ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:

Transcription

1 ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking: System Summary: HIPS / PFW / Operating System Protection Evasion: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets ICMP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets Code Manipulations IRP Handler New Device Table of Contents Copyright Joe Security LLC 2018 Page 2 of

3 Statistics Behavior System Behavior Analysis iexplore.exe PID: 3384 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3484 Parent PID: 3384 General File Activities Registry Activities Analysis ssvagent.exe PID: 3572 Parent PID: 3484 General Registry Activities Analysis WINWORD.EXE PID: 3896 Parent PID: 548 General File Activities Registry Activities Analysis mrxdav.sys PID: 4 Parent PID: -1 General Registry Activities Key Value Created Disassembly Code Analysis Copyright Joe Security LLC 2018 Page 3 of 57

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 07:02:50 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 5m 8s light browseurl.jbs ms/describing%20motion%20%20kinematics%2 0in%20One%20Dimension.docx Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 16 Number of new started drivers analysed: 1 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout SUS sus21.evad.win@6/74@15/2 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Correcting counters for adjusted boot time URL browsing timeout Show All Exclude process from analysis (whitelisted): WmiPrvSE.exe, rundll32.exe, dllhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java,.Net, VB or Delphi, or parses a document) for: WINWORD.EXE Detection Copyright Joe Security LLC 2018 Page 4 of 57

5 Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Classification Copyright Joe Security LLC 2018 Page 5 of 57

6 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Signature Overview Networking Summary System / PFW / Operating System Protection Evasion HIPS Hooking and other Techniques for Hiding and Protection Click to jump to signature section Copyright Joe Security LLC 2018 Page 6 of 57

7 Networking: Social media urls found in memory data Downloads compressed data via HTTP Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data System Summary: Searches the installation path of Mozilla Firefox Spawns drivers Classification label Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Checks whether correct version of.net is installed Found graphical window changes (likely an installer) Checks if Microsoft Office is installed Uses new MSVCR Dlls Binary contains paths to debug symbols HIPS / PFW / Operating System Protection Evasion: May try to detect the Windows Explorer process (often used for injection) Hooking and other Techniques for Hiding and Protection: System process connects to network (likely due to code injection or exploit) Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 2018 Page 7 of 57

8 Behavior Graph ID: URL: Startdate: 27/03/2018 Architecture: WINDOWS Score: 21 Legend: Process Signature Created File DNS/IP Info Is Dropped Hide Legend started started started Is Windows Process WINWORD.EXE iexplore.exe mrxdav.sys Number of created Registry Values Number of created Files Visual Basic Delphi Java System process connects to network (likely due to code injection or exploit) started.net C# or VB.NET C, C++ or other language Is malicious iexplore.exe 17 sophiasapi , 49165, 49166, PROXADFR France , 49408, 50323, GOOGLE-GoogleIncUS United States started ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 07:03:45 API Interceptor 777x Sleep call for process: iexplore.exe modified 07:03:46 API Interceptor 1x Sleep call for process: ssvagent.exe modified 07:03:55 API Interceptor 706x Sleep call for process: WINWORD.EXE modified Antivirus Detection Initial Sample Source Detection Scanner Label Link 0in%20One%20Dimension.docx 3% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Copyright Joe Security LLC 2018 Page 8 of 57

9 Source Detection Scanner Label Link sophiasapi 2% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 2018 Page 9 of 57

10 Startup System is w7 cleanup iexplore.exe (PID: 3384 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3484 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3384 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3572 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) WINWORD.EXE (PID: 3896 cmdline: '' -Embedding 5D798FF0BE2A8970D ACFD9D) mrxdav.sys (PID: 4 cmdline: unknown 06AC E4B2C35AF7344D18BC686) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log Size (bytes): 89 C:\Program Files\Internet Explorer\iexplore.exe ASCII text, with CRLF line terminators Entropy (8bit): E790B7D7A34D3781A18116E1CB4D3B C91D22B4EFABCA05699A85746E156EAB F698C60928FC9E CBF1959BBB567FEF5910E36B386316F5BE59824 E219DDAC3D08E97B67B7DF A9024FD0E B3BFAD54E54FFF91E6530D942D7ED B EE70C BEE998D46E375D A6C Copyright Joe Security LLC 2018 Page 10 of 57

