ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:

Transcription

1 ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Phishing: Networking: System Summary: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Domains and IPs Contacted Domains Contacted URLs URLs from Memory and Binaries Contacted IPs Public Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph Copyright Joe Security LLC 2018 Page 2 of 47

3 HTTP Packets HTTPS Packets Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3232 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3284 Parent PID: 3232 General File Activities Registry Activities Analysis ssvagent.exe PID: 3336 Parent PID: 3284 General Registry Activities Disassembly Copyright Joe Security LLC 2018 Page 3 of 47

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start date: Start time: 14:46:55 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: CloudBasic 0h 4m 29s light browseurl.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Timeout MAL EGA enabled mal52.phis.win@5/74@7/4 Adjust boot time Browsing link: icrosoftonline.com/common/oauth2/authorize? response_mode=for m_post&response_type=id_to ken&scope=openid&msafe d=0&nonce=7b032a f17- aab61c3cd3ff&state =https%3a%2f%2foffice.live.com %2fstart%2fOneDrive.aspx%3fs%3 d4%26auth%3d2%26nf%3d1&cli ent_id=4b c-404b-9a80- a4f3f2351f90&redirect_uri =https%3a%2f%2foffice.live.com %2fstart%2fauth%2fsignin# Browsing link: wa=wsignin1.0&wtrealm=urn%3afederation %3aMicrosoftOnline&wctx=es tsredirect%3d2%26estsrequest%3 drqiiay2qpuvdqacgswmluihc_0erp 7gm95E0qRQpKFoV6gd2cJHL9a4etnc hsvx8eq66oymb4iqi4k8oggu3n_0bc olgaiqjic7v8pk-8pbmm7aiywusiix dzwm2hgwqmwtap54nkbfyioxa4dvr- MiY KQr13mq3ef1m1wvf50ZUztJkk Yly1LCyEZL7blPi8y3bHihEaJRbvJr hxllplqzjd6hngvkzqcgynkcmauqyba1wogcvaaebchlktc_gcga1x0y8ah I7kEX_91XxkhoWOOjuhjpMTM69DrmS TaaU4S4qymeg9rs7M2b8B64rPR4OKx uhhxfwhewpkcppqogjvzfy67gh1bxa Qx1JcDwG76XggFeYDKhwIAlTyvRJxC frzz8z9upshjk8h4ykbkuu_daeon-dq59x642k4- d7lwkes59dq7zkq4swdm Do6xAtdtsSdTntlaXXZacmtBgwa23z DalXcMrwf_r_kbw2&id=&u aid=15cce139a b8f52fb562 ac51d3&pcexp=&popupui= Browsing link: icrosoftonline.com/termsofuse Browsing link: icrosoftonline.com/privacy Copyright Joe Security LLC 2018 Page 4 of 47

5 Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe TCP Packets have been reduced to 100 Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Classification Copyright Joe Security LLC 2018 Page 5 of 47

6 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Signature Overview Phishing Networking Summary System Hooking and other Techniques for Hiding and Protection Copyright Joe Security LLC 2018 Page 6 of 47

7 Click to jump to signature section Phishing: Invalid links found Phishing site detected (based on favicon image match) Phishing site detected (based on logo template match) Form action URLs do not match main URL HTML body contains number of good links HTML title does not match URL Suspicious form URL found META author tag missing META copyright tag missing Networking: Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Posts data to webserver Urls found in memory or binary data Uses HTTPS System Summary: Searches the installation path of Mozilla Firefox Classification label Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Found graphical window changes (likely an installer) Uses new MSVCR Dlls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Copyright Joe Security LLC 2018 Page 7 of 47

8 Behavior Graph Behavior Graph ID: URL: Startdate: 31/08/2018 Architecture: WINDOWS Score: 52 Legend: Process Signature Created File DNS/IP Info Is Dropped Hide Legend Invalid links found Phishing site detected (based on favicon image match) Phishing site detected (based on logo template match) started Is Windows Process Number of created Registry Values Number of created Files iexplore.exe Visual Basic Delphi Java.Net C# or VB.NET started C, C++ or other language iexplore.exe Is malicious 2 84 vs.login.msa.akadns6.net paypaupdating.life , 443, 49180, MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS , 443, 49168, LIQUID-WEB-INC-LiquidWebLLCUS 9 other IPs or domains started United States United States ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 14:47:44 API Interceptor 89x Sleep call for process: iexplore.exe modified 14:47:44 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample Source Detection Scanner Label Link 4% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Copyright Joe Security LLC 2018 Page 8 of 47

9 Source Detection Scanner Label Link vs.login.msa.akadns6.net 1% virustotal Browse secure.aadcdn.microsoftonline-p.com 1% virustotal Browse auth.gfx.ms 0% virustotal Browse URLs Source Detection Scanner Label Link 0% virustotal Browse 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe b 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe b 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe b 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe XcMrwf_r_k 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe fd1eb7 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 54e b 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe sredirect% b b 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe Copyright Joe Security LLC 2018 Page 9 of 47

10 Source Detection Scanner Label Link 0% Avira URL Cloud safe 0% Avira URL Cloud safe _token&sco 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% virustotal Browse 0% Avira URL Cloud safe b 0% Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 2018 Page 10 of 47

