA5FC84C9FD946FADED75667F83DE4F0E0B0A3384923336864CBBF3068EFF96C4A3716144755930A887A3BECC8017DB02025AB05ACAECC90D98B6
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en-GB&authuser=0&psi=NrzFX9mlNIK0gwewwomwAw.1606794296592&nolsbt=1&dpr=1
Preview:	)]}'.[[["pok.mon go legacy 40 challenge",0,[362,143],{"zf":33,"zl":8,"zp":{"gs_ss":"1"}}],["full moon penumbral lunar eclipse",0,[362,143],{"zf":33,"zl":8,"zp":{"gs_ss":"1"}}],["uk eu brexit deal",0,[362,143],{"zf":33,"zl":8,"zp":{"gs_ss":"1"}}],["sony playstation ps5 console stock",0,[362,143],{"zf":33,"zl":8,"zp":{"gs_ss":"1"}}],["cryptocurrency bitcoin price",0,[362,143],{"zf":33,"zl":8,"zp":{"gs_ss":"1"}}],["deepmind ai protein folding",0,[362,143],{"zf":33,"zl":8,"zp":{"gs_ss":"1"}}],["set for life results national lottery",0,[362,143],{"zf":33,"zl":8,"zp":{"gs_ss":"1"}}],["jack sparrow house quibi",0,[362,143],{"zf":33,"zl":8,"zp":{"gs_ss":"1"}}]],{"ag":{"a":{"8":"TRENDING SEARCHES"}},"q":"kyNU9YG3Q3209ZP_3aHlea_tpCE"}]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\m=NBZ7u,aa,abd,async,cvn5cb,dvl,foot,ifl,lu,m,mUpTid,mu,sb_wiz,sf,xz7cCd[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	165290
Entropy (8bit):	5.526562181748252
Encrypted:	false
SSDEEP:	3072:95GALqeWtQaXKW0tyBW0ejrn1FKYHtIja5QlZYwlBv:90AWeWzXKW0tyBW0MFqfYwb
MD5:	A0B0E9B95A04348DD6866DBC8CABD7C7
SHA1:	91CDE8146DBD986555AF487B381F4C47D5836B99
SHA-256:	0200A3E3E5491B4A018FBC3100A9E879FBF742193148F81399A133DCE5E0C956
SHA-512:	051208FBA8D763EF6914DBF0F5809679F77EF5CAAC3768C11E130EECAA28BE249BDF6B2F40332D8F01E69E8FA6386FBA1B3A95DBDF7D1DF40D90D932A4AB1153
Malicious:	false
Reputation:	low
Preview:	try{.var s_Ly=function(){return void 0===google.u?null:google.u},s_oic={name:"LH"};s_f("syj7");..s_g();..}catch(e){_DumpException(e)}.try{.s_f("sy11k");..s_g();..}catch(e){_DumpException(e)}.try{.s_f("sy11l");...s_g();..}catch(e){_DumpException(e)}.try{.s_f("sy9g");..s_g();..}catch(e){_DumpException(e)}.try{.var s_Lpb=function(){return s_Tea(s_Jpb,function(a){return s_Kpb(a)})},s_Kpb=function(a){var b=s_kb(a);return""==b?!1:"istate"==a?"0"!=b:"imgrc"==a?"_"!=b:"flt"==a?-1!=b.indexOf(";e:1"):!!b},s_Jpb={iwd:"istate",Avd:"fpstate",Akb:"sie",ywd:"imgrc",Jud:"flt",Lqd:"aie",TAd:"pie",DFd:"trex",Ytd:"epd",CAd:"oshop"};s_f("sy9h");..s_g();..}catch(e){_DumpException(e)}.try{.s_f("sy11j");..s_g();..}catch(e){_DumpException(e)}.try{.s_f("NBZ7u");.var s_wog=s_N("NBZ7u");.var s_9O=function(a,b){b=void 0===b?s_oic:b;s_ng.call(this);this.wa=this.ka=null;this.Aa=a;this.Ba=b};s_n(s_9O,s_ng);var s_xog=function(a,b){a.ka&&a.ka[b]&&a.ka[b].forEach(function(c){var d=c.listener;c.Gy&&(d=s_d(d,c.Gy));d(new