11 C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log C:\Users\HERBBL~1\AppData\Local\Temp\~DF4A0B97D2A8B9D5F5.TMP C:\Program Files\Internet Explorer\iexplore.exe FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): BD1E F1E572D54D8DB0AA BAF09C9F0FB9BA5FBA375F65F80BB72B70C58B B291EAB2140E9341C BA7D4B116BE9F4B3F65F86E70DBDF59B FB F7699C85A84BE A1DC915A472687C37E7671FCBC55F9978C12EA45B722C7474B5D5ECB C8A93DE4B0692DDC0C86D8F840F6D5326 C:\Users\HERBBL~1\AppData\Local\Temp\~DF8C5DEBB527B08D24.TMP C:\Program Files\Internet Explorer\iexplore.exe data Size (bytes): Entropy (8bit): A2AC40F17AF41D02FBA3B70193FD77DB DD6D8D1C0C4B19245A2B150CB3538F69DE F8D32BA8A423852A329C74658F7644A3CD1A0BF50E424A4095DE30CDD2A EBBB1CCAC48E6B632BB9B3B D3DEE E62BFD9C8FF8A CA76DE29FE8 EEDDCF8D5E38DF43DC4BFC1595EFC763277B2 C:\Users\HERBBL~1\AppData\Local\Temp\~DFB00C93AE61AED5D3.TMP C:\Program Files\Internet Explorer\iexplore.exe FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): BF802E39154C0B53FA955450D6EF E0F382B0A A0168BD2BCCA69E E 0308DDD9EC6DF1388A59E4F811CA7D5E7413ADA648A9A5EEBE2692BC9DF56B48 41C E08A46AF4F3BE7027FF0BAD020872D447EFAB DBF93C2390D E2B70774BDA20 57A79B0B CCD067D244D63F417673E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 C:\Program Files\Internet Explorer\iexplore.exe data Size (bytes): 471 Entropy (8bit): B93B055F18ED02AC BFA E49C843005A144BE3DE9485B1F9BC4E5A9126D A2649B55B45DF55AC2A B428AD312A749BDA88AA21B6C800DCE6AD4CED 1A7E8C92A1516E9B2E224E239C29EA395C615585A429B5FDF66B794DBBE6336C2BCE435ACD4F145563E5ACB4E DDBE001566E1BB345BF9F6F5EAE0341B9AAB2A6 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F C:\Program Files\Internet Explorer\iexplore.exe data Size (bytes): 4221 Entropy (8bit): EBCDD9823F89EC48ADA65C3E6F72912 Copyright Joe Security LLC 2018 Page 11 of 57

12 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F 10D276145E99F2A28F2C24CC86767DD0FC25F3DD 2203AF94B8C5CEBA DAF8103A099A387FF6D9C5F9AA85AEF5146AB FB0C F28F0D4984A9132AC57CEBB E00AC40C07875FB4371E7F7A43FB266B5F7AB162BE2C4 AD5EE8A386A05A6F0E8CECD0995E213E18C93 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Program Files\Internet Explorer\iexplore.exe data Size (bytes): 340 Entropy (8bit): ECCC F699E7458DC3765F9AE F540E382B25B60AAB13D207208BE59776A2FCF72 FA6C26CCE53B7BFFFB5C53B1AB826AF6CF2B116A3D5A21612FC35778B2603DD6 5E1F13C674F12DAD3E5B38E FFE01831B18F10C47F1F14A70D390B956BA9AD54ED690B7EAFCB1DFC2A66 F6A4D39F9A5D9B4E4637E67F2FE84CF4FBB69B C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 C:\Program Files\Internet Explorer\iexplore.exe data Size (bytes): 868 Entropy (8bit): B3C6C7FE79C4672D553EE6D1349E467B 047B C1838C67894B476AF97AE0D5F EA0470E30A87D9DE79C17D333BB177BFC8E366EE79444ECC9A3ABA E58 1B17128B670B484E9F0B7464D69EDC4B4AD07F1440B1E514FDBB0D58F14C39BA98C479AC4BB12B593BD3E69100 AC2DE9746AC739B44E18000DBFA6FD9EFD82B6 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F C:\Program Files\Internet Explorer\iexplore.exe data Size (bytes): 226 Entropy (8bit): F994582A79BB31BD6D0F81F09A BA97B32999D234DF9CFA3F8F D7FE6E0CC 58715C24CDCB5BCA BDC1DACB03A1B00C817CFE7D4F421270E795FB5C C2A5B3AF7B38FF1B21D61E61A906001FD20FC4F742DBA9C443EAF3EA08BCFB50F3689A890CD45837CE 27B50C89C2641F77A57EC F9452B5AF1 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico Size (bytes): 237 Entropy (8bit): C:\Program Files\Internet Explorer\iexplore.exe PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 C:\Program Files\Internet Explorer\iexplore.exe Copyright Joe Security LLC 2018 Page 12 of 57