11 Startup System is w7 cleanup iexplore.exe (PID: 3232 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3284 cmdline: '' SCODEF:3232 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3336 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\Cab979F.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true C80707FEAA56B9F5F9F299A70A89A675 2DD4AA8EB8E0AD265AFA6FDEF00FCC1625CA959C 8573C2B9348FD9364D6DF901D44C5BD80E33278D4D4AD705D22C9757FA2B52B3 4E955F122EFDB59443FD78DD5F599AA7C3E03A0014A B382AE85E40304D2DA68EE402E007424F596682E78 6C7E53E2A1D224342ABFB06F545EBC1A3B1F Copyright Joe Security LLC 2018 Page 11 of 47

12 C:\Users\HERBBL~1\AppData\Local\Temp\Tar97A0.tmp data Size (bytes): Entropy (8bit): CD81F6A51AEC72583E68BF A6C906D3953E7B92BD5CC12DAE27C772E3 540CB7459D0FD892B5C540F293E04AA3A049E65C0FB17F3B2E6245B37530C1D0 33FA38041F42317B1E36F673A7E BA691ECA127EDC0A191D9B4F6F663AD44E8AF84948B77A13FD64D4DF C0CB7A178AF64CA16D5A714F41B E2E C:\Users\HERBBL~1\AppData\Local\Temp\~DF2884FA8EB90A0DC4.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): A352954D92B78BE33BD8317EB7DAFBB 464BA5456CB7E162EA3BA6EEFEB129FCC0CECF58 0C02D92D36DD8C497A771FAC D01A69BF05FB5ED4C66B4A9015AD BDEF0CA0C3C9077F331F7C12C30594D90B670DC20661F815C98D0ED328BE74EA98B6CA41992FC4959BB9C EAF2FB63EE4C07EDA2149C297F8FD28A C:\Users\HERBBL~1\AppData\Local\Temp\~DF579DE71AE2DC209A.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): B2517E002EF74DF52665FF4F38DED77 49A060F73AADCD8E0FE4564D8DAE5D7F65EEC9B9 EE B12F3BD9AB FE96E815ABA F13C77F4E9BAA0 E78FE1F806FB3EC962AD78BD2002B94B41DD8AF1783CCAC7DF44FC43CF58C64D099538FE959CB8C3BD0A6BA11 88D27CA2A7F7A85740DAD428637AF951BB83AE6 C:\Users\HERBBL~1\AppData\Local\Temp\~DFD65619CB260AA352.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): E4E D501C639C635DDA EE975A9CFE9931DA3D06B964991E56F53963D21B AAD90D03425E7F82444DE41CB C68ECE2B146BB693A56DADD4E EE90A48E821C2B11EE C7EFC4A961F9D412B3BD4A3E9B8C B0621C4230F61EDC975170F7063D2D 36E4DDD5C400AD386A669016F1F9AF7C3E97E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true C80707FEAA56B9F5F9F299A70A89A675 2DD4AA8EB8E0AD265AFA6FDEF00FCC1625CA959C 8573C2B9348FD9364D6DF901D44C5BD80E33278D4D4AD705D22C9757FA2B52B3 4E955F122EFDB59443FD78DD5F599AA7C3E03A0014A B382AE85E40304D2DA68EE402E007424F596682E7 86C7E53E2A1D224342ABFB06F545EBC1A3B1F Copyright Joe Security LLC 2018 Page 12 of 47

13 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A data Size (bytes): 893 Entropy (8bit): D4AE187B C2D76B6DF8A8C1A30 B06F409FA14BAB33CBAF4A37811B8740B624D9E5 A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E D2809C8CF218D0B9196EC646B0C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data Size (bytes): 328 Entropy (8bit): CE2D03DAD4D3321AAF5A DFCC 1D6AF8B3DD5405A0E5BAC8957A5EE A0C16EA9028C5E4D A21A03F2F83BAE025E13BA73244BE0E079D 9B132ABE3D1E1BC6FFCBA10C6DF158AFE2EB5BE225DA94C574C F713943DBC A47AB48B13276 A2C3A3EF35BE AEC516AF66CF E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A data Size (bytes): 212 Entropy (8bit): C7207EDDC955694E5B983AA21153F EB28BE AE395BF3418FF7DDEF719E65A C6F299BB532FC649D7C43CE87C457E4FC9D3E11CF27FE95B1F754604BEAD43FB 8FFA0DB5CDC70CA713A1701D7EB2C627F523AE3AA315DCE0CB36AC904F E995E833287B58027A8 B DD746D344475E3805E4D69C838F15A C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0CD376F1-AD1C-11E8-B7AC-B2C276BF9C88}.dat Microsoft Word Document Size (bytes): Entropy (8bit): BE8B2D0B56B160F73DC6D80B581C2508 Copyright Joe Security LLC 2018 Page 13 of 47

