ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

Transcription

1 ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: System Summary: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted URLs Contacted IPs Public Static File Info No static file info Network Behavior Network Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets HTTPS Packets Table of Contents Copyright Joe Security LLC 2018 Page 2 of

3 Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3444 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3512 Parent PID: 3444 General File Activities Registry Activities Analysis ssvagent.exe PID: 3576 Parent PID: 3512 General Registry Activities Disassembly Copyright Joe Security LLC 2018 Page 3 of 163

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 14:05:23 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 2m 20s light browseurl.jbs -E%3B2ffR0%7CDb Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Warnings: Timeout CLEAN EGA enabled clean0.win@5/110@27/25 Adjust boot time Correcting counters for adjusted boot time Browsing link: E;2ffR0%7CDb Show All Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe TCP Packets have been reduced to 100 Created / dropped Files have been reduced to 100 Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 2018 Page 4 of 163

5 Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Copyright Joe Security LLC 2018 Page 5 of 163

6 Signature Overview Networking System Summary Hooking and other Techniques for Hiding and Protection Click to jump to signature section Networking: Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Uses HTTPS System Summary: Searches the installation path of Mozilla Firefox Classification label Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Found GUI installer (many successful clicks) Found graphical window changes (likely an installer) Uses new MSVCR Dlls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 2018 Page 6 of 163

7 Behavior Graph ID: URL: Startdate: 30/07/2018 Architecture: WINDOWS Score: 0 started Legend: Process Signature Created File DNS/IP Info Is Dropped Hide Legend iexplore.exe Is Windows Process Number of created Registry Values Number of created Files cs9.wpc.v0cdn.net , 443, 49213, ANSBB-ASNNET-1-AdvancedNetworksServicesIncUS United States started Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious iexplore.exe syndication.twitter.com 1105info.com , 443, 49200, TWITTER-TwitterIncUS , 49163, 49164, OMEDA OmedaCommunicationsUS 53 other IPs or domains started United States United States ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 14:05:44 API Interceptor 494x Sleep call for process: iexplore.exe modified 14:05:45 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Detection Scanner Label Link mcpmag.com 0% virustotal Browse cs9.wac.phicdn.net 0% virustotal Browse Copyright Joe Security LLC 2018 Page 7 of 163

8 Detection Scanner Label Link in.ml314.com 0% virustotal Browse nginx-bcp-stacka eu-west-1.elb.amazonaws.com 0% virustotal Browse ps.eyeota.net 0% virustotal Browse d2elgqch7xnif1.cloudfront.net 0% virustotal Browse vpc-dpm us-east-1.elb.amazonaws.com 0% virustotal Browse pagead.l.doubleclick.net 0% virustotal Browse inputs-com us-west-2.elb.amazonaws.com 0% virustotal Browse id.rlcdn.com 0% virustotal Browse pagead46.l.doubleclick.net 0% virustotal Browse pippio.com 0% virustotal Browse www-google-analytics.l.google.com 0% virustotal Browse plus.l.google.com 0% virustotal Browse e6791.b.akamaiedge.net 0% virustotal Browse x.ss2.us 0% virustotal Browse 1105info.com 0% virustotal Browse cs41.wac.edgecastcdn.net 0% virustotal Browse syndication.twitter.com 0% virustotal Browse partnerad.l.doubleclick.net 0% virustotal Browse idsync-ext-weight-2.rlcdn.com 0% virustotal Browse e13541.x.akamaiedge.net 0% virustotal Browse d7mif994hzotx.cloudfront.net 0% virustotal Browse a1621.g.akamai.net 0% virustotal Browse ml314.com 0% virustotal Browse d1w46meym42v0m.cloudfront.net 0% virustotal Browse ib.anycast.adnxs.com 0% virustotal Browse cs9.wpc.v0cdn.net 0% virustotal Browse securepubads.g.doubleclick.net 1% virustotal Browse pixel.mathtag.com 0% virustotal Browse 1% virustotal Browse a.dpmsrv.com 1% virustotal Browse idsync.rlcdn.com 0% virustotal Browse s.dpmsrv.com 1% virustotal Browse sync.crwdcntrl.net 0% virustotal Browse cm.g.doubleclick.net 0% virustotal Browse inputs.alooma.com 0% virustotal Browse platform.twitter.com 0% virustotal Browse cdn4.wibbitz.com 0% virustotal Browse cdn.alooma.com 0% virustotal Browse adservice.google.ch 0% virustotal Browse tags.bluekai.com 0% virustotal Browse ib.adnxs.com 0% virustotal Browse URLs Detection Scanner Label Link 0% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps Copyright Joe Security LLC 2018 Page 8 of 163

9 No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 2018 Page 9 of 163

10 Startup System is w7 cleanup iexplore.exe (PID: 3444 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3512 cmdline: '' SCODEF:3444 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3576 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log Size (bytes): 89 ASCII text, with CRLF line terminators Entropy (8bit): B636646D86B5DA26033D5C24B08AFAE C6E5BD9C5CFFC13C3062EEF5C73D52DA8B259ABA DB35BE84F59C BEDD775011D00446BD3894DAA D981A0381ED B27A648946A8F85F97704B984CCA60C88161F268F02F09CB4C88A61A9E62CC1E224490D333A9C7B0D4202A FE54E03C197EC2C64CFAA389EE500BE7 Copyright Joe Security LLC 2018 Page 10 of 163