13 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 data Size (bytes): Entropy (8bit): A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A6 09B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml Size (bytes): Entropy (8bit): C:\Program Files\Internet Explorer\iexplore.exe XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators A4A88F8503A18D435B9BAC09E140B24F D8C74BD4A1C9A00F7F166C CE467745C53918A654C259CB4C1DB6DC5E901337E27CDA78A2CB814125BCA538 D4301A471449CFA A6714B1491A1A3E0E3E2CC6B1F9287E524E90894D FCB448C3CFF CBC267C11284C2E6D81398E54F506D C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{393A C-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): C:\Program Files\Internet Explorer\iexplore.exe Microsoft Word Document Entropy (8bit): B165B0DB463C6A6332A732F372137A4F 757AA56775B14A E EDFD3954FD3778E1799A648E52E4BD1634DE046E0ED265A509473BB027E83B0A BE6758E036B00FD4888DE639E6AF DF60F60C6141A173ABDCD E2FFD93D2F058391DFC281110A CB8E8C469BDC592E71281B8E41DFA3D81 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{393A C-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): C:\Program Files\Internet Explorer\iexplore.exe Microsoft Word Document Entropy (8bit): CCE17DF690AFDCA92E229771E B00DFFC84C9CD8D869F6207F25657CBE C A1F4C06DAFD07AF3BD8846D1CB6C39952C1A3B91D1F3E40452D0B 880F411C9CC58A843D99D8E091C78BE004804B3F749E623DBDC248DDF4DF5ED2C7CF873C620B713675ACDA3E1 718EC4EBAD9BD1C9F73D5DDB7E697B8E0DBA44 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{43EC C-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): C:\Program Files\Internet Explorer\iexplore.exe Microsoft Word Document Entropy (8bit): F771D8782AB47DF89B2E030BD419ABEE 8F7B1470D3B788A5D528A5D2D8A53D354460AD1B ADB50F7DE305EA9B237BAE8FA E53A62DEF237BF84845BFEA3 02CADE420696AD54121ED70076D3C43CDFEA27AB0DB8558E6588B989DABBC6EA6BC95D57FA785584C876E0FC ACC3D2A8603E947509F0C5A650E4A8241D4EF4CA Copyright Joe Security LLC 2018 Page 13 of 57

14 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{43EC C-11E8-B7AC-B2C276BF9C88}.dat C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver14B0.tmp Size (bytes): Entropy (8bit): C:\Program Files\Internet Explorer\iexplore.exe XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 095C72688DE7D90E6526DC0D8878F3F6 A1CAE182FB7E86C74FB5467C0014B2A27472BE DA E9B4B0D245C5B7E1FAC1242A087DED44EAF3B792E4A231E AB7FD229A6F532AE11E4CCEB01F823810B33D5C740BC9F290C79646C422AFFC27DDB8476C931D6E4A9686EED97 0E219B6CEBBF68F9A12B6C629B6816CDE1615C C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1A7A.tmp Size (bytes): Entropy (8bit): C:\Program Files\Internet Explorer\iexplore.exe XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 095C72688DE7D90E6526DC0D8878F3F6 A1CAE182FB7E86C74FB5467C0014B2A27472BE DA E9B4B0D245C5B7E1FAC1242A087DED44EAF3B792E4A231E AB7FD229A6F532AE11E4CCEB01F823810B33D5C740BC9F290C79646C422AFFC27DDB8476C931D6E4A9686EED9 70E219B6CEBBF68F9A12B6C629B6816CDE1615C C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD data Size (bytes): Entropy (8bit): AF4D003FA5ED2926EB41A6FCE58A72A D1CE1671E8D5628CD154F00404DD1BB59266D757 8B14BA4B815607FAD87F8E D0FD7ACAC66E9F54EBF2B474CDB76E7101 E1389D4F ABDA54E82FECA5437E4DCD6F3C30C3F325B2EC7FA AB71AEBCA26E1 F283E59CB BBC67D D35ABCE8 C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{AD3F35FF-6B8B-43B2-B743-FD1FDAAE9821}.FSD data Size (bytes): Entropy (8bit): D952AEF EE68FC0B A3AB DC5D8CC670D6D6695FA1BB0577E4 0429D919F463EC B94B555A5C D58F507BC62006EB977A2C 639A09FF671819A87178EA26A573569EBE020FDD5E02691D127DCAA66E4E8EAAD6ABC06916BE5C1D1D19C9F134 AA737D67C216F9B714D6B204734BC1EEF0E890 C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF data Size (bytes): 133 Entropy (8bit): BF AE75CA7DDCA302C415B0 E3A319BA F0964CA5B E Copyright Joe Security LLC 2018 Page 14 of 57

15 C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF 39368E88EC8BC1F310630D9CCB695A9BF673F3FFBB348C2F61F575A2EA C2F0B05DD2A4C754D5E7AF4572E8FBAC12593C53DD972A14DCA47B837A3D01A71A EBF084D608D8A39 381F1F373D62B102561CC6E8FF5F7FE87BB2DF C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD data Size (bytes): Entropy (8bit): CB6E0280B BCB9DEB79959DA 3AA088E F235F95309AAB72A8088D7F6CB 959B3B63CE2D6E15ED8EF93C9FECFE48A71735E6D9946D D A 92A3A2E3906E36D2B697DCEBAD537D1E287A71F1F9AB4035F77D54F2BADD AEBCABDE5E8E90EE3606 EAC2B E3CED44280B D27624E C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F3E DD A93B-CB026A4E15E4}.FSD data Size (bytes): Entropy (8bit): D73AF E97A1BCCB2E6C9183E A6BD118B2BF1643AF544FF63451EBDA A663310B9A64F2C5F719B328CF02E7DFE7DE8634C09424B2BBF04A9906BA7E05 FBE8C809B15938E F9E98620AE457BC924EE0E D4F5C554E027D312B3053DDAE03CDAB E3DFB792ED305BA0C8CF1C4C8C3269C0AC C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A CF07FD8988}.FSF data Size (bytes): 133 Entropy (8bit): E8E1E9D752F AC5F4A1A2764 1A7FABE4BDAA3BC357F266A990CE910FBBF2E671 A5C96D23223F946DBBBFBAAADC A29EEF5E7A650C047B DB0BB9526C22820BF D52265E4EF0CEECFCB4370B3CEEEDFDD0AEDC68B1F25BC16E90A333A42B188 DC0B3BA56EC4B3B07A26A4B3EC29BBA6D73D302E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[1].ico Size (bytes): 237 Entropy (8bit): C:\Program Files\Internet Explorer\iexplore.exe PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\navcancl[1] C:\Program Files\Internet Explorer\iexplore.exe HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators Size (bytes): 2713 Copyright Joe Security LLC 2018 Page 15 of 57