14 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0CD376F1-AD1C-11E8-B7AC-B2C276BF9C88}.dat FB8BFA5C9AACF9608DC167C312AF1C84284A40B3 38C0C40D7AD2AD74671E831474A3175D04E2776DE67083A014AAE9E5D7246F06 F7062BF52EF51A8CA2E2914A CE39D4DC6F666AEB894F18111B238F040A2E40FF489E715BE2DC8446B1A 8F A90D49622AC34635EC24B8496B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0CD376F3-AD1C-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): F01ED1894C3CEB28D65AB3C112CF4E C86EFAC2A184CFE7A73EB3D3DFA4DBB802F D752A57049A4E61DF597833F1FE0C173E F9A838CE7CC7988 5BDCA1B336DB5234BF3300D5E A46E5EC AE93D0B2F65A F11437B3813BA1BB37B92E18 3C28E673C04E1B3C5C1A1E47914CCDF2EFF36 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{154D5530-AD1C-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): A89361C7433BEDAB291C76BC7223C 2D0723D88A33738F8DF06BA6FA62AFFDE852D3AD E6B5FA3934BFD32524BB8AA808D4EC8B4387EFF E5FB6905DB2FE0569D BBD563D17A369CE4D2BE20861F4EE54FE61EA7841AD0DFF2BD52CBCFF86D27770D ECDB59B5F54E A B27D7F1721E4C79D4B8AE9CEC C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\fb4mf11\imagestore.dat data Size (bytes): Entropy (8bit): E11AD1C9403BEC85A D448E0 8FFDC08688C26BBBA6BF28A4D8FF120ACABFA422 6E47A3FE2D39A6992E509F515055BBF72F7B2B1AEB9CB AF0C6FE 4C8A2144F2169D3AB8856DBBCED728ACA43A06545F79ECDB25B7094FBBC7C695E730C926095E0D7F8B98F47EC 933E07A2E88A638AD1C424D1AD66CD766D0F1D1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ConvergedLoginPaginatedStrings.EN[1].js Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines, with no line terminators 75B947050EF0E0BCEDA72F06C111F E65CA5F2CF1DE27AC8FB2309CB55C9062AAC8 EB05E2C C6888E CA883E5AC3FA250137CE0EE8850B37B242A8 E921B6DAD86D7B6201BFAD503600AF7705F50827B42D15586E958DB5D FC2FF9888C60BA DBB8 BFB94AF0ED F311CC65F17610D6F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Converged_v21033[1].css ASCII text, with very long lines Copyright Joe Security LLC 2018 Page 14 of 47

15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Converged_v21033[1].css Size (bytes): Entropy (8bit): C045FEBA7D C7CACD0F4F4AA EE0D0B6EF40A39B06E1A5DD08928A6B9E07962BB 5D7AD B3FC15E6FB9F67ADAD79D5C61A267ED B1015FDC C4EAF271CF FB1D5D B99A3CF22E6E06F03C8D487EEC19EC7AAC0B3E2B891A5 9A6E7DB75895C44AB9E172E1DA84F3AD74669 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ErrorPageTemplate[1] Size (bytes): 2168 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators F4FE1CB77E758E1BA56B8A8EC20417C5 F4EDA06901EDB98633A686B11D02F4925F827BF0 8D B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F 62514AB345B6648C A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E BFAC A416C09733F24E B96843DC222B436 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\OldConvergedLogin_PCore[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with CRLF, LF line terminators 206FAB1D2C1CF416C B67020 D8413D14C69DD310CD A2975AF497F059 1D B45860BFFFDCD8E9A9C56B1E88852ADFD139C4A65060F9C0 8563A6EE8655C0393D219DA0D2D5A40E3BED38331BCAD9033BE7B78B36F9CE50C3D6952C54667F217FBBA3EBB BFBBF91B7EC4FF7E5BEF74376E00B ABB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\background_gradient[1] JPEG image data, JFIF standard 1.02 Size (bytes): 453 Entropy (8bit): F0110ED5E4E0D5384A496E B 51F5FC61D8BF19100DF0F8AADAA57FCD9C BE91E53C2640FE7BAEECBC624530B D93F2815DFCE1865D5B 5F52C117E346111D99D3B A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86D D7C56C25E44B14EFDC3F13B45EDEDA064DB5A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\bannerlogo[1] Size (bytes): 4585 Entropy (8bit): PNG image data, 159 x 35, 8-bit/color RGBA, non-interlaced 9F09A27D4F69B3557C A29D726 A D16E6D F3F126E8D07EDCC5976 FC5C3D7D2B298A42EC44DAD2D8CD227B734DB966B4AFA68C0254A497E805F603 27F4FE5FA2CB5343AE820F E0CBC6013F8396E1DE59D53004B5AAEBB171A0CA8847C4ECBEB3975F46F0 CB86EDDA AF86BCCA A1D5D Copyright Joe Security LLC 2018 Page 15 of 47