11 C:\Users\HERBBL~1\AppData\Local\Temp\~DF FDBB8.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): E38A3E7332DF CA3340FDAE1C 4B56D55DA0104CB8BA3531A30AF81C30564E83AC DB52A3F4D241EE261CC58B AE7C15729D14301FF468A3979FB4EB2A5A8 31AC2B7B710E61A74CF058CC8ABB5BB9369DB73FE C119AB0D3B433359B50F26FAA222DF6491D5D0A3D4 6F4B AE25228DBD3C05DB4C7283C608 C:\Users\HERBBL~1\AppData\Local\Temp\~DF7D0F1F519FDF6BA9.TMP data Size (bytes): Entropy (8bit): A8CD9D854575F2C57838D4D57500FB B678753C65D040A7BF4FDCBE61E FA BC12EFF58A194DCA6F873939DC0A78A4B556BD1F B7BE517B787CEB43EE9B02FCBB871FB59CC06542B3AE7B2275C0B28284B23A69F B8C9A B7 16DB618729FA921CB1402D82B62BF36B1ECFD C:\Users\HERBBL~1\AppData\Local\Temp\~DFADC20C72075B85F4.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): FD7DD183742A2F196D5EFBC0AC600B41 EC B A51EAEB103F4319F22BA D3E5B73052CB01AFC EC97704F8078B5F F701891DD93FF 54D872407D791A323B40B639AE3D7DF16210B3746C97DA5B414212E4D2535A87B3F8460EBCE3B55C75C0E7ABB8 BE9B4C345D3C64DAF4F3C6FCFA64FF13155D17 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E D9D67350CD2613E78E416 data Size (bytes): 1302 Entropy (8bit): A230BDAB55187A841CFE1AA E4734F757BDEB89868EFE A327695E D73494E3446B B3CDE3AE1C8584AC26E15E45AC3EC D90FB C899CB1D31D3214FD9DC8626A55E40580D3B2224BF34310C2ABD85D0F63E2DEDAEAE57832F048C2F500CB2CBF 83683FCB14139AF3F0B CDB4689C54 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1D4507DDE4032BB572192CDEBA data Size (bytes): 944 Entropy (8bit): C64AE88AEB2CB31198D FB411 56EE7C D83BAEACC790E22471ADAABE BA75D932E914F23C2B57B7D192EDDBC2181D958E1181AD A1EE8 46D302EB9625FDDB0F0D46A FB045B1A9D6C20A73B7DCEEC994F DE6C6C90D3A2F0CBFAD9 9B41A6A09A466E9C68A2EB485631BE384D404B0 Copyright Joe Security LLC 2018 Page 11 of 163

12 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1D4507DDE4032BB572192CDEBA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 56DC82B D82FA2C261EEEBEC E32A15A217BBCF1A0C313D61FC2D7F 3FED51AD9528F251EB4D0D8D28AD6C4B539669E872713EBF30C1B C17A 3E048EC52D0188B0B9F D347AB240448D4E7ECA0E52D84EF732D63001A4B173B1736DFAD6C0CFEEB4 9AC7355FA5D3EFE30DD7E B875D4D44 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E D9D67350CD2613E78E416 data Size (bytes): 230 Entropy (8bit): A97FAC0C706C9BFB BB05B64 C0CAFFCCAA422F2EB7C3D005290CF868B DA2E67077C4950DFB67198A6091F803B1B A2CA5AF5B84EA3B1F92E8B6 E0437C9B425D4A51F015EBA19F37D72765C7F2F11DD8E6C0998F8FE038B802D513917FDF1D2EC04462AF47CEEA 9CDC62C05FC1CDCA7B46A980B256436F6CF41D C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1D4507DDE4032BB572192CDEBA data Size (bytes): 262 Entropy (8bit): B3F3B80C4E1D66E944F8FA4E371659F4 4E8AD0E8EC744225C A8B2843A0082BEF 8045F2B FF7940D09B612DB5E48CDF27A688EAFA9525A9B 02B4C3540C6A1331ACA30CD738735E81ECA E755C4117BEA78E6A2EA9345C5A2325AC1F8979E532E25F C4E4B060788FF3D0113BE31C3FC609CA852DF9 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data Size (bytes): 2608 Entropy (8bit): AA8B7904A080F2CC1B54F8EABD B192C6CB52D3A9608B A007B3DC6408C 71AD5AEA81A9834B801290B4F0E96E93E21F660B123E93133B994F C3 132B97C7AC8C400FEFA9806F1BECF943229A1B39A677D64E7908BAE1BF5680EBF6D2A6DAC74EB3CE050171A63 4A3EF7A2CA2FDCEB DA141DA28AEB9B4A C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico PNG image data, 16 x 16, 4-bit colormap, non-interlaced Size (bytes): 237 Entropy (8bit): FB559A E77D F6541 Copyright Joe Security LLC 2018 Page 12 of 163

13 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\FDBXBA6F\platform.twitter[1].xml Size (bytes): 402 Entropy (8bit): ASCII text, with very long lines, with no line terminators 0DA85424D83D6C57C886559FACAF5C22 CA A1E50FC4B555F78E98FFD38D806C D45AFEDCC19FF32CA09460EBC4A971C9DD1E0BFDCAFEF9C9680A38C48D3A 5E7F9598BF97A0528C046C95E493347AEFC D2304C7570E0E81977AD32E6D4C9CC62EF250DF8DC2EAA65 B4C9A2B380579A3A0CEFDA98ABDB51FD9529B1 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\VY5350GX\mcpmag[1].xml Size (bytes): 623 Entropy (8bit): ASCII text, with very long lines, with no line terminators 1DB401F97661D90E839FE279FD49D345 4D3FAD036EEFF4F692FBA96CF0BA9A F09 4E1F8EACE9AC2A63AB4FB41C7AB314284A7C02303EBF03AE7699B1D3020A C932101C12D80D5CC8F9B6A0952E89A77B7CF13EE A5FAFEB1F7CB3E74D67E754D7FB156D C30EC BDA8D7881C38D883AF C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E297CA81-93F0-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): B188C9AA CA985C870A5BF57 BB9BC6C9B6117C339743CD5EF8E D9515 AF82DD7D33B66BEA CBD69D6CC A1F26AAC01861EA14ECFE3 DBFAA2830AAA3B151AFC3E1C988D6D89602BB5541A75C F1FFC42A77C6CACA7E42BCCF AFA 8F92319FC4F6D DA870EC9FB15E529F C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E297CA83-93F0-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): BFA68C7BAF5AFD47FE70B619EFB1A4 E1B1A1ABCE23CBD5355EEFB8294F1BF3352D32BD EC8E922AAE5AEB E951D47A4989F2CDC763BF7C6FFE686D9418D693AE BF FD9648E25F1FE9F61B2D4FD2F8BCD1F2B419D5D12CE41A A8FB5F1A414E0C724E C6AD7A5D3C7EDB26F0D52FDA73D8460A9D0 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EABA8F10-93F0-11E8-B7AC-B2C276BF9C88}.dat Microsoft Word Document Copyright Joe Security LLC 2018 Page 13 of 163