16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\navcancl[1] Entropy (8bit): BCFE9F8DB04948CDDB5E31FE6A7F C70FC16F3F361C ACD57D51613CDF BEE0439FCF31DE76D6E2D7FD377A24A34AC8763D5BF4114DA5E E24228 BB0EF3D F4062AD5F27F30649C04C5A442361A5DBE3672BD8CB A31D9F30B70397D A371E73BDA580E00EEF0E4E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\Describing%20Motion%20%20Kinematics%20 in%20one%20dimension[1].docx Microsoft Word Size (bytes): Entropy (8bit): C:\Program Files\Internet Explorer\iexplore.exe 2946AB7EC92F7DA4ABCF982D48B9A09D 8EE76A7FCA55004EA DF8540D2C6ACA A78F1594B48A3F73AFAB72AE54C3C839FB7D9B942A111FDEACEAB75111EA16BE CE E0D18AB8FE09FA5154FD7F78FB8241DDEDA1F4A5583FE D72ADD20E2295A5FE421306BAE3D 4DE6099D7B3D1A13C6F849A227D72653E58C91 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\iecompatviewlist[1].xml Size (bytes): Entropy (8bit): C:\Program Files\Internet Explorer\iexplore.exe XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators E5C53C B F1D541D440B 81EC E699A0BFA191B2AE1B74320D316CE 7DA1E84B3EE4D8FAD40B8A2B775F2CE1D8C38931D6B403294AE4EE8426FAFB7F 8094EA2119B2D321EB62916CD5584A8DF20A BCDBF2E9F20D5EEB5306D1F30A8607B EFF3F2E31 6F3634DAF3EEADFDC CB1C961644A92 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\suggestions[1].en-US C:\Program Files\Internet Explorer\iexplore.exe data Size (bytes): Entropy (8bit): A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A6 09B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\urlblockindex[1].bin Size (bytes): 16 Entropy (8bit): C:\Program Files\Internet Explorer\iexplore.exe data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 Copyright Joe Security LLC 2018 Page 16 of 57

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\11A86C17.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 5461 Entropy (8bit): C F AEE8A3167B B1ECBC927B60163FA2B66B514AF62C5439DF19CE 53A67B47AF4BCEBBD9DB3A02733F FD0BA FFE2EA D331BE68C6ADDE88DA00F2762F90EEC6B02C53E6C17C0DFD3A8AB375EA2F2B62D089E8C9544DFC8D01751CE6 AE31D17C01D5EB4E7BF99A5D60D503679EFB041 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\152728A7.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): D11B86BECD91332FF F45225 F1272CF7494BB2ACFB7AC66EBA9E60D83000B7E7 20E9A59AEB6B0101ACE09F5AF8B8F58F32016B0F9CD253B5B5CB4F287F BCB794A49A40B3780C58E461D245159A3D45D658E8F368F6E2B0DC226128B01E6F8D07039FA ABC43A4 5026F19F8D77EDA402F995BC07B54B950EDB4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\176CDA61.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 9804 Entropy (8bit): AA13155CD267C30B49FB731C0 F29B51C8E847602E211D194288B83BE8EEE80B4B 301D7CF D6B80AFCF4354E5437EFADCE2894C64BD54CC8656EC28F0B5D CA7F6F0C3581CD0F8EB5DBFF3B579C2530A69F72F4C5172AB292F2E4FE A7A6D16B B1F FF621A8361BEB4870A4DCC3F7D19CF4E678CB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E26CA9B.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): F B9310E168645A5CE D6918D82A6194AF922EB2DF460E5C4FF1B 7865E5A5FA1DE0F7CFE8DA730E7BC1F9F76EBDDEB3E1EA55AA5FFF38A520B2F8 38CCA B625CDB915E F78EFBB6CB05AC74A0A6ED3C705A41DADDFF78AFF2FBEAD1A C0D02D3F559EF6A0C685B285670A818A66 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 9387 Entropy (8bit): CB F40877BDE3383E1B0C 925AD26100CF6C50B7F29F5394AD45D9DE0DEB3B CD3AAF74EC823E9222EB E4EC4E56A2759BA9E88A6F158E CA4927B365B2FBF87735F13A60221A1E82E9CDBDDEEC9F75DC46865E9902AF8B8F9D74030A408884C41B7649B C1D10988D90C0801A0DC86E04BD2DC36DF741A Copyright Joe Security LLC 2018 Page 17 of 57