16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\bullet[1] Size (bytes): 447 Entropy (8bit): PNG image data, 15 x 15, 8-bit colormap, non-interlaced 26F971D87CA00E23BD2D064524AEF BEFF2F4F8FABC A13BF26CABAD27D9 1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B A7EABEDC9D41D C62EB51BE301BB96C80539D66A73CD17CA2021D5D A37DB72E E581CC99652F3D8469B CA6C62DAD2A9D57164C620B7777AE99AA1B15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\errorPageStrings[1] Size (bytes): 3470 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 6B26ECFA58E37D4B5EC861FCDD3F04FA B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA 7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB A 1676D43B977C07A3F6A5473F12FD16E A1CB9771D0F189B EE79480C33A010F08DC521E57332EC4 C4D888D693C6A2323C97750E C3F4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon_a[1].ico Size (bytes): Entropy (8bit): MS Windows icon resource - 6 icons, 16-colors 12E3DAC858061D088023B2BD48E2FA96 E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5 90CDAF E C605D D348116D198F355A98B8C6CD21 C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0 D349B247EB4912EE169D C719CD01 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\index[1].htm Size (bytes): 633 Entropy (8bit): HTML document, ASCII text, with very long lines, with CRLF line terminators E26C31BD9B3F27EEBA770D3E561ABF6F BB75A14078BAAD228903ACD99E9F C7 239E86B720069EBEA0EABFBCF667DA399E87F5364F0AA15EF4AA6ADF0AAF9DD F F4DFF1B322BA75863B342455D7A450FDDEF01F2F2C4FFD4B11FB5C48BD25F3AE2BAFC09B37 2A0E4E2B86058C4A1CB915E70441EEE3320F76 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\info_48[1] Size (bytes): 4113 Entropy (8bit): PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced FCC163AA3A79F0B746416CE69 B97CC66471FCDEE07D0EE36C7FB03F342C231F8F 51129C6C98A82EA491F89857C31146ECEC14C4AF A7A20C699C84859 E60EA153B0FECE4D D3B763B14B9A140105A36A13DAD23C EAAB DEB8C68EF078E8864 D6E288BEF7EF1731C1E9F1AD9B0170B95AC134 Copyright Joe Security LLC 2018 Page 16 of 47

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\info_48[1] C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\login[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines, with no line terminators 0994A56BB19B5BC2B86A4A20AFAC B844101DF168617E4B5C4FEE01F78F46D28A 9DBFC7D60CF869A31F C0FC FE271A1797D8BA52179 D5DEE2F03FB4353C7D577E8FEC42D7C4AFCC0492BC9ED01AD06C41F752EC59FD5DAB2B0F419EDD3E8CC43735 D56484F607063FD80ED838ED1CD248F4491E1337 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\marching_ants[1].gif GIF image data, version 89a, 352 x 3 Size (bytes): 3620 Entropy (8bit): B540A8E E32C4FE58BF2DBAB 3047C1DB97B86F6981E0AD2F96AF40CDF43511AF 8737D F37B333F08A E7E8B9BDAAA15CDB63C8448B426F95D E3612D9E6809EC192F6E2D035290B730871C269A267115E4A5515CADB7E6E14E3DD4290A35ABAA8D14CF1FA392 4DC76E11926AC341E0F6F372E9FC5434B546E5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\marching_ants_white[1].gif GIF image data, version 89a, 352 x 3 Size (bytes): 2672 Entropy (8bit): DE AB3A456DEFE6DA23 17C6DF4D7CCF1FA2C9EFD716FBAE0FC2C71C8D6D A A7C7C667FD42787CD1E9ADF2F6BF809EFB7596E61A03E8DBA9ADA C1D262BC225A8BA1758DF546E27B5BE8D84CBCF7E E5E05E04AFFEFEC3C0DA EB8A917E1 A8D90F4BAC833B64A1F6DE97AD3D5FC80A02308 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\0-small[1].jpg JPEG image data, JFIF standard 1.01 Size (bytes): 3006 Entropy (8bit): BCEE624FA04EF9B75E86211A9FE0D 23BBCDAAEBD6C9A6E57E96E44493B FCAB F89E BBF1F33B596FF4A2179B355A8E15AD02EBAA2B1DA11127EA D20765E5738F4AC5A91396B5F5D88057C3B BCE42039AC9D5D75B1C3FB9629ACA6290A475625DFE60887C F59D4FB52108D024FF4FA8094C9B8458F9F33 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\0-small[2].jpg JPEG image data, JFIF standard 1.01 Size (bytes): 3006 Entropy (8bit): BCEE624FA04EF9B75E86211A9FE0D Copyright Joe Security LLC 2018 Page 17 of 47