14 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EABA8F10-93F0-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Entropy (8bit): BE9E3B327CE625617DC3EC06D23187D0 BBDC5E8FA6E7FD80C5B2BC7F010E74DCDF FA63E24D7C4FF395CD5C5D235F1204F8F17E048F1A98A854B789DAE33C95A8 DACF81E90B5858C BF0FB5524EA6F5DEA7B614FA15F584B74C8CD2A22E6CE6BF C47 AFE2973F1C E5BB1939BE4954E6 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\fb4mf11\imagestore.dat data Size (bytes): 6808 Entropy (8bit): A2443C030D1FE978E29EF655775F9BD1 E66A240F0F4DABF59CB990913ACDCDD4147A882C 3225EA846493A4E8CE532B9103EE30B5F3CA57A6725B0714B486E1C8AC862E E6BC F3AF0B8711D0D5FFA04E7B1594B FA9B41236E4375A646604A41FDC82FA3A56CFECC2 B1670BF523165EFCD01C6E237C9CCB9CC1164 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ErrorPageTemplate[1] Size (bytes): 2168 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators F4FE1CB77E758E1BA56B8A8EC20417C5 F4EDA06901EDB98633A686B11D02F4925F827BF0 8D B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F 62514AB345B6648C A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E BFAC A416C09733F24E B96843DC222B436 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ScriptResource[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with CRLF line terminators C565646F50D D21CB52C5C4E A765E0DD F5C235095DA CC3C8F7DD5826D9239BD84E99E89BFC46AD876139C52A988FA9269C5F819 3EC5122ADFAC19E24C720BFA63CF25B3237AE50D021856C6194C2DEB9F012021ADF423261E820A65864F1B3EEE FC1B2083C3CF34CDB E4B9E10E6AA050 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\analytics[1].js Size (bytes): Entropy (8bit): HTML document, ASCII text, with very long lines 64615ACD5DA6E5ACBD0A54B34174AEFE 8DB13CF86FA09D44B60D8E3E480DA B00E 3FAB1C883847E4B5A02F3749A9F4D9EAB15CD D3B2904A1A4C8755FBA3 E FC0A3B8380E9F8DAF79BB521DAA5EA545E9DDB01DE8FD38F70E30C224FD8018C349EC8F32AA9CEC7 470F204378A70DB59EF3EB E Copyright Joe Security LLC 2018 Page 14 of 163

15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\background_gradient_red[1] JPEG image data, JFIF standard 1.01 Size (bytes): 868 Entropy (8bit): E78CF3C521402FC7352BDD5EA6 017EAF48983C31AE36B5DE5DE4DB36BF953B3136 FBC23311FB5EB53C73A7CA6BFC93E8FA3530B07100A128B4905F8FB7CB145B D382338F467D0374CCE3FF3C392833FE13AC595943E7C5F2AEE4DDB3AF DD5DDC716DD17AEF ED4C2A1AB7FE6E E36EE98A7D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\csync[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): F31E1BF00674C368D335 2DAEAA8B5F19F0BC209D976C02BD6ACB51B00B0A B1442E85B03BDCAF66DC58C7ABB98745DD2687D86350BE9A298A1D9382AC849B 717EA0FF7F3F624C268ECCB244E24EC1305AB21557ABB3D6F1A7E183FF68A2D28F13D1D2AF926C9EF6D1FB16D D8CBE34CD98CACF79091DDDC7874DCEE21ECFDC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[1].ico Size (bytes): 6518 Entropy (8bit): MS Windows icon resource - 2 icons, 16x16, 256-colors 0A8B89FC86ADF8F9B97BA94E1D699B1F 2E8F8449F9BA94C6AB1B513F2F6B1940F539A8DD 7C058A01B494BC5785F48E1F67EBF343B145B47EC20CBD79268EA486EBF0C03F 4D7E5880A2DBC4B75572BE10B2883D28EA431A0A47B428BDDD5EA592A28C69B0BED93139BB3122EE99A8F8069 E4442BDC7D9A A0A53269FED2DC26 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\match[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 70 Entropy (8bit): D1707EDA790F543C6FB8D0DCFF6359 CF A876447C2854CF2BC4DF AAC5 DE9D3FD0EB948BD294477D0EDA60A73B85CAFF D A113DA D6106A6DA0C84174BA7A6307E6F1C4B3F2CC085C8466B6A25D DABC7081AAC208D960D8D37C C0D1C4B77BB4CF254C FEEC1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\plusone[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): AB2C964C25371D987826A83897C E1C02C8BFF3C4155D02584ACCEF CE8 D569036F1E87905F54E8A4AF40718A981CA849EF88B79C87A62A8FF00EBADF BAFCDECD64B441A6819A38D B337809A678DD4926EFA88D11E505518ED595AA491556BF7FCB466D D5B94B2D389C618764E49C76CCAC9A Copyright Joe Security LLC 2018 Page 15 of 163

16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\plusone[1].js C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\plusone[2].js Size (bytes): ASCII text, with very long lines Entropy (8bit): AC97D297634B6DF30846AAB6C80CAD32 01C89103FD7DEA9D439F56C1FAE4CA5F6E8662C8 AACB3F3D4C188C2BF62F0FE46A5486ED4B41D5336A8ED70BD3ADD0726BF835B3 E474C68DB8E58FAEA4F1E4F8516DE5CFD73F DF97061C6B61F4087E3FFD3A86F6A CF6EBD60 02E7EEB91CFB9AD0F1E374F5666C0D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\red_shield_48[1] Size (bytes): 4127 Entropy (8bit): PNG image data, 40 x 48, 8-bit/color RGBA, non-interlaced 7C588D6BB88D85C7040C6FFEF8D753EC 7FDD217323D2DCC4A25B024EAFD09AE34DA3BFEF 5E2CD0990D6D3B0B2345C75B890493B A8104DE59C A826E3E0 0A3ADD1FF681D C59CAFFDE B9A0F85828AB751E59FDF24403A4EF D158E6B8A4C59C5B DAF563535FF5F097F EA19A9B0DC4D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\tag[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with CRLF line terminators 00C416FF8A7C85151C0C6E249C9FBF7F CE70D6EF62F944335CB8889E F5C063D6 2CCD728594CE65FA7E E3BBD61877E548C4DAB5480CAFA6965F358A4E0 20C6D933C75DCE251D81C8E3555FA84F5F6FD0975ADE7B4D192208D EBDC493485D7EA424A5FDF8CAB 9FAEFEFEC153E96C61A35B8A477EC20A00AF36 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ud[1].js Size (bytes): 38 ASCII text, with no line terminators Entropy (8bit): D8DE1E91506D02E8849B3C99F8731DD 8E2117C4B16D2B7A795254E2A3E78AD98FAF940C 33FAC2E50819A4CD ED3C5E25823BD40E0B750BF1FB6AD454088B1BEE 860BD E8B072978A6D362C7C18E3F35053D C3F0C8A73B9B587BF04BC558F69612B85881B76FA 8218AB A5D76AE02DD7610AD8B5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\alooma-latest.min[1].js ASCII text, with very long lines Size (bytes): Entropy (8bit): D8D1FA8CC7CFEB41F4518AA5A0E180E Copyright Joe Security LLC 2018 Page 16 of 163