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ jpeg C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): C510627DE09E862E352EFB524670D02B 344FF32AD D9DFB72AD31761FDDA89E08A BDF25F56D38754BABABE6B7C11858DA44C4CD62C10DFA6F350E82A2F882DBA6E 27BAB02FE563A151C3A9F82B1C8C875D96B703BDCF21C7D1C66E40FFFF3CE7A87AE1F08A3E980753A24C159BE 3055DFF2081E2DB94124EE9961FB30DDF0CC65A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\25B57BE.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): AAC1D3CC36D6778E889B68093A295A D932A17C98AA95BE2A7507E89A5BAE5EAA CB28C9B7A1FAB53450DEE40E382E A1DB6670B E6ED3824 CA6B1699F1B84B2A6F4E0800C75E265E02A54695B CD84FEECA3CE18840C65BF2D89AE6EBB F838D61EBBCF442BB07F2856D51560A39B4D3 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26A40C55.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 9865 Entropy (8bit): F490FBD76334EA14ACD48C6B4EFC69A1 C149AF021A566EE4315DBC8715FFF875D75E0E6A 7AC048DC6702D33ECE901E FFDD5180DE7B2C189B5F13EC729D D52B912FC94661C12101AD256FB0DF2B170D1D22FE59E50D2FFB8BF12C481BBE2FDE A41CC68DB F6F1043BAD5C6C86A5908E2C43ADC211DF1B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D6684E3.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 9503 Entropy (8bit): F584279C4FB9DC4EFD17122B4BF59E17 D5793AE9B13D97987DE61B3E73FBB75DAE3A5A93 A3E4908DD95B F35DFC FA6F3A382717DFDE612A0647F89BF6 E D695D2793EF78BF1F093A28CE3D9B0C98AC7F40D531574C46C5DAC4BAD33DC0DC32AC2842EB A31EFB4DC64CFF2307C D49A78CC5D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41FA5CA4.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 5703 Entropy (8bit): FF6B03F0C104C0B84D391C248F3FDFD Copyright Joe Security LLC 2018 Page 18 of 57

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41FA5CA4.jpeg 19ACB105F7737D8E873D441ED CCA3D76 68C01249A82060CD417C3E199A0BAB9F F2B1C62AD5E9FA3976E5458B C205B426CCA9766A857897F4AC5C8BAF A8BE33F83B9F582569DF7671E0D6DAFBA4F4223D B 4514C2F33E5145C0249C3DDC42B27F3107A4A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45A8F345.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): B2B1956C463E1E8BE809CBFF84D402 0B90C469C49D452CFE4341CBAD857D6858FD7820 FD7CC0711B50B984B7EFC A78C83465B1AB13F6F1BDC68BF9C15A EFD58D646567A78EC555A FA1779A526C35AB92793A9E0103BD9487B5E23A06A75DAC4927E04E9441 7E73C0DD89B93E8C086B53116D823E1CC702 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4730B3E9.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): C0EC9F8C8A2104F1F9CDEF73C E3E731CDD9C5B672F77E E096805EE 2AB8BBA1CD5F4F598B04D3BD03A15C3671C4C13B09F04F2C2F0B8F1671C9BC7E 98330B33F7D07ECABD877798AA9349ED74F89DD49F34AF990961F0585D A91DF1ECB5782A28E8C2CD3 C20ED0FF216F57912DC692F236C9DB5F2F731 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E20921A.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 915 Entropy (8bit): AE295C78EEE7E9D9BE43CE6EDC19CFF4 EC5578E D1C33C8D4E E2195D 3260DA7927E9FF5EE60FBA9A2EA000161A3DBFA78E9C5BEC767C3FE39B71E F6E2B2DE735C B6E8BB8540BF75D60FE360AD E1E3FD2D2E B1D953C3E396BD39 C11DE AF1D955EECBF1FCBBE55E41FF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\81D37C71.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): AA3FA90E605BC334A843CF2BED79623F C0BDE8E730DB67510E823B5E9611E4296A405FC7 B9C2BEB620A8B4DB456C6AAEDC3B8E2B700EDB16E97EF910709F EDEF FD5BDF6E6E87418F4FA03D FB1B1EB50624EAAE5505BD25ADADB5E7F520E6E7250F0116C23C265 A1FA45751EA2818DE45650B3B430F7A2C7A67E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\878B7E52.jpeg JPEG image data, JFIF standard 1.01 Copyright Joe Security LLC 2018 Page 19 of 57