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\0-small[2].jpg 23BBCDAAEBD6C9A6E57E96E44493B FCAB F89E BBF1F33B596FF4A2179B355A8E15AD02EBAA2B1DA11127EA D20765E5738F4AC5A91396B5F5D88057C3B BCE42039AC9D5D75B1C3FB9629ACA6290A475625DFE60887C F59D4FB52108D024FF4FA8094C9B8458F9F33 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\0[1].jpg Size (bytes): JPEG image data Entropy (8bit): A5DBD4393FF6A725C7E62B61DF7E72F0 55B292F885FFC92ABCE18750B07AA4ACFA4E903E 211A907DE2DA0FF4A0E90917AC8054E2F35C C26E51B4909F2BEB A05B67EF25492BD50A090F1EC0A0CC21DC4E4EFEB35E19CDC78A98F9415A FA02664EADE87F0E2 D8FA2A2958CD0D FC05689E01DC614 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ellipsis_grey[1].svg Size (bytes): 915 Entropy (8bit): HTML document, ASCII text, with very long lines, with no line terminators 2B5D393DB04A5E6E1F739CB266E65B4C 6A435DF5CAC3D58CCAD655FE022CCF3DD4B9B721 16C3F6531D0FA5B4D16E82ABF066233B2A9F284C068C C09F5E8D6E6 3A692635EE8EBD7B15930E78D9E7E808E48C7ED3ED79003B8CA6F9290FA0E2B0FA C00FB41D5710 E75D17C3C4D65D26F FB A406 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ellipsis_grey[2].svg Size (bytes): 915 Entropy (8bit): HTML document, ASCII text, with very long lines, with no line terminators 2B5D393DB04A5E6E1F739CB266E65B4C 6A435DF5CAC3D58CCAD655FE022CCF3DD4B9B721 16C3F6531D0FA5B4D16E82ABF066233B2A9F284C068C C09F5E8D6E6 3A692635EE8EBD7B15930E78D9E7E808E48C7ED3ED79003B8CA6F9290FA0E2B0FA C00FB41D5710 E75D17C3C4D65D26F FB A406 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ellipsis_white[1].svg Size (bytes): 915 Entropy (8bit): HTML document, ASCII text, with very long lines, with no line terminators 5AC590EE72BFE06A7CECFD75B588AD73 DDA2CB89A241BC424746D8CF2A22A EA9C281D69C4A3D78FF97BB61B9416A BABE5A0C5596F99AAEA B9135D934B9EA50B51BB0316E383B114C8F24DFE75FEF11DCBD1C96170EA59202F6BAFE11AAF534CC2F4ED334 A8EA4DBE96AF D6203BFD2DA69138F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ellipsis_white[2].svg HTML document, ASCII text, with very long lines, with no line terminators Copyright Joe Security LLC 2018 Page 18 of 47

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ellipsis_white[2].svg Size (bytes): 915 Entropy (8bit): AC590EE72BFE06A7CECFD75B588AD73 DDA2CB89A241BC424746D8CF2A22A EA9C281D69C4A3D78FF97BB61B9416A BABE5A0C5596F99AAEA B9135D934B9EA50B51BB0316E383B114C8F24DFE75FEF11DCBD1C96170EA59202F6BAFE11AAF534CC2F4ED334 A8EA4DBE96AF D6203BFD2DA69138F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon_a_eupayfgghqiai7k9sol6lg2[1].ico Size (bytes): Entropy (8bit): MS Windows icon resource - 6 icons, 16-colors 12E3DAC858061D088023B2BD48E2FA96 E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5 90CDAF E C605D D348116D198F355A98B8C6CD21 C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0 D349B247EB4912EE169D C719CD01 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\heroillustration[1] Size (bytes): JPEG image data, EXIF standard Entropy (8bit): B123EB235E6176AE98C02AC5B1C C50CA32B13A2DCBDE0CB6EB2D4F72C252F14AC3F 7E50E406688BD898803F653058D14CA384734CB9B39BA900BC5E2734B59C073B DAE0ECEF268B7B1E5C06C3E29D117A2FE1325AF55F98AB243AA8C11A6BA8B76A0B04982A0082DAF6181DD90E5 3C1C1F7DF3CE0422AD1EB198C4239DF17FDF85A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\microsoft_logo[1].png Size (bytes): 1040 Entropy (8bit): PNG image data, 100 x 22, 8-bit/color RGBA, non-interlaced E4B675007DC6492EE590131D1F7DFBB3 9397E98E13074C09072F6A50E7267C612738C E349F2BF4E C7B2C1FA A8CFA0CEF60A046F5ADD89BD9DE B880DB21F612F257FA94656D632D11FE E7B0443EF8AB5CB753CAB717625D C7DC00EC4596C1E B4C4231B0DD8636F4A86EEC33F6A0CF4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\urlblockindex[1].bin Size (bytes): 16 Entropy (8bit): data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 Copyright Joe Security LLC 2018 Page 19 of 47