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\alooma-latest.min[1].js 6C3FF2933E258B7BAE FB12BE8A5F127B2 111D57BD5C836E78BADCBD782D2C284701CBC21F302E223FD0C7001BD94C2F08 7C84691BA316056A080615A902D0A7E4F54F9B59EA7E283B5392D473C0A2CEC2B28F727385A864D850428FDE0DF DFAF42B686D37B63E4EFBA8486A629A3BDD60 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\csync[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): F31E1BF00674C368D335 2DAEAA8B5F19F0BC209D976C02BD6ACB51B00B0A B1442E85B03BDCAF66DC58C7ABB98745DD2687D86350BE9A298A1D9382AC849B 717EA0FF7F3F624C268ECCB244E24EC1305AB21557ABB3D6F1A7E183FF68A2D28F13D1D2AF926C9EF6D1FB16D D8CBE34CD98CACF79091DDDC7874DCEE21ECFDC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\csync[2].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): F31E1BF00674C368D335 2DAEAA8B5F19F0BC209D976C02BD6ACB51B00B0A B1442E85B03BDCAF66DC58C7ABB98745DD2687D86350BE9A298A1D9382AC849B 717EA0FF7F3F624C268ECCB244E24EC1305AB21557ABB3D6F1A7E183FF68A2D28F13D1D2AF926C9EF6D1FB16D D8CBE34CD98CACF79091DDDC7874DCEE21ECFDC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\httpErrorPagesScripts[1] Size (bytes): 8714 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 3F57B781CB3EF114DD0B B7B CE6A63F996DF3A1CCCB81720E21204B825E0238C 46E019FA34465F4ED096A9665D1827B AD82E98BE01EDB1DDBC94D3AD 8CBF4EF582332AE7EA605F910AD6F8A4BC FA84F08943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5B A16B5A64A23AF0C11EEFBF69625B8F9F90C8FA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\red_shield[1] Size (bytes): 810 Entropy (8bit): PNG image data, 14 x 16, 8-bit colormap, non-interlaced 006DEF2ACBD0D2487DFFC287B27654D6 C95647A113AFC5241BDB313F911BF338B9AEFFDC 4BD9F96D6971C7D37D03D7DEA4AF922420BB7C6DD46446F05B8E917C33CF9E4E 9DABF92CE2846D8D86E20550C749EFBC4A1AF23C2319E6CE65A00DC8CBC75AC95A CAB1536C A 8739B D0BA562F48F4D3C25104B059A04 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\scripts-min[1].js ASCII text, with very long lines, with CRLF line terminators Copyright Joe Security LLC 2018 Page 17 of 163

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\scripts-min[1].js Size (bytes): Entropy (8bit): B22480A34B8FD3F7C4F226A498F29DE 71217ADDB E46DBF698A4E E2C1E5FBF5E25A971B9E43C72B50751C14F4687D997E4ADB7954D1C5D DFB1479EBCA9632C52A11B94A9980D43D145FB9DE5840C3A5642A82CE25B6E783E389C52481BBAE3635 E834840F6932FFE AD9A0E59DC3F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\search[1].svg Size (bytes): 1206 SVG Scalable Vector Graphics image Entropy (8bit): EDF1CD3658B16BD19E8BFC3BBE AA C774DE6CC219686B CB 8E178C D1FE4FF147DEF5F5DE352935B13116ED68521C B28F7C AB267B92EA88CCC033CE35744C1AAEFF7E02C9C0FCCC5AE2EC1A30DB1BE4B959777BAF253E2E0A1DB1819DC CA2F8788BAB03DC600AB848EF4AFED62967EE5E4A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\urlblockindex[1].bin Size (bytes): 16 Entropy (8bit): data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\wibbitz-logo-sprite[1].png Size (bytes): 1544 Entropy (8bit): PNG image data, 49 x 32, 8-bit/color RGBA, non-interlaced 68A0135F74508DE81ACF2CBE74A7448C 2F1A54E5D9D8865A8A16910F220C8B430ADF7F2C A4480AC79A412DE4C6A5AD828018AD4DC AC C29AFB8 FDD875FBD8D06D16D41F1E7F4973F96E781CD897ED8FBA5A47F171B66A3CBDA93FAFEBE703E9A17D3CDD26AE 6BCD3D956EB581E4D7ECFE6F168B364D4F1CE44F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\widgets[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): EA6D43E2E4C9A7DA8DADB95B466EC5CD D32111EC95322BE0A06FC25C1681EB495BD96755 E5F8D0CE988D869B287F9498B3C779EADDD47B3E19C5FD82FEE9F286E8F F10C0D524938B5D17D A4F9E7C2E61F2A08F3BF4734FD7CE0F728D59FE039A45CB64E F1E B0EBAA53A76E7C89516EAB89BB1E01683CF6 Copyright Joe Security LLC 2018 Page 18 of 163