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\878B7E52.jpeg Size (bytes): 9497 Entropy (8bit): DFCE3C5EC7A469CDE DD1D9F 53312D85FC C09EB8F75ABB7C988E1B E14F76F270FE48FB89A0E0CE83D9E0E1E045FD0D90FEFCF3E57E877C339 04C2C0AB6953D8CFA80C4824FD0B40C1FA0E36F F1978F8AC C82870C4C40F3955B40D22C6 7D BC01E84E19923D251AFB8D6 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87E179A6.docx Microsoft Word Size (bytes): Entropy (8bit): AB7EC92F7DA4ABCF982D48B9A09D 8EE76A7FCA55004EA DF8540D2C6ACA A78F1594B48A3F73AFAB72AE54C3C839FB7D9B942A111FDEACEAB75111EA16BE CE E0D18AB8FE09FA5154FD7F78FB8241DDEDA1F4A5583FE D72ADD20E2295A5FE421306BAE3D 4DE6099D7B3D1A13C6F849A227D72653E58C91 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EDDA72C.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 5881 Entropy (8bit): FFE283587B947A B32EF58C4 138E1C1BA3F5A704E4B596A0D3F23D8C1AA9CC25 85C531D64B314B091AAF7D0758AF884FCFC92981DAC673C1D735B7DF7C96A72B 2B6E2517AEE87E305D1B8EB50C947E B8ACD1F6E50C35F5E8AF8701C02804BD381821C22949FC685 76E5F3DFC25AC7EAA5BFB9CF1E83ABD46DE45 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96E8F8D6.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): D3345CB5A974E41E2E57AE E B74036DEB98D4AAB136648CD85EB22EC4CA7B7C A15ACBEE6B B502E316E69A0161BC163D7A3AAD B77 7D7CDCAF35D2B46725A798452FF0D7D CEE7A2ED217E49DBAE83CF5C18BA8797AA4896D2E772D34CEFA 02216FAD9E5EACCF911FFBE CB6E47DE3 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C3ED882.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 9697 Entropy (8bit): BEB79F74E66BC651F92EDA5F9062DCB 5903F190964C5404CAA20F245DDD62D11A076D9F 85E7B2B0FBD3FBD4377C5550EC216EE EC04F45C2AC9E9483D3A4ECDB 35ED4A40F810683B38B397452AC40DB0DCB74651CB1C85E9B937D6682BE949645B9D7E783249F534BB3BC0D79A 49D7DCCEFAC6EDBC47E18EFDA1674AB266B1F7 Copyright Joe Security LLC 2018 Page 20 of 57

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): CE6FA5CECDC64C8F055CC06EDE6800 9A59AA8172AAA89289A FABEA8C3E068 DEFB4BCBE86C0E63C19DD593B74C9C3D6E7890D0A1051A9D6C309295D3C7EF77 B03F0E98C6009D3D8C766755F8ABD2076F8E74ADCFAD18636CE8A98C0C98B91C C30F3BAA A18D6AB21A2B8F9225E28BBF8A228DA0A19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9E21516F.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): FA00A7E58E91B4C2D93C6E42460DB228 C298C2AC7B25CDEFDDED7D47A1EEE7174BF2CCDD 07AED242CEEEE4B367469D3C9F DECA7A7A7BA7066B318878EFD231BF0 8ACE27C311C75FF05B7414B8665FE5D75A2D41505AD EC669202A262D16D2EC821B4B68EDD726A44A94 B21502E25D0675F09EE0AF1277F559CB03A14 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A57E9A7C.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 9463 Entropy (8bit): EA6566AA61A2E9C358BB18A6418E 37A1E790D7716DFB025FE B54F77B2 2765C6AEA696D55D7CB21B26740DC4E9C7043CB ADFA8D25CED1A 54C1C67D1C25B42863D19101D5D0C154A95D540FFE00FEC22B97E644621F9C7351C8B1E9CC904B30F49A9D05DC 2B5AFA3E3E44130CF772C74C45FFE72A4DB420 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF51F1EA.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 9712 Entropy (8bit): CC170D5AE3954D0CA4E294488B3B CBCB49E03B02299B654C498EE05EF515 CB EA F3F CE9E768EAF38E1E4BC21BB46988DCC7A65 F6D6ED6CC720EF65AC9A4BC50DB85CCC2EA350ADFDE50ECD39DAA7C0EF9B4F2E261900F1D815A759ACED881 60C18AE17CE F87A17EAB7396A3F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5D50BE0.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): EA098814FE1D9DA103DA853DA C97CDB9E39CA4B395C7A71B DC1CE 4F E4AAE4DCCFB163ED003B920DA924AE6C46C02E08C722C66C507B83D F12035FBE4B30D4F01D147C6A6A94C771A7C81C E98F0B D0CBDBFC D6ED14240B FD6F D3E0C310980B54AB7AC529 Copyright Joe Security LLC 2018 Page 21 of 57