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\m=Wt6vjf,_latency,FCpbqb,WhJNk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	modified
Size (bytes):	5680
Entropy (8bit):	5.487353832033932
Encrypted:	false
SSDEEP:	96:85VbW1oJANPultJGnrt/zxvWHxz+KFoS6DjaP30DPo14UyNzgogiCkkX/Vx:is0G32xC06Hu0GUhgi5MP
MD5:	5C689511FF9CB21C476EC9B1F30CD74A
SHA1:	A70EE98891ECDAA50B6093CED32004C618D0E14B
SHA-256:	B5365E3A991C572BD6ACB436E5C314B98EC4D9DBC0AC98EC5355A10E1C1738E8
SHA-512:	BAF6D739CC0594646B8E8FDA465424C2317F88F9A8F6F12D46318E7BF0F7EF050797DE1E81FC32CE366286E1C2B8872C42C45B73289B33BEBA2D06C62586E4CB
Malicious:	false
Reputation:	low
Preview:	"use strict";this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi\|\|{};(function(_){var window=this;.try{._.r("Wt6vjf");.var kJ=function(a){_.L(this,a,"f.bo",-1,null,null)};_.H(kJ,_.x);kJ.Dc="f.bo";kJ.prototype.Va=function(){return _.th(this,1)};.var lJ=function(){_.si.call(this)};_.E(lJ,_.si);lJ.prototype.Pa=function(){this.en=!1;mJ(this);_.si.prototype.Pa.call(this)};lJ.prototype.g=function(){nJ(this);if(this.Rh)return oJ(this),!1;if(!this.fo)return pJ(this),!0;this.dispatchEvent("p");if(!this.xn)return pJ(this),!0;this.Dk?(this.dispatchEvent("r"),pJ(this)):oJ(this);return!1};.var qJ=function(a){var b=new _.Bu(a.vt);null!=a.fm&&b.g.set("authuser",a.fm);return b},oJ=function(a){a.Rh=!0;var b=qJ(a),c="rt=r&f_uid="+_.ke(a.xn);_.El(b,(0,_.G)(a.i,a),"POST",c)};.lJ.prototype.i=function(a){a=a.target;nJ(this);if(_.Nl(a)){this.Mj=0;if(this.Dk)this.Rh=!1,this.dispatchEvent("r");else if(this.fo)this.dispatchEvent("s");else{try{var b=_.Ol(a),c=JSON.parse(b.substring(b.indexOf("\n")));va

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\m=byfTOb,lsjVmc,LEikZe[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	36245
Entropy (8bit):	5.46810808920696
Encrypted:	false
SSDEEP:	768:Rp9M8zM7TYCBtDnXUrerVdXJReqxg5BgrnsdFNRuEduuF9hp2IYhJtmUgOCZwZJ:Rp9M8zM7TNuBgrsdVuM9hEIY04L
MD5:	431AF491F28AA2B05468FDC723B36680
SHA1:	9DC8BFCF48D75B90D0121C5B249494568916CAE2
SHA-256:	B69DECE8915E41F4D2469DA37986B598629AA223C5D6D5E180A1A674A4EA80EA
SHA-512:	7DC8AB22D3B6419A80D206CA4D894479C74F59F7C5DAB12A7FBE77B83E654C68C3A921BEB09C711ECB224FB1E2BBD95DB80ECBE22224167CB1441149971FAEDA
Malicious:	false
Reputation:	low
Preview:	"use strict";this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi\|\|{};(function(_){var window=this;.try{._.r("sy2n");.._.u();.._.zu=function(a,b,c,d){a=d\|\|a;b=b&&""!=b?String(b).toUpperCase():"";if(a.querySelectorAll&&a.querySelector&&(b\|\|c))return a.querySelectorAll(b+(c?"."+c:""));if(c&&a.getElementsByClassName){a=a.getElementsByClassName(c);if(b){d={};for(var e=0,f=0,g;g=a[f];f++)b==g.nodeName&&(d[e++]=g);d.length=e;return d}return a}a=a.getElementsByTagName(b\|\|"");if(c){d={};for(f=e=0;g=a[f];f++)b=g.className,"function"==typeof b.split&&_.ia(b.split(/\s+/),c)&&(d[e++]=g);d.length=e;return d}return a};._.Au=function(a,b,c,d){var e=_.Mi(a,b,function(f){_.Ni(e);return c.call(d,f)},null)};_.r("syw");./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var Eu,Gu,Iu,Pu,Ju,Lu,Ku,Ou,Mu,Qu;_.Bu=function(a,b){this.j=this.v=this.o="";this.S=null;this.s=this.i="";this.u=!1;var c;a instanceof _.Bu?(this.u=void 0!==b?b:a.u,_.Cu(this,a.o),this.v=a.v,this