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\userID-38358[1].htm Size (bytes): Entropy (8bit): HTML document, ASCII text, with very long lines, with CRLF line terminators AD77839CCE01B2E91F1962C4 281EA56562B D7B805046B3715EA25FFFC C1066E9D83434C6ACFAB9684C21FC8CB7FB2BFD587E220A66A61370DA31ECDBA C192F215D71CA243F03BDA7D8FC1ED933EC8C9B827FD3AA76FDDBA52BCC8545D5328E4A57FD7A78393ADD10A 4D38553D3AB1596A46CD7B8A8D41B D78 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\0[1].jpg Size (bytes): JPEG image data Entropy (8bit): A5DBD4393FF6A725C7E62B61DF7E72F0 55B292F885FFC92ABCE18750B07AA4ACFA4E903E 211A907DE2DA0FF4A0E90917AC8054E2F35C C26E51B4909F2BEB A05B67EF25492BD50A090F1EC0A0CC21DC4E4EFEB35E19CDC78A98F9415A FA02664EADE87F0E2 D8FA2A2958CD0D FC05689E01DC614 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\34aqxy[1].htm Size (bytes): 184 Entropy (8bit): HTML document, ASCII text, with CRLF line terminators B1CD7C031DEBBA3A5C77B39B6791C1A7 E5D91E14E9C685B06F00E550D9E189DEB2075F76 57BA053F075E0B80F747F3102ED985687C16A8754D109E7C4D A36AAA D2BBEFDC1EFFB52A38964C4CEC5990A5A226248ECA36F99E446C0C F666BF1CB514E73B D497D3 325ECC646CBD5065C364E92AB6B9C5F1AD4A72 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ErrorPageTemplate[1] Size (bytes): 2168 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators F4FE1CB77E758E1BA56B8A8EC20417C5 F4EDA06901EDB98633A686B11D02F4925F827BF0 8D B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F 62514AB345B6648C A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E BFAC A416C09733F24E B96843DC222B436 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\background_gradient[1] JPEG image data, JFIF standard 1.02 Size (bytes): 453 Entropy (8bit): F0110ED5E4E0D5384A496E B 51F5FC61D8BF19100DF0F8AADAA57FCD9C BE91E53C2640FE7BAEECBC624530B D93F2815DFCE1865D5B 5F52C117E346111D99D3B A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86D D7C56C25E44B14EFDC3F13B45EDEDA064DB5A Copyright Joe Security LLC 2018 Page 20 of 47

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\background_gradient[1] C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\down[1] Size (bytes): 748 Entropy (8bit): PNG image data, 15 x 15, 8-bit colormap, non-interlaced C4F558C4C8B56858F15C09037CD6625A EE497CC061D6A7A59BB66DEFEA65F9A8145BA240 39E7DE847C9F731EAA72338AD B957859DE27B50B6474EC D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE AC191F8F F76 8F4840BCD5B62CB6A032EF292A8B0E52A44 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\httpErrorPagesScripts[1] Size (bytes): 8714 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 3F57B781CB3EF114DD0B B7B CE6A63F996DF3A1CCCB81720E21204B825E0238C 46E019FA34465F4ED096A9665D1827B AD82E98BE01EDB1DDBC94D3AD 8CBF4EF582332AE7EA605F910AD6F8A4BC FA84F08943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5 BA16B5A64A23AF0C11EEFBF69625B8F9F90C8FA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\http_404[1] Size (bytes): 6495 Entropy (8bit): HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators F65C729DC2D457B7A F C9B50108CF582BE308411B157574E5A893FC B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F 717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EAB B356FE759C3483A33704CE9FCC1F546EBCBBC7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\info[1].svg Size (bytes): 342 ASCII text, with CRLF line terminators Entropy (8bit): EB1A3CBDDDF5A79E28D320CFE5A9 1C03296AD1C7EF88DD4115ED46EB8450DA28E93E F A6266F0FEE3C4437A BBAD1DE97BE20A578C07946A8ED41B4F 8F898C26DB923A0453E1EB3BE68A83B8DCD377439B278B90049D A8E2448B68885AD04460A81A1F258B B34F34008BF6B0CBA3D286F8AD0B46073EE2 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\info[2].svg ASCII text, with CRLF line terminators Size (bytes): 342 Entropy (8bit): EB1A3CBDDDF5A79E28D320CFE5A9 Copyright Joe Security LLC 2018 Page 21 of 47

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\info[2].svg 1C03296AD1C7EF88DD4115ED46EB8450DA28E93E F A6266F0FEE3C4437A BBAD1DE97BE20A578C07946A8ED41B4F 8F898C26DB923A0453E1EB3BE68A83B8DCD377439B278B90049D A8E2448B68885AD04460A81A1F258B B34F34008BF6B0CBA3D286F8AD0B46073EE2 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\info_48[1] Size (bytes): 4113 Entropy (8bit): PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced FCC163AA3A79F0B746416CE69 B97CC66471FCDEE07D0EE36C7FB03F342C231F8F 51129C6C98A82EA491F89857C31146ECEC14C4AF A7A20C699C84859 E60EA153B0FECE4D D3B763B14B9A140105A36A13DAD23C EAAB DEB8C68EF078E8864 D6E288BEF7EF1731C1E9F1AD9B0170B95AC134 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\login.min[1].css Size (bytes): Entropy (8bit): ASCII text, with very long lines, with no line terminators 75AADF89DF607C39F774E46B45B442DD 1843FA752027D7A7CE2E93FE2DA412C5F05A39C9 7594C27F0F7DA27B75F8C0BE96DD93EB27D51D D A16667BE CFCD96D761FBFD007D006DF3DEC95B79760ABE89EF89C979E7B F90F9CCFA71AC07394D108A66B4CDC C2EE0564AB03C54E EF8CAF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\login_hover.min[1].css Size (bytes): 89 ASCII text, with no line terminators Entropy (8bit): C B9CA ADEC33573F 0F050C79A457D BD311D4F5116C3ABA99B 91C2B74542E11D0278E02715A980B39582EAE2E3B519DDD2D4F9CA939E58109C BDBC76B5325E80C867F0A A5675E6F3A5600B2D229A2DC3569D90BBD92AAF2F B26304BC0E08E2 4E308DB851605D74E5879A304FBD779C44EE6 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\microsoft_logo[1].svg Size (bytes): 3651 Entropy (8bit): HTML document, ASCII text, with very long lines, with no line terminators EE5C8D9FB6248C938FD0DC19370E90BD D01A B781338B5BBF9202B241A5F99EE4 04D29248EE3A13A074518C93A18D6EFC491BF1F298F9B87FC989A6AE4B9FAD7A C77215B729D0E60C97F075998E88775CD0F813B4D094DC2FDD13E5711D16F4E5993D4521D0FBD5BF7150B0DBE2 3D88B1B1FF60901F053113C5D7C D58 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\microsoft_logo[2].svg HTML document, ASCII text, with very long lines, with no line terminators Copyright Joe Security LLC 2018 Page 22 of 47