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\widgets[2].js Size (bytes): ASCII text, with very long lines Entropy (8bit): EA6D43E2E4C9A7DA8DADB95B466EC5CD D32111EC95322BE0A06FC25C1681EB495BD96755 E5F8D0CE988D869B287F9498B3C779EADDD47B3E19C5FD82FEE9F286E8F F10C0D524938B5D17D A4F9E7C2E61F2A08F3BF4734FD7CE0F728D59FE039A45CB64E F1E B0EBAA53A76E7C89516EAB89BB1E01683CF6 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\1105logo[1].png Size (bytes): 3291 Entropy (8bit): PNG image data, 143 x 31, 8-bit colormap, non-interlaced 58F24BA5C547879B40BAF09ADB6CABF C FB0F F761096E24 FFA9B096AD010BEB3FD9CDF2CB A3A2091B2669D64320CEBED54DACC0 C44C66F18D5FFF1F9EC C5606E2B824597E412FB24F5678A89D1CCACE03752F4FBFC8F8EF55F6C94EEA 03CBEC463E6ED4F67E03F92E15984B6A4FE896 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ECG[1].png Size (bytes): 4689 Entropy (8bit): PNG image data, 156 x 36, 8-bit/color RGBA, non-interlaced 11BDB8ECAD0EAC8CF3FC2947C5D409B5 DD7118C238B70B84337A5FE872E26B01D8F9F9C3 D3A6DD E2C868CA647E39C144B4B68BD7AF27164FB0B69A1D7201DF64D A7B C819C669CE0641AC69D64CB9A17D9A7C274D7EF54C7CDC D93795B25C45A2E875FB794A A52232ABA7FAA68B DF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ECGwhite[1].png Size (bytes): 4712 Entropy (8bit): PNG image data, 185 x 43, 8-bit/color RGBA, non-interlaced 6A8E66F13FD33DA191634AE39E177CB5 8BBAD09F347026DC10A6FC74031B2B3FDEDE738F FBEE497FB009B86BFB02E0C0304FC81B16D14A201EC1DDA00948EFCF71718A E1783EB3BDDBF716794C22E6445CB62BFDB1EFFA40CF3BF8A839E4E C80F233BEB1C8BBF73B EC2B5CF25FB7E53BED45E1F6C8E42A60949A225 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ScriptResource[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with CRLF line terminators C1BF42575C67298F0A005A A3 AD61D810B331CB999E0EDF082AF8B7D9005DE E FBBB9259DF223257BFC59DEE BD18D66A648B65D FE488D8BF5A7BE84A70A803350F0D074AFDA3AF7229C4E5B89CF91AEB57079C42E15A59FA25FF0DAFF2A3 30FE462FB9378C7F5F596F3C00CDDCB450CBF9 Copyright Joe Security LLC 2018 Page 19 of 163

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ScriptResource[1].js C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\csync[1].htm Size (bytes): 168 Entropy (8bit): HTML document, ASCII text, with CRLF line terminators BD35D52580B10F92DB5C913F1506CEA0 F7C7ED50AD9D F5D5B173B6A2DFE9 8B7A0A4C9307B6805D727B3F4869ADCD4D2CE4E1E8FF71E BA232 07E2C0AD865CDAB61C7B5E5752A10E8DB27E D65826BAF5B15BC7748D B2C9B0B B1 0352DEFF3FE9C5D60ACF5F18453C4A331B3E1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\down[1] Size (bytes): 748 Entropy (8bit): PNG image data, 15 x 15, 8-bit colormap, non-interlaced C4F558C4C8B56858F15C09037CD6625A EE497CC061D6A7A59BB66DEFEA65F9A8145BA240 39E7DE847C9F731EAA72338AD B957859DE27B50B6474EC D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE AC191F8F F76 8F4840BCD5B62CB6A032EF292A8B0E52A44 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\embed[1].js Size (bytes): UTF-8 Unicode text, with very long lines Entropy (8bit): E65A68E858793FDAE4A9F4B8C11FD 01F5134F DEB659A83DD AD4CC6D3E60352A768E965C7ED096473E9339CF7583A845D5CEF7BF427 86A7CEE0E897C12C0BA349181BB60728FF286AF87DA122D0FA F7BD0575FAF193D90B018BED6393FFB6C 0EF1C0194CA2F9F13D507F65406FAF08D27769 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\gpt[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): F C2A746B0BF31CBB00CA 4AB423C2E F834BE612F45282DB1A3397 8CB1723C10D29BBB E29896A7BAEB77A157692AC FB6B825BABC 9498A5BA9330D143E820ABF7606F0D8803D4980B F084CD896A41EA C C2A B73B104D9DEBE42A4064A3A95A4A9CB9 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\invalidcert[1] HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators Size (bytes): 5123 Entropy (8bit): DE640A4BFEBAB60DA20EA8D35B Copyright Joe Security LLC 2018 Page 20 of 163

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\invalidcert[1] E1FDF9A543B44A0B0C3F51379FBC0E59AB2EFAD8 E8EC4E22DDCC6E52E242331CB84DDB1EAC45E8ABD51F1892DE33DC279E0E F57AE5C E0030C4B44A1FAB7C7991F6CFF8FB0C40A40C35D6C26C76BE5EAE8E22C5CFC89EE066 81F08A157B63C0A55B3557C08D331A7EC4B7C7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\invalidcert[2] Size (bytes): 3084 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators F927FC64C6CCF8F9E508B5C8510C8D26 9AAAD2E C151FF294A116D66D7286CC052 D1122EFA5A5D7CF93E9DA4CB8525CC7E6CCF50B9FA16C167A5D7E A5FA A70CE43D8497EF7D91D8C2C78DFB52FAE9AA1C39691D46D8EE3A2E65D82482E8F2916C39B3D85CE8B8F9A0647 FCCDC831C1FD6824FD300AA91818D0191AA4C50 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\pubads_impl_235[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with no line terminators 3BD35EED25A292FF6E6CD3C83D7C51CC 40EAB BBBC00AA5D2799EE2CEF2F D2EA6CDE29CC1D3C435D908B962A2E14111AF849E234A7BBA77BA2A7C79F 71C40619FE95ECEA9FEAF11676CFB85C2BC6BC9EC93795B5D00A5268E2F351397AC96B974B50023E64D9305B45 01E4EBE2F217B60F7FF5FDAFA1F06E868B16A1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\track[1].txt Size (bytes): 1 Entropy (8bit): 0.0 very short file (no magic) C4CA4238A0B923820DCC509A6F75849B 356A192B7913B04C54574D18C28D46E AB 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6 E79D560E5F7F9BD058A12A280433ED6FA46510A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\track[2].txt Size (bytes): 1 Entropy (8bit): 0.0 very short file (no magic) C4CA4238A0B923820DCC509A6F75849B 356A192B7913B04C54574D18C28D46E AB 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6 E79D560E5F7F9BD058A12A280433ED6FA46510A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Veeam_logo_2017_2018[1].png PNG image data, 150 x 62, 8-bit/color RGBA, non-interlaced Copyright Joe Security LLC 2018 Page 21 of 163