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\rs=ACT90oGnjuwwpk66nUEkpxUZ2ydCHhoN_A[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	663534
Entropy (8bit):	5.590682180114598
Encrypted:	false
SSDEEP:	6144:AV3xg3+TjZQceWP9HkD9VGpgqlDfedg6ztL5XXg7lNYkJFLR4H:J3GycqJVGpgqlDfee65VQ5NYkJg
MD5:	BFAAC84E27BE6E912D8E0AE2901065AA
SHA1:	E08E2247A3A0A60A62BD154F44BE2D63B9A5C262
SHA-256:	87175D82C55EC2108A733F3C7991AC1623A1E16AFD89151ADCA7FE3175F55707
SHA-512:	F84C5F10E32BCBFB21138CCCB51AF7B67E83C0106A092A040D123BC93CBD7D4D0B73ED4BFE88F7911F0812DB4A15EEC683D4C93C3D8E96DD9B980309EF3893D6
Malicious:	false
Reputation:	low
Preview:	try{.var s_,s_aa=function(a){if(Error.captureStackTrace)Error.captureStackTrace(this,s_aa);else{var b=Error().stack;b&&(this.stack=b)}a&&(this.message=String(a))},s_ba=function(a){return a[a.length-1]},s_ca=function(a,b,c){for(var d="string"===typeof a?a.split(""):a,e=a.length-1;0<=e;--e)e in d&&b.call(c,d[e],e,a)},s_aaa=function(a,b,c){var d=0;s_a(a,function(e,f,g){b.call(c,e,f,g)&&++d},c);return d},s_ea=function(a,b,c){b=s_da(a,b,c);return 0>b?null:"string"===typeof a?a.charAt(b):a[b]},s_da=function(a,.b,c){for(var d=a.length,e="string"===typeof a?a.split(""):a,f=0;f<d;f++)if(f in e&&b.call(c,e[f],f,a))return f;return-1},s_baa=function(a,b,c){b=s_fa(a,b,c);return 0>b?null:"string"===typeof a?a.charAt(b):a[b]},s_fa=function(a,b,c){for(var d="string"===typeof a?a.split(""):a,e=a.length-1;0<=e;e--)if(e in d&&b.call(c,d[e],e,a))return e;return-1},s_ha=function(a,b){return 0<=s_ga(a,b)},s_ia=function(a){return 0==a.length},s_ja=function(a){if(!Array.isArray(a))for(var b=a.length-1;0<=b;b-