23 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\microsoft_logo[2].svg Size (bytes): 3651 Entropy (8bit): EE5C8D9FB6248C938FD0DC19370E90BD D01A B781338B5BBF9202B241A5F99EE4 04D29248EE3A13A074518C93A18D6EFC491BF1F298F9B87FC989A6AE4B9FAD7A C77215B729D0E60C97F075998E88775CD0F813B4D094DC2FDD13E5711D16F4E5993D4521D0FBD5BF7150B0DBE2 3D88B1B1FF60901F053113C5D7C D58 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\WSYF83Y3.htm Size (bytes): 117 ASCII text, with no line terminators Entropy (8bit): FB24BBAD79992DEAC545B1E38931BF C9EC3453ECABCC46F3D30A2F3B79121B18 7CCC10D1B4614B1179C6255C E2E364CC376FE2E3E1BE3E E 9D64A090C7F49D2DEE700A81033E89046E85A F4B2A10865C85DB0900D891AC84E0945E17DF1CECA56 D542F7B37F40F563A3381FCEF6C64B55A0850 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\authorize[1].htm Size (bytes): Entropy (8bit): HTML document, ASCII text, with very long lines, with CRLF, LF line terminators 1E199F3F292B3F7C9931BD3E7765BC1A 6D482313A9F6B82F5F6B332871BA8626ABE066B0 A6F7C88C1792AD000F49D9FE E34B9A3B28F6C1AF0AC8F7F4061B9D6CB 3E404C56AA85D1D49D3341E370732B658464B0647B2D8785D76685FBD1788CC91ECA62C52D C7B06 8DE2E D71AF49DBE29BC305AE09653 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\bullet[1] Size (bytes): 447 Entropy (8bit): PNG image data, 15 x 15, 8-bit colormap, non-interlaced 26F971D87CA00E23BD2D064524AEF BEFF2F4F8FABC A13BF26CABAD27D9 1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B A7EABEDC9D41D C62EB51BE301BB96C80539D66A73CD17CA2021D5D A37DB72E E581CC99652F3D8469B CA6C62DAD2A9D57164C620B7777AE99AA1B15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\converged.v2.login.min_m0x0cepnkiw3qcb 4ilhq9a2[1].css Size (bytes): ASCII text, with very long lines Entropy (8bit): B45F4084A4D9225B7A9C07888B86AF4 0774B4207ECB7E34F07CA E8E6C5C36CF AC138A6D71E3880F0A50AE C0D153B6484EF69D88CC1B92C E239B0F302C B8C6D612E40C039FC3C8D0B797F475EF5891E01DD93E2F999E5FD9D02A089A4C0E A2891CBAAB E058AD3D45E23AB3425 Copyright Joe Security LLC 2018 Page 23 of 47

24 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\converged.v2.login.min_m0x0cepnkiw3qcb 4ilhq9a2[1].css C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\convergedloginpaginatedstrings-en.min_9eyqxjb02i xrn2nkbabbcq2[1].js Size (bytes): Entropy (8bit): UTF-8 Unicode text, with very long lines, with no line terminators F44C905C96F4D885D137634A05A6DB09 9B FE786B0402CF1EF7413DD95F592471D C3B0713CDD1F613E0636CABF1D4DBAD02C42CBB8D1651D99CFC53D688B1764CC AF06FC558E4E9533A1612A703698CD77E2FA67A6E20DDCD832B343F4C4D641E8057F6C7F556B6A D A09BABD5A45D0F19432F57FFD37CE179C7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\down[1] Size (bytes): 748 Entropy (8bit): PNG image data, 15 x 15, 8-bit colormap, non-interlaced C4F558C4C8B56858F15C09037CD6625A EE497CC061D6A7A59BB66DEFEA65F9A8145BA240 39E7DE847C9F731EAA72338AD B957859DE27B50B6474EC D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE AC191F8F F76 8F4840BCD5B62CB6A032EF292A8B0E52A44 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\errorPageStrings[1] Size (bytes): 3470 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 6B26ECFA58E37D4B5EC861FCDD3F04FA B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA 7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB A 1676D43B977C07A3F6A5473F12FD16E A1CB9771D0F189B EE79480C33A010F08DC521E57332EC4 C4D888D693C6A2323C97750E C3F4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].htm Size (bytes): Entropy (8bit): HTML document, ASCII text, with very long lines CB3B8637F26227C C157523AF 1401F C20BEC67F2F638B3EA722D26B A1D5C57B51BF237F964F2A2DE6EEA4B3EBCFB7BA809CA41EF0AFA05E3 26ECE52157CC9F150E6FF98D473007F BADFC51DFAC23EAF04818CEA5C8B F2F312B5D AD2615E669EC91437B64FE6E1DE8BFAFA9E87 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].ico PNG image data, 16 x 16, 4-bit colormap, non-interlaced Size (bytes): 237 Entropy (8bit): Copyright Joe Security LLC 2018 Page 24 of 47

