ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

Transcription

1 ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview AV Detection: Networking: System Summary: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Thumbnails Startup Created / dropped Files Domains and IPs Contacted Domains Contacted URLs URLs from Memory and Binaries Contacted IPs Public Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets HTTPS Packets Code Manipulations Statistics Behavior Copyright Joe Security LLC 2018 Page 2 of

3 System Behavior Analysis iexplore.exe PID: 3228 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3280 Parent PID: 3228 General File Activities Registry Activities Analysis ssvagent.exe PID: 3336 Parent PID: 3280 General Registry Activities Disassembly Copyright Joe Security LLC 2018 Page 3 of 106

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Fire Opal Start date: Start time: 18:45:10 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: CloudBasic 0h 4m 3s light browseurl.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Warnings: Timeout MAL EGA enabled mal48.win@5/153@9/5 Adjust boot time Browsing link: Show All Exclude process from analysis (whitelisted): dllhost.exe HTTP Packets have been reduced TCP Packets have been reduced to 100 Created / dropped Files have been reduced to 100 Report size getting too big, too many NtDeviceIoControlFile calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 2018 Page 4 of 106

5 Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample HTTP request are all non existing, likely the sample will exhibit less behavior Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Copyright Joe Security LLC 2018 Page 5 of 106

6 Signature Overview AV Detection Networking System Summary Hooking and other Techniques for Hiding and Protection Click to jump to signature section AV Detection: Multi AV Scanner detection for domain / URL Networking: Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Posts data to webserver Tries to download non-existing http data (HTTP/ Not Found) Urls found in memory or binary data Uses HTTPS System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Spawns processes Found GUI installer (many successful clicks) Found graphical window changes (likely an installer) Uses new MSVCR Dlls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 2018 Page 6 of 106

7 Behavior Graph ID: URL: Startdate: 08/10/2018 Architecture: WINDOWS Score: 48 Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values Multi AV Scanner detection for domain / URL Number of created Files Visual Basic Delphi iexplore.exe started Java.Net C# or VB.NET C, C++ or other language Is malicious iexplore.exe mc.yandex.ru , 49162, 49163, CLOUD-SOUTH-CloudSouthUS United States , 443, 49185, YANDEXRU Russian Federation 10 other IPs or domains started ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 18:45:44 API Interceptor 86x Sleep call for process: iexplore.exe modified 18:45:44 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample Source Detection Scanner Label Link 9% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Source Detection Scanner Label Link 9% virustotal Browse Copyright Joe Security LLC 2018 Page 7 of 106

8 URLs Source Detection Scanner Label Link 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% virustotal Browse 0% Avira URL Cloud safe 0% virustotal Browse 0% Avira URL Cloud safe skamasle.com 0% virustotal Browse skamasle.com 0% Avira URL Cloud safe estilate.com 0% virustotal Browse estilate.com 0% Avira URL Cloud safe 0% Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Copyright Joe Security LLC 2018 Page 8 of 106

9 Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Startup Copyright Joe Security LLC 2018 Page 9 of 106

10 System is w7 cleanup iexplore.exe (PID: 3228 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3280 cmdline: '' SCODEF:3228 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3336 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\CabD993.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 54E559CEF8146FE9AA8B5BA30CA4F6AA 8C53968F786B3D343D375C4B77AEAB85EE464A02 9C086D962C942CFF645DBD48B700191E96E3371B3D006E4EB3C7AC3C842057C9 19FEA345B90D5F6871CFA912483D1D2E3DFD251BE3F9B3DAE89BDCD70318D80B6EAC7502A4F618AC8CB0A219E 331F2EBBF0AD9E8DAA5418F9F78BBD6C78F9966 C:\Users\HERBBL~1\AppData\Local\Temp\CabD99F.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 54E559CEF8146FE9AA8B5BA30CA4F6AA 8C53968F786B3D343D375C4B77AEAB85EE464A02 9C086D962C942CFF645DBD48B700191E96E3371B3D006E4EB3C7AC3C842057C9 19FEA345B90D5F6871CFA912483D1D2E3DFD251BE3F9B3DAE89BDCD70318D80B6EAC7502A4F618AC8CB0A219E 331F2EBBF0AD9E8DAA5418F9F78BBD6C78F9966 C:\Users\HERBBL~1\AppData\Local\Temp\TarD994.tmp data Size (bytes): Entropy (8bit): C291922EA080071ABC B5FA8A2 2BA43A BAE5EA58C84D03AAF45EAF 64CCC7D80A289F07AFE30CF437A23F0D685E7EDF30AF E4DA4D47D B5418FDFFC0230C8354B6A3E21CD8843DB12DE361EFDEA3CAD94B5439CBC7EE009D8DFC49E86F6060C60D7 D54C72F9A3E27B B8FFE908048B29121 C:\Users\HERBBL~1\AppData\Local\Temp\TarD9A0.tmp data Size (bytes): Entropy (8bit): C291922EA080071ABC B5FA8A2 2BA43A BAE5EA58C84D03AAF45EAF 64CCC7D80A289F07AFE30CF437A23F0D685E7EDF30AF E4DA4D47D B5418FDFFC0230C8354B6A3E21CD8843DB12DE361EFDEA3CAD94B5439CBC7EE009D8DFC49E86F6060C60D7 D54C72F9A3E27B B8FFE908048B29121 Copyright Joe Security LLC 2018 Page 10 of 106