C:\Users\user\AppData\Local\Temp\~DF24CF9591405FD0E2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	47533
Entropy (8bit):	0.545692668680378
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+vRT6h6GTZ3hXazkk35hXaz1H3k5aL65aLn9+:kBqoxKAuqR+vRT6h6kFkiH3t79
MD5:	56D920EC11F8E3804C6889378A77689F
SHA1:	B9AC2DA23AC496103BA38B1F17FD01198942DDC0
SHA-256:	5674DA2ABEAC538F6F003C170EE7E88B41D9ECBB9114749A2C8B12C954F76D05
SHA-512:	62B3B46C3C540F3FAEF8FF4D0C3F62FDB04EF8F7A98A25EC611D7E7871AF00BAE43AF85E67E363BABA7AEDB52752C062B9F153EC12A22C27292185C498E33881
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2E772EE282E37133.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4740258591926042
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loP9loP9lWG03px:kBqoIQuGY
MD5:	D2B3313FBF7F41A2A524D3F93CCC6D96
SHA1:	B0465FA680E86BF9F18A1C55D90320D376583564
SHA-256:	B552DD09CBFB2EE60D5AE9D2B446E2A620884802C0088E7F5214C6311271A91E
SHA-512:	D483626E0B829C9718C0F963D4D647C3E7DBFB45AD3B6E0A22275E0C48570993C76543D390EC0E00D3BF7E005F3332DCCA6AC10D424ABD9DD537814CE49F82D4
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3BB726D2B389D6D6.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 60
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2020 04:44:36.407980919 CET	49736	80	192.168.2.4	172.217.16.193
Dec 1, 2020 04:44:36.408984900 CET	49737	80	192.168.2.4	172.217.16.193
Dec 1, 2020 04:44:36.424304008 CET	80	49736	172.217.16.193	192.168.2.4
Dec 1, 2020 04:44:36.424439907 CET	49736	80	192.168.2.4	172.217.16.193
Dec 1, 2020 04:44:36.425157070 CET	80	49737	172.217.16.193	192.168.2.4
Dec 1, 2020 04:44:36.425271988 CET	49737	80	192.168.2.4	172.217.16.193
Dec 1, 2020 04:44:36.429352045 CET	49736	80	192.168.2.4	172.217.16.193
Dec 1, 2020 04:44:36.445549965 CET	80	49736	172.217.16.193	192.168.2.4
Dec 1, 2020 04:44:36.445766926 CET	80	49736	172.217.16.193	192.168.2.4
Dec 1, 2020 04:44:36.445797920 CET	80	49736	172.217.16.193	192.168.2.4
Dec 1, 2020 04:44:36.445888042 CET	49736	80	192.168.2.4	172.217.16.193
Dec 1, 2020 04:44:36.445935965 CET	49736	80	192.168.2.4	172.217.16.193
Dec 1, 2020 04:44:57.756187916 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.757285118 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.772586107 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.772670031 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.774133921 CET	443	49758	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.774241924 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.779004097 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.793339014 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.795341015 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.802489042 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.802534103 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.802571058 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.802680969 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.802711964 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.807199955 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.807780981 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.809509039 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.809861898 CET	443	49758	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.816926003 CET	443	49758	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.816986084 CET	443	49758	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.817033052 CET	443	49758	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.817117929 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.817162037 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.820861101 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.821245909 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.823832989 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.823880911 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.823965073 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.824048996 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.824513912 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.824681044 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.830166101 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.834367037 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.834398985 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.834424973 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.834542036 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.834573030 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.837667942 CET	443	49758	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.837702036 CET	443	49758	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.837728024 CET	443	49758	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.837867022 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.837919950 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.838550091 CET	49758	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.846050024 CET	443	49757	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.860196114 CET	443	49758	172.217.18.2	192.168.2.4
Dec 1, 2020 04:44:57.864953041 CET	49757	443	192.168.2.4	172.217.18.2
Dec 1, 2020 04:44:57.881326914 CET	443	49757	172.217.18.2	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2020 04:44:30.308911085 CET	64549	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:30.344470978 CET	53	64549	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:31.832734108 CET	63153	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:31.868138075 CET	53	63153	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:32.833916903 CET	52991	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:32.871618032 CET	53	52991	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:33.698545933 CET	53700	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:33.725627899 CET	53	53700	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:34.548789978 CET	51726	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:34.575826883 CET	53	51726	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:35.195887089 CET	56794	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:35.242177963 CET	53	56794	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:35.465684891 CET	56534	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:35.492932081 CET	53	56534	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:36.341984987 CET	56627	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:36.385616064 CET	53	56627	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:36.477996111 CET	56621	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:36.505954981 CET	53	56621	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:36.647777081 CET	63116	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:36.683059931 CET	53	63116	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:37.214515924 CET	64078	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:37.250102043 CET	53	64078	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:37.875897884 CET	64801	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:37.903032064 CET	53	64801	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:38.953083038 CET	61721	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:38.979996920 CET	53	61721	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:39.839886904 CET	51255	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:39.875235081 CET	53	51255	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:40.901830912 CET	61522	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:40.928822041 CET	53	61522	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:52.918476105 CET	52337	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:52.954267979 CET	53	52337	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:55.247128010 CET	55046	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:55.280177116 CET	49612	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:55.290446997 CET	53	55046	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:55.315783978 CET	53	49612	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:56.444890976 CET	49285	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:56.489005089 CET	53	49285	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:56.708379030 CET	50601	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:56.746427059 CET	53	50601	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:57.163888931 CET	60875	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:57.207396984 CET	53	60875	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:57.313808918 CET	56448	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:57.356937885 CET	53	56448	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:57.705447912 CET	59172	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:57.749031067 CET	53	59172	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:57.769062042 CET	62420	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:57.804739952 CET	53	62420	8.8.8.8	192.168.2.4
Dec 1, 2020 04:44:59.503549099 CET	60579	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:44:59.530725002 CET	53	60579	8.8.8.8	192.168.2.4
Dec 1, 2020 04:45:01.800072908 CET	50183	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:45:01.837090969 CET	53	50183	8.8.8.8	192.168.2.4
Dec 1, 2020 04:45:05.166932106 CET	61531	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:45:05.193977118 CET	53	61531	8.8.8.8	192.168.2.4
Dec 1, 2020 04:45:05.815246105 CET	49228	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:45:05.842329025 CET	53	49228	8.8.8.8	192.168.2.4
Dec 1, 2020 04:45:06.169568062 CET	61531	53	192.168.2.4	8.8.8.8
Dec 1, 2020 04:45:06.196949959 CET	53	61531	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 1, 2020 04:44:36.341984987 CET	192.168.2.4	8.8.8.8	0xdedf	Standard query (0)	doc-0o-0o-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Dec 1, 2020 04:44:52.918476105 CET	192.168.2.4	8.8.8.8	0x101a	Standard query (0)	favicon.ico	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 1, 2020 04:44:36.385616064 CET	8.8.8.8	192.168.2.4	0xdedf	No error (0)	doc-0o-0o-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2020 04:44:36.385616064 CET	8.8.8.8	192.168.2.4	0xdedf	No error (0)	googlehosted.l.googleusercontent.com		172.217.16.193	A (IP address)	IN (0x0001)
Dec 1, 2020 04:44:52.954267979 CET	8.8.8.8	192.168.2.4	0x101a	Name error (3)	favicon.ico	none	none	A (IP address)	IN (0x0001)
Dec 1, 2020 04:44:57.749031067 CET	8.8.8.8	192.168.2.4	0xc139	No error (0)	pagead46.l.doubleclick.net		172.217.18.2	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