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5D50BE0.jpeg C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9DFE6DF.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): FEA1437B A05A689DCF0CDD6 23C4039C9EEEE49D9BDA7D882D91B334D9CAC514 0C04CE47ED54BD8A46FA198E83A8CA9B0BFC24638F4FEEB73E1E4D9CE4F C3FF7E7117E8076E26D A64772FDA4B3DC942AAC8E531E094FAB93DDCEEF541F5BF3CE975E3A5C6 85FCED1BEC64ED7316B5F738E1663B0D6B2509 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC6C162B.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 8943 Entropy (8bit): E14448D536206CAC9B2C69B6E ECAB05A AB1413F DF 0FD0802D1AFA668D65CC1E6A784A3B2BDC31C141AFD03D621E3F1D2961F0769B 134B7EAD5CD03575B30E9344FF3F77B3385FF4EC93B946999EC21EC88DE11FC93CC4B6A9C6DF00195BD819FBE2 75DEA7B5C93E1A5B3C0ABA57FF0D4301D2D6D7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E302BCEE.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 5246 Entropy (8bit): E06D046A7DE F95733EEE324CE DEFFF3F9AE AB343178DC82ACB8929A058 F938DC6877CD2B0162F55DD0E0043A619AA0E29F5B1BB0AA8880CC3DB491396A 90DEA5EB30323A376CB5FCA89D6C2F02CD7B1D59EE FE92AE68C1CA CD36458E128798C C5F6800B255E2DEC30B407EEDEC133C100B2A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E529053D.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 3794 Entropy (8bit): AE0E7AFBB4FC2C807BA3EE6A023A7ED 66AAD9F136C018F21169B6E3410F5D47D6CD7E78 9AC67973CCB403EC73C9A53C418A47A8F8BA08E909B40C7B10FAE4AA9C30C0C CE437807E2C2CD0A00898A2EB9652CAAEDB016C61DC20CC0EAC570AD618681E8556D0FBE587EAE4FA 516AB2E69E27F9C01218CE406EA2CED04F397B8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EF17404D.jpeg JPEG image data, JFIF standard 1.01 Size (bytes): 9566 Entropy (8bit): E9482EDF B71A830B80104EE Copyright Joe Security LLC 2018 Page 22 of 57

23 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EF17404D.jpeg FF7491A929E38D7D F C 5EE50EC7C6944F3471DA6EA0EFE06C54622CE2058B4A32C29D012210F5FD19A8 D64769F832B4CF2A5AB6A6F12A2A9B197529DC262B3EF124C9DA0C5D9E4D7D0AA394EE6DD2730FE1EC810F43C A80637BB7D464AFF6E193607A C469FC4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{34BA7AC4-C232-45FF-9103-E23A39CD7B10}.tmp data Size (bytes): Entropy (8bit): E011B54408DD64542BA0EF3DF1A7437E CAF47B7CCBEE2592D8DB3E2363BF F971E5DF9F4988BDD2CBB8057BB52E17D7985AFC9F49C360E468BE8E5FF 15F0D1F02FB570E89C85BBC27D044A59FBF5C C35A218929E0A91D110DA99E4C7CF88DB4FC AC6 C346431CDA7A3FCA34B541FA96E D889 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{56E7B3D4-7E8C C-29E99C026CD3}.tmp FoxPro FPT, blocks size 0, next free block index , 1st used item "\375" Size (bytes): 1024 Entropy (8bit): D4D94EE7E06BBB0AF B23A DBB111419C704F116EFA8E72471DD83E86E C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D D997CC5FD1 95F83AE84CAFCCED5EAF C34D5F9710E5CA2D F2FBECCB25F9CF50BBFC272BD75E1A66A 18B7783F09E1C1454AFDA519624BC2BB2F28BA4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FE3AD002-8B16-477F-A16C-D3CACE5EA682}.tmp data Size (bytes): 1536 Entropy (8bit): C68989BD36EAE2295CCC1909C1A64EE 84158A53A41FBE31000DD08647D3AA FC 27A CB8F0347FCA2F68F2FF28CDCD8DD9DD5BEDBC46C DCF95E 64A F6579BB2252E322C D4A8F467F26F37BED38B2C1AE65C09E883C7FE11739BAECB647C622E3 2D11D49CECC66AAA57397B4219C04CB C:\Users\user\AppData\Local\Temp\{0806A82F-E701-4F03-A1CB-7B5CA5B2330A} data Size (bytes): Entropy (8bit): A7FE6C2174F1E182A54265F59FB34 B FD E473A644FB3829FB A98AF33A0E0483EAB87C661AF3F1FA8BE323AAFBB BB54ABD9E4B1C 97A1B8F6E32D45FAF1D7A154C3139EF223736F8C35E81A3DCCC4FDA7D3C63F21E1DC4F7F77ACC D5D0F DF52480EE19C193D6A52C1C38B22A797968D3F9 C:\Users\user\AppData\Local\Temp\{F4BCED86-E91D-4A9E-BA6A-2EFB0D09408F} data Copyright Joe Security LLC 2018 Page 23 of 57