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Veeam_logo_2017_2018[1].png Size (bytes): 2972 Entropy (8bit): C7216B51F04F656D9735A2305CFCA E719900F CF78D4484DB6DD9D2BC12 E819D055EA263D818C4E DE5F89686E EB4718CDEDFD3B FDBBCEE2A9E945AB7A7EA48D2FC879C69612C8F8A5E70F970EDCA8AB A993564BF684D01BB007766C E4C67AFCE99BB9ABC47F4FE201EF4E8AFFAC05A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\WebResource[1].js Size (bytes): Entropy (8bit): ASCII text, with CRLF line terminators EAC91542A C4A3725CE29C 2987E7C40CE780293B3CDD39C4AD491F471BCCEE 0BA2F BDF934F9D79E8FD1CCF C33A EC9DFD73A E3E3F A D23F213DEFB4042ABAF0C84CB90DA429270D33DF52ACFD537E64608E8BF5FF32E2B CE29EDE55DC0BC82CEC1D1F4CC3A16FC6A83AD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\cb=gapi[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): E59542AC50BC5F43A1CC019E83F506 C258B2C5E338800C7E3923CC556D8D9BCAA17CE0 606D31BAF3BEF63A531D56C25491B010ED0B242C8C3C90B803E3CD04D28013E0 8C722E9091D42FF2AD1D06CF288606E22D7DACDCF52EEE0E4E23DC20AC9A8D34AEE5F5749B2D4C06DA0B5E2A C1472D E910BF31A13138AA05C98E19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\dpm_a93c d cac628d c194c5.min[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): F598DE480696CD77779D029BE551AB 3A5ADE2851E6B06B50138EE740414DCA2CE24E8E 08BB88B84BB401573E457113E70E5121A6299EDADBA4B9AC32893E2B29073BF3 B86951F23F9B7991A063F6C519DC115F13976C899EC59A0CAE AFCD58AC3F0DDC661E69E2A14A3FB27B 54D1B3CEAF7801AA429FC6A338ADA1E908ED3B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\errorPageStrings[1] Size (bytes): 3470 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 6B26ECFA58E37D4B5EC861FCDD3F04FA B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA 7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB A 1676D43B977C07A3F6A5473F12FD16E A1CB9771D0F189B EE79480C33A010F08DC521E57332EC4 C4D888D693C6A2323C97750E C3F4 Copyright Joe Security LLC 2018 Page 22 of 163

23 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\errorPageStrings[1] C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\green_shield[1] Size (bytes): 810 Entropy (8bit): PNG image data, 14 x 16, 8-bit colormap, non-interlaced C6452B941907E0F0865CA7CF9E59B97D F9A2C03D1BE04B53F2301D3D984D73BF BA122F4B39A33339FA9935BF656BB0B4B45CDDED78AFB16AAFD73717D BEB58C06C2C1016A7C7C8289D967EB7FFE D9205A37C6D97BD51B153F4A053E661AD4145F23F56CE0AEB DA101932B8ED64B1CD4178D127C9E2A20A1F58 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\jot[1].htm Size (bytes): 80 HTML document, ASCII text Entropy (8bit): D9592A6C704736FA4DA218D DD FCBB8D048CC536C44F3DB5A7AE4C0C10FD6847AC 90214D E47EA9587A7EEB62FAC1C64A541E373EA76E2B4E8B33E3F88 A6BCD5597B91CA0BE6DFD412BA7B6C67BCAF41A0F5A4B36B498B6B C67B90DD E55C7FBBA50C 0AC6B5135B8B A386BB064ECA5B14F5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\styles[1].css Size (bytes): Entropy (8bit): ASCII text, with very long lines, with CRLF line terminators 6C41DDA033A8C2F17DA0CC5E65E8D EB196B2A2D FEFD6574C07B8ECCA 12E7F11C928CF733F00F469CEC50BA6FA3EB022C8D81D81159F915E1A325D911 4EAD8FE81C3CB8C83CA549ADB75D5ACA2B0E3EA3873BB9573C75A0B4F3EA31E2B40F21CBAEFD99D55812D070 58DD6D2BAD AC8C CFA3618 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\svg_defs[1].svg HTML document, ASCII text, with very long lines, with no line terminators Size (bytes): 3816 Entropy (8bit): E5181EA7CF9DD352802A090CD3FFDAD 597F6AB981A6BF9E762D00E049876AF3210A614E Copyright Joe Security LLC 2018 Page 23 of 163

24 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\svg_defs[1].svg F0839A78FBEAFF1906F939F C47FA0DBD6E6F599B63F3090 F43C77D1006CF2002CDE3F1A6D597DF1010C847AE32418DD439355A339B5733B2019FD87D624EFC2F3D11146DC 506B079D27B485EE6F5A EEBE056AB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\veeam-whats-new-in-active-directory[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators 96E19F007E8904C939E490D3D0164B18 1F150FBB74279F2E2ED594E C7 9FFD4AA4DB1032E7A4228DC28DE15B6C63D52FB3B E044BB709F2C53F1 C35BC AE06B CF29FC827AF71483C24E33B231C021C5BD4586FD54171ED2DEA5F2136E2AAB3F B67E2A2965B838E00EE1EF1079FA EE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\widget_iframe.cb6df5c11eb74c4885e17101 a777cb60[1].htm Size (bytes): Entropy (8bit): HTML document, ASCII text, with very long lines 6F4BB CA164541E6B1CE F7E40D4B1A9C7A3851B92D9FEC7BBD8D2 6F3649A4B47BAB28CF2E20555E757A2D A1511A85A0254FB5B5EC9F0C CA32692AD4F354E207A8C4ABF669D67B0DC2D00BD EEA5B2AE F9A9BE8F587E7639E927E1D DEB366BD2C177BDAB62F2B50B9C4569C2 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\096GLP7S.txt Size (bytes): 328 ASCII text Entropy (8bit): A37AC7485CDEC86D70E325B537EBBBA9 D8711B40A87B3F1AA4B6A6629E2E468001AA587C 6E3FA72D00560A613E7F8BEE77AB0690C4BA E2002FB868D24B26B96AB BF00E9EA0BFAD8C9562C83C7188BBC97CF6776ED2B0D124C548A3B13FEEA38051F6DCED1C7CA06D1534B15A44 FC8D2289FB94C7FF4318AC6A F C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\0HBTKVBO.txt Size (bytes): 211 ASCII text Entropy (8bit): FAE6B3CEF19D3E C394577F03 479A81A8390F2749FBCDDEC60A5E4B5061E7C803 8F86E9DB F0E623CCA28CF774205B3F5E76EA6ABFC7D286ECFE5FE C1589A173AE71381FAD87C4A661A9C0B6770D7873F0E40F F66F8315F14203F5CC9D836EDDC01D5E F6CDB1C59FA89425A802E0DBC0CDEC7 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\1Q2FBJ73.txt ASCII text Copyright Joe Security LLC 2018 Page 24 of 163