25 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].ico 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[2].ico Size (bytes): Entropy (8bit): MS Windows icon resource - 6 icons, 16-colors 12E3DAC858061D088023B2BD48E2FA96 E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5 90CDAF E C605D D348116D198F355A98B8C6CD21 C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0 D349B247EB4912EE169D C719CD01 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\httpErrorPagesScripts[1] Size (bytes): 8714 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 3F57B781CB3EF114DD0B B7B CE6A63F996DF3A1CCCB81720E21204B825E0238C 46E019FA34465F4ED096A9665D1827B AD82E98BE01EDB1DDBC94D3AD 8CBF4EF582332AE7EA605F910AD6F8A4BC FA84F08943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5B A16B5A64A23AF0C11EEFBF69625B8F9F90C8FA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\http_404[1] Size (bytes): 6495 Entropy (8bit): HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators F65C729DC2D457B7A F C9B50108CF582BE308411B157574E5A893FC B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F 717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EAB B356FE759C3483A33704CE9FCC1F546EBCBBC7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\marching_ants[1].gif GIF image data, version 89a, 352 x 3 Size (bytes): 3620 Entropy (8bit): B540A8E E32C4FE58BF2DBAB 3047C1DB97B86F6981E0AD2F96AF40CDF43511AF 8737D F37B333F08A E7E8B9BDAAA15CDB63C8448B426F95D E3612D9E6809EC192F6E2D035290B730871C269A267115E4A5515CADB7E6E14E3DD4290A35ABAA8D14CF1FA392 4DC76E11926AC341E0F6F372E9FC5434B546E5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\marching_ants_white[1].gif Copyright Joe Security LLC 2018 Page 25 of 47

26 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\marching_ants_white[1].gif GIF image data, version 89a, 352 x 3 Size (bytes): 2672 Entropy (8bit): DE AB3A456DEFE6DA23 17C6DF4D7CCF1FA2C9EFD716FBAE0FC2C71C8D6D A A7C7C667FD42787CD1E9ADF2F6BF809EFB7596E61A03E8DBA9ADA C1D262BC225A8BA1758DF546E27B5BE8D84CBCF7E E5E05E04AFFEFEC3C0DA EB8A917E1 A8D90F4BAC833B64A1F6DE97AD3D5FC80A02308 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\oldconvergedlogin_pcore.min_nf4gxouxoj y1bcf754knla2[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with CRLF, LF line terminators 9C5E20C685313A3CB50427FBE7890D2C D5C3E45BA82D C0FD1B1007BB95AEFB3 6A8EC DB5ECDC5696FC62EE9BAE65F97E37CC879F E27EB CAAB3AA3A4AB7B7D21E771547BB673C F77EDC24FCF8F9F03D95696F1BBABA9031EC0C5B0837BD89 4A5FF0DB7FE8CCD7BBD32C7332BCE7B1352D897 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\userID-38358[1].htm Size (bytes): 254 HTML document, ASCII text Entropy (8bit): A6E61F4F1BEA799BB68ABC FC 861BC3B849AA94A7E F9B8BC6A8244CBED 07231C FB6B1DFDD86EEEAFCE765EB F9CCEC64D0E555C18D 2F562C6FEA46244D E0754B9DE36A43312B17F10D5B39433D6159FA A81C97D B9ACD8602 BD5AF C7CD7EDC BA55C60 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\HSFM1QBS.txt Size (bytes): 411 ASCII text, with very long lines Entropy (8bit): D8FE520F9B0AFA6963D3752F1882A F627BDB9D6C65B50EC07E935EB8407B9BA71F ED2D23FCF82EDE0C872DD8102C6CC1089ECE6AB4938AE8F7F9BD038F338372F6 C531EDC4578EDAA9B238E56D623BFF34A8DD584BB37B16C87362B03C804695DC23A41986D E77C492 62A01E223C516F7FDB7DB72A933E9B9601BD9 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\NY3ESB9Y.txt Size (bytes): 480 ASCII text, with very long lines Entropy (8bit): AD364642A825B DF98EF 0BD F7B21B62FAD DB 7EDBFB699A426E20248A913BC BC3E2D3D9F20BE4A9D0E82A294D BEF571B990EC892DDCFFBFE1AB6623B9D59B625ABD5D2CA426B2B7E3D62FD72659CB10F E769B B10BC6533E59CC5DDF95FEB7F64E7A177027DB Copyright Joe Security LLC 2018 Page 26 of 47