24 C:\Users\user\AppData\Local\Temp\{F4BCED86-E91D-4A9E-BA6A-2EFB0D09408F} Size (bytes): Entropy (8bit): F27BEA9F30A3FEED2A1A46E46DB8 A909C72776A465355E069951E6A2C4A89D316C02 C429F2CFB127C5A47BDC48019ED4ECF25BCDE85D443FEB80EF81AABFD7BF4C2B 4E30A6BE2C42B7D07E3CE06251B39755BDD941A042935D8005E914BFC2E8473BD5ADAF09CBC982D632DB DB FCAFE4C0702E051C77F49E74D56AB C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Chemistry-Exams on sophiasapi.url MS Windows 95 Internet shortcut text (URL=< >), Size (bytes): 79 Entropy (8bit): DB49964A11A4B7C7AD3FEC2CBBDFA523 F9B6C3ED195BC15BB581126F621F56A1D17F1F8B FE847D7E166FC5994B F07E04674C2C8FA5DD2DF648907ADC1303D6EA8 F A630C8E446A1647E40AE0DC59E660682DE222A46B3098E1A5F2D2E23F522F041148B70A5EDEFD5263 C308FAF60069BA0238F0D84D3680FD1941DB6 C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Describing Motion Kinematics in One Dimension.docx.url MS Windows 95 Internet shortcut text (URL=< >), Size (bytes): 142 Entropy (8bit): BC B92C830935B7D06A C93BBCBC17014FAEFAB6F5217BBF6873FBBEFEE6 D6468EFB0379EFE277C46868C90A08A5CC0292B468DF6EC6F8D282EDF5E0116C BD4010FD071A4A AD166E5F18F9C6CF E ECCB8CF1F A 47EF776B9939E08E359FB87A63A300B8DCC C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Size (bytes): 183 ASCII text, with CRLF line terminators Entropy (8bit): C5C0394B5564AE9AF8ED52B01E3 2A603C11BBCB4F9D F61465B24FD6B 4DACC798F3C5715E92BA192DC4FE9A9BC0957DD938D877FED9A A A D31BF651FE6751A F82D3073F4408A74CED8F070824C8B06BDFEE6395D20C9E3 8F7C1FC941DCD49CED1C7CB562AC9F15E02 C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm data Size (bytes): 162 Entropy (8bit): FF291ADF1F74826EE3AA31EA36ADEC1C 9E647BCB57789C91D08C9B02D73ECD048239B5C5 08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36 A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE D30BC8ED4E8A4D E1F5B76F86BAADB18E F F900B671F7951B5FCC39BABB319C5A2 Copyright Joe Security LLC 2018 Page 24 of 57

25 C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Size (bytes): 2 Entropy (8bit): 1.0 Little-endian UTF-16 Unicode text, with no line terminators F3B25701FE362EC84616A93A45CE9998 D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F 0EFAF F9755A9BFDF1C54CA0D84 C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryFR040c.lex Size (bytes): 2 Entropy (8bit): 1.0 Little-endian UTF-16 Unicode text, with no line terminators F3B25701FE362EC84616A93A45CE9998 D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F 0EFAF F9755A9BFDF1C54CA0D84 C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GQTY75SVW6HGLQJOW95P.temp C:\Program Files\Internet Explorer\iexplore.exe data Size (bytes): 3358 Entropy (8bit): A6626AA1A9D8BBD8F602F4DDD7790E70 08B9E9BADDB8AB2108C73D627F536F55507E78EF A100E12C4300A9A62B6EACE0C989AF4364B466079A75B6CE15F761B18308A7AD B85DE5136FE4D789D125995DD57E75AB1D53B BF756583CB4BA798667E B24C2630F09DDF160F DBA34C7763DB14D479F047C448C7D43E0D32E \DAV RPC SERVICE Size (bytes): 116 Entropy (8bit): Hitachi SH big-endian COFF object, not stripped F1B772F0109F05D2691B0A77F93DA545 27F1AC4F54C0AA73E5D8A201DB CA FC B79CCDBB83EBAEDB134B1CAB CBF151F5F8F0E1AD 037D0820D6F41AF4BB EE24421F8B1E0F6B55315A48F4F102434D3A4B755876A1378F70F66E551B2A ECBF8160B790AC87EE21BED8C9009 \samr Size (bytes): 116 Entropy (8bit): C:\Program Files\Internet Explorer\iexplore.exe Hitachi SH big-endian COFF object, not stripped 080E701E8B8E2E9C68203C150AC7C6B7 4EF B805758AE1D3B122F9D FE129AE2A7C F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D C11D88B8E355B7B922B B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719 D892B4C0D22BB67BE0D57EAB368BA1BC057E79 Copyright Joe Security LLC 2018 Page 25 of 57

26 \samr Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation sophiasapi true 2%, virustotal, Browse high Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious France PROXADFR United States GOOGLE-GoogleIncUS Static File Info No static file info Network Behavior Network Port Distribution Copyright Joe Security LLC 2018 Page 26 of 57

27 Total Packets: (HTTP) 53 (DNS) TCP Packets Timestamp Source Port Dest Port Source IP Dest IP Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Copyright Joe Security LLC 2018 Page 27 of 57

28 Timestamp Source Port Dest Port Source IP Dest IP Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Mar 27, :03: CEST Copyright Joe Security LLC 2018 Page 28 of 57