25 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\1Q2FBJ73.txt Size (bytes): 102 Entropy (8bit): C5D69FF3FCAF81BE5E3DC8AE99E 3CC563268C0CBCF80F6DB632D6A876DECCA32CCC D714900FA1A2F99FC95A4E367A03E3D C8FBF762A18473DA65B8CEA6A3 5B4782F0D251B3673F86C273C8A747DD3FBF015D136B231DA320CE31571A7358B38139CBA057F690E705163D4B9 E4857A0A34BD46B0C5672CB6BF2C4A0083BF3 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\1Q2O3XVA.txt Size (bytes): 85 ASCII text Entropy (8bit): A8EE447FCD8FFD621F79BA F A533AF7F1907CC8687B06C1AA087A36724FE F84BA1BBFFBF47AF1E9F1C1EF3426CBE26BD928D453BDF4CFC1027FC858 04A758EDE991F2F0F325D D6180ABC08DA388AAAF3400F67E1BA535DED064256DCE7F73170A15BD 37F5604D6D9C38D0F665E5E85DEC0A0E76780 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\2YH8F0Q7.txt Size (bytes): 448 ASCII text Entropy (8bit): A7E385BA1EC33A9F50A74FC2E7C5D1F DF83BC532A62157BBBC4ABE96F4C0AA CB EC11B2A9456A6C6612D8F1940DE C926A5F63DA2001F84A70F6902DC 234A9D6DF0B B FB0396EC427C91F4BFCDC18F928E6693D233BF5EC148A22BBD7EE8787F9E29D 4B04AEBB63CD013B48741DD38D5C8D2D220D4A C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\3D03PFUX.txt Size (bytes): 423 ASCII text Entropy (8bit): C2CF3D55742B13043A36F31BD5976A4 9D4E30F58FB1D59F89898F9B9EACE6576FDBAC7B 7E42FB67D5589F51DB10455C25D49753EE5FC81395A9046AC2F73D DE134897D300CC57A3CC8E314A26FA1D45D4500D64F6C77F22FD8B36472C4ABE1A478C8B65B34ABCE09DD78F7 E9EA F358C919EAF994FB87FFC8337E C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\3GJ7JA8Z.txt Size (bytes): 101 C source, ASCII text Entropy (8bit): D15D0A9471ADFEA FB457 CF61EEF31EEE13827A99937C76309CCEA814A7D2 BF16F0B341106AD4DD6F16923B5593CE88DD9ECFCB38C6EBCACA91A6D2DE2A37 3E9BFD23A2CEB5AEFD38AD70F60914D8DAE4CB23C31C4CBAE691F8BF0384B DBF7BA207ECD2FDEAB1 E2B9BD932C114B BFBB2C2C0E660F24F Copyright Joe Security LLC 2018 Page 25 of 163

26 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\3IXZARK2.txt Size (bytes): 884 ASCII text, with very long lines Entropy (8bit): AAC4F149BA7ACDA32331BF1582C7DA08 DC30BD669E0CA7CB5484EE D078F605FC3 595C9CF D46E D5056DC943696D867333D1C62683D4C6F7DBBA 93A1DD1F5A135EE41182E8E5B242287DD09FDD5C0C4BE6278ED26E1EA1FACEE E1A2CE4FC2B68CB61 DB31D9BC623FD67E7639F7DBCB2E7E2B6DD3C65F C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\3LIJXX27.txt Size (bytes): 166 ASCII text Entropy (8bit): F806538CD7861F A436B6AAD5465C1992EE7FF394CEC36DE B9060CFF0C5F802E4DC340521C850FC6751E41A34C6A284B45DD38816AFC74D6 D2EDCA57C1C25437A4138AB19BF4572E40062C7FDB92A11354D113D00060BF5B2C050FEB41FFFA1C F87D EC3CEAE9963FD002EFDF03609DCFEF C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4CPMLMCF.txt Size (bytes): 80 ASCII text Entropy (8bit): A B0FDF273336A8CFF C179B4236A97FA50F3F2749DDE70660E FA2604BE5B7345A219150C5C9B67A80C357117CF87EE A2BA A38B3C E4ED87E4D239F2406A EB7E247DF1AABCEE552BEF ED2EF3B6DC9E07 0A15578D389A080F8645D249F9E5883B9A7C17 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4JXWJLPE.txt Size (bytes): 778 ASCII text Entropy (8bit): B243B1E5FE8EDD7B2DE7C27230E6123 1E882EF92AA DEC1D8AF4C11A90E5668D B8DE097EA52780FE531B28CFE8D51003B23D864F55B6CF12920A10C43CB502B1 FED BF04BD2A4C55814BC44116F462B61423FFBFA40281FA3FAC821F6EDA77A6D04A8131B1AECFBBEC A27D59C79D65E C1D22FAB25 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4MCK85MD.txt Size (bytes): 204 ASCII text Entropy (8bit): A18C44B4F F4A60D5E682DBA6A E81240CF78BBB8B6C0E97D8C43C073D1 BE9E05F3BCC2F21431F4C02AC4018F5B773AE92426D1F66E4017E11869A9A690 27AF81FBD7E64A49AE9AF3A38BE19C86AB7EBC7514F1C295D59F55575C0A8C9F A726ED3DF8FB0C8C BBE8D03EFA664C41B1F0D7E7345C7E3160DEBC0 Copyright Joe Security LLC 2018 Page 26 of 163