doc-0o-0o-docs.googleusercontent.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49736	172.217.16.193	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2020 04:44:36.429352045 CET	78	OUT	GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: doc-0o-0o-docs.googleusercontent.com Connection: Keep-Alive
Dec 1, 2020 04:44:36.445766926 CET	80	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1561 Date: Tue, 01 Dec 2020 03:44:36 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Dec 1, 2020 04:44:36.445797920 CET	80	IN	Data Raw: 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 2d 77 65 62 6b 69 74 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Dec 1, 2020 04:44:57.802571058 CET	172.217.18.2	443	192.168.2.4	49757	CN=*.google.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Nov 03 08:33:42 CET 2020 Thu Jun 15 02:00:42 CEST 2017	Tue Jan 26 08:33:42 CET 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Dec 1, 2020 04:44:57.802571058 CET	172.217.18.2	443	192.168.2.4	49757	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Dec 1, 2020 04:44:57.817033052 CET	172.217.18.2	443	192.168.2.4	49758	CN=*.google.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Nov 03 08:33:42 CET 2020 Thu Jun 15 02:00:42 CEST 2017	Tue Jan 26 08:33:42 CET 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Dec 1, 2020 04:44:57.817033052 CET	172.217.18.2	443	192.168.2.4	49758	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Memory Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Behavior

• iexplore.exe
• iexplore.exe

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 5844 Parent PID: 800

Function Logs

General

Start time:	04:44:34
Start date:	01/12/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6cd470000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 1376 Parent PID: 5844

Function Logs

General

Start time:	04:44:35
Start date:	01/12/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5844 CREDAT:17410 /prefetch:2
Imagebase:	0xf00000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://doc-0o-0o-docs.googleusercontent.com

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 5844 Parent PID: 800

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Directory Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Created