27 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4MCK85MD.txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4OODEP73.txt Size (bytes): 329 ASCII text Entropy (8bit): B17B5574B29233B50BBC40A8C7B28B6 12E96C41D03558A83DF0E3C9B85030D03DC5EF28 828C FD F F3DC470435A255506DBB9EC0B5B6821 4F0598D7CB71BDF764CC82F59442DA6187BAB5F6C AA0E4B5ACAD7196B8A1E42B6B52C320E65485FCF4A FB80026D9A4C8CFF15F B06E7 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\56OW0FAN.txt Size (bytes): 90 ASCII text Entropy (8bit): CB9D48198F2CD1A36BA4185A7D52A D547B3961EF2E C4EFF4A6F7DEE45 697FB52FF78B3A7C195C0DDEB19C72D7C9314AAF3EBC66C5DE61382DCE43902A 7F8F78263FAED23E5077E0BCD27F6A63D F61474B55ACE9B156396D29FC9FC29A89626FD3E72E22F03BAC 2B4E367EC902A71055C712ADC71CB4AD19A37 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\5EFD7G33.txt Size (bytes): 212 ASCII text Entropy (8bit): D3C14F8B0A4AB4918D833235F3B8 286E80125C54CE38A068A F54894EBB CC65AFF683C0D987779E03DCDA50C4371BFAD2D87F46EA43092B7ACC548 F114D287828C69FCBD28C3B6F628F004EAF41A3CF4E65C821652AC81039A47C0B9E540B1C74824A215F4452DB5A 4C4ABB3AACC5FC341228B418A4695BC5E53C3 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\6UTMRM77.txt Size (bytes): 214 ASCII text Entropy (8bit): C927FFEA5A1A7031B7B2F4A6B6B1E7 62A85F0517B378D0AB3F2A9D213996A053D6B84D 99EB5C4E3646C35C EE5F9C E76477D6C1A5E029D FC64EC50F91104EFD1C2F914AF61B9F4ACE6ADA925C34285CD1A19A9805C89D68E0F15FFA6604D B B4A CC7CDA81943DFBF CE2 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\7CCJEG8L.txt ASCII text Size (bytes): 339 Entropy (8bit): C33D0EC903EEDE0718B817CA651A65B0 Copyright Joe Security LLC 2018 Page 27 of 163

28 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\7CCJEG8L.txt 834CB6D70D9EB B8CC254DFCE82976E46B F3C8752E6D57B01B7148CED23C581D3127A4B7A9B5A2500C0135A D01 5C519AD6602B7F8FB0384EC139B BE0E3AA1FE09F1D78E9EF4F12E7F3D6F22A2CC9C615EB4443E2376AC EECBD72FC69E2E C72E04CB989D65E1E C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\7RY8MOXQ.txt Size (bytes): 237 ASCII text Entropy (8bit): E3A7B32DEB7A3F6C75C90DD531C1 CB45F5B49C68DF6F0B9FB588121DD4E74C4BE74D B0AFD8E851330CF7EB C6CEBEE5F39A2DD9641AC1E687E3B54CCE3F6 2FBE8F7C2D1B59864D3A73C0B7F0DE2B0BCA4EA02E163A7CD5E785AFD60EB4839A2B9ADB AD3A DC97CB2D0B40365EE206D23CE453CA3C C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\8HI1L3EC.txt Size (bytes): 327 ASCII text Entropy (8bit): B5DD579AB3FD463F7CD E2B0 D68939DCDB2533B33EBE804BDFA799518D1B096A 4474A861C91AFC9A0997C5E162DA9F37D E1FB5EA9D80759DA94D08E35 D7C AEE6E47E1FD106B31DFA8CE89436B90DCBACA0EE624ACD35199A9499C18AA4E32C3B519D51E3 107BBCAA705F65BAB42105DA9C2B076E906408E C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\8WCPNYJU.txt Size (bytes): 576 ASCII text Entropy (8bit): ED8D69F6B1ED E005D B53459B A47BE1BE71BC1DE8BF7B1F EFD01C1C3E34EDDA1634FFC81F528C7E8BFD4F0832D8965AC055DAD2D36 BAC5BDEF7E31C50BC77127ED5D5F0218A0EFEEAC52DD09E4299BE8DF2A7429D6909B5027D4710EDB2D3B3BC5 4765B5E EAF8C37D8F C317 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\BGJ902LU.txt Size (bytes): 77 ASCII text Entropy (8bit): D EDAD FDB40D3B 67C045EC62CEA F728083AFF53B6BF88C 4B6AEF30631AB1F84FB631CC2157CE8F DEEBC62C4D1239EA46F A52CD878EE5E A24B3F B7225A7E6B2CBF96FD174035A5DDB67E4CF24B02A3C A A94A181AC0AC548345F83F7FBE9042D81B716 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\C6JEXNXV.txt ASCII text Copyright Joe Security LLC 2018 Page 28 of 163

29 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\C6JEXNXV.txt Size (bytes): 662 Entropy (8bit): B2D53BCEE7085DB36F5DB5A65695BE ED181EF0C C092AE41507E 5D1F8E240BA28D484582F23D5A3992BC2E6966E3C0CB62EEF2EA4D19A073189C DE A3034F1CD920A7CB7B9CBA93DF7FE3DDA675A96D264B54F783878C035BB85ED6FEDF987835FB388A4 8F8E726FC5B042707B72AFA4C40EB016D734E3 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\CFHALCTA.txt Size (bytes): 327 ASCII text Entropy (8bit): B5DD579AB3FD463F7CD E2B0 D68939DCDB2533B33EBE804BDFA799518D1B096A 4474A861C91AFC9A0997C5E162DA9F37D E1FB5EA9D80759DA94D08E35 D7C AEE6E47E1FD106B31DFA8CE89436B90DCBACA0EE624ACD35199A9499C18AA4E32C3B519D51E3 107BBCAA705F65BAB42105DA9C2B076E906408E C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\D6YMPOIY.txt Size (bytes): 170 ASCII text Entropy (8bit): F7FE208038FFD284467F236C F48E99469E5F27170CAFD9C9E5ABC8D513B667E1 76B53865AC1C4603F6B1D2E6CF29A93F FCAE E1869CA257 64A00DCF8335B263EB83B97EE38B7D9265C21F7821FFF8121DBD7BD1D0D9334BD4C32FAD8188AE9B B 0482B1A758646A2D1928D6DBEB50D600470A8C C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\DX2INX6O.txt Size (bytes): 423 ASCII text Entropy (8bit): BA2109C3B0579C0E A2463A19E 281BEE49CB0B90882A6A7AE0ED984DEA FAB95F4B A31D56E3C5CB DA23024E53D73C833E12FC90 F7E32F192CF7AFDE3A99EFD4CD648E F4CB11FB72FC48865B475F12D51F234E7AC15FAC0A5A CB272232A22CC94ECB78841F0CEFC0FBBBC C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ERARJ1MZ.txt Size (bytes): 185 ASCII text Entropy (8bit): AF521B BDF28BC372F257C6 4729DFE9C6883C639DFF377BDFFFCA24183F5A79 20BFF920E465C25431BB09AF35FF37D009F4F EC8291F8164D015B892 64CA32861DB2E792737C9D8EE2BE77BBEC1913E26DA474E9D EFBE17329A238FD9DDFD0948CBB A2171BAE3A53D0A679FCECB8C5D791E257E07 Copyright Joe Security LLC 2018 Page 29 of 163