11 C:\Users\HERBBL~1\AppData\Local\Temp\~DFBD CB7.TMP data Size (bytes): Entropy (8bit): F6B EFC5E49A803C1CC AB32C59E9DD00CE9B1242C0A564968DEFC58D8 3C57180ED3DF11AD962B7D6657DB3E49A72F359A529D9D0C33B1AC289EEC6F44 6D2C5398C6ACD24B4D242514BF67B4232D23B8E88ADC7505FFFE2970CD71C5D644067B4D24B DFABDAB 043C20AB8F70B739EAFC365435DA4B3A6DD8DD C:\Users\HERBBL~1\AppData\Local\Temp\~DFBF37B086B28291EE.TMP data Size (bytes): Entropy (8bit): DF E25EB4C14 5C54BBB5601FC20E6C446B20B1960EC27277DA67 62BB399BB4558F18375A29C CF4F9A5A7DCFBBDDCC7D69D8F7D6DFE A21681A2E3DD878CE5D3E588CBE19C49797E49F6658F52646D8E25670CEECDA667BE849F1F2E36DC1F152 6C17486E370DF0C26DA40589FEC17F0C6CF465 C:\Users\HERBBL~1\AppData\Local\Temp\~DFCFB4F0D49F9DF186.TMP data Size (bytes): Entropy (8bit): BF46FF259C9163F4E3C9EA839804B9 163E7B238DBC0B6FE232DCA10DAF3437A789BE01 453F24EF8A4FE365BCECA35D3B2E891D75BB2AA9D939E96F01F466E72C2B E1891C37452A3AA3B2A30DDF1D37B697F79BC80A A32DE0A21F8CE323542BE42B E37E34 85A2E67D413093F92C45C61E9E959D6360A5C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\000F7F8FAB2D96E6F8CBD5C9A3B4EC90 data Size (bytes): 1568 Entropy (8bit): D01709FB9CF22C9D8B3A0BEEFEB9DA9 A67FE2C57D1A5864C9B5A92AB04D50E3FA0A6E23 6D103036EF5216EA97A D637C118D72AF513C39FBF5FC5F4755F05A457 89AA7EC7220BB22C746D0602B A24F0DCD6876DDF359A A89A902F1C35522DC383D21C6AEA A67D6E167CE5E4D8BD62C7229AC9B83 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 18D64851E8CA85D0F0255F4899B84D90 0B7909C2D55C2DC1BECAD166CC85BE1E08600C33 E91B D7C8DC8CDDA430C139F9DFAA72F60552CD92B91805F076833D46A 53F8C60D604290E6E BAA484718D724A67885DE CE6D9324A389B8DFE1BE63D1D9A0FC42461E9 5DA56AF1B35D2300EFA6E2693AFD04A1C8625 Copyright Joe Security LLC 2018 Page 11 of 106

12 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A data Size (bytes): 1786 Entropy (8bit): AEB4E76C6F68EFD7A48092E9F0F A035C0BDCC3DC09C881E788F7FACA53C6B458 FE1B9A0EABF44FDBE4DDE97C3CC1209FAD2FBB2D2D7476FFBF64066BD9919A4F 50D98FB4C9875B1AED0AEC06A9C934DB5010B6C5F54539E323EC14FD487E1D92D01652E4614DDF308AB2F1EDE A9E9CB1E23030C971255CC106016C6E7BBAF48C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\000F7F8FAB2D96E6F8CBD5C9A3B4EC90 data Size (bytes): 456 Entropy (8bit): AFC190B8D99806CE322D8929 F9A78E106035A981E3C57D0C45258FBE0EDC685D 3D2E65E04F1B4D6131C6673B75338C780E25A6671DC2523ADB39799E0D27BBE7 A36BC2DFC7BAB64558B7080D2329A341CDCD285E D802B656A7D597A80C5CF1A4CEC A1 DFD9D48C191AE436BCA5E40818ED2AD43DD86C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data Size (bytes): 660 Entropy (8bit): B34D7DA248CECE6BD8B F3111 5BE59E4A91CCA88E7D4F43BD F98B2B B198C47C6668EF50236F1EBE09CFBC5227E88602A496E6A275D23F1CDB252C12 FF06C916D0A6CB78C39F3A2A06CB1214FC20EF A163DADD8A46C9B96D5C67AA39E770525FAB548F1C463 B7022A79D6C4B21016B D1D3C96465A C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A data Size (bytes): 424 Entropy (8bit): A4A3FB6C5F6C11352D462D4D17188 CBF19E5F5B DDFA9C88CF0CC9340B4C 4721AEB8E59AF762F5B91733D45549BB9A901A771FE242D96B79F43876D63A94 0AB015C55F0C7CBE98C3803FE4DEDB82BD2DEC5D401EB898EF56A1ADB0CA4B5D3C95E797C8CC18EE4806C64 FE1AC6B1B514AA5B4D1B1F8132E326F923A5D1741 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico PNG image data, 16 x 16, 4-bit colormap, non-interlaced Size (bytes): 237 Entropy (8bit): FB559A E77D F6541 Copyright Joe Security LLC 2018 Page 12 of 106

13 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\NIQ1ONLG\vestacp[1].xml Size (bytes): Entropy (8bit): UTF-8 Unicode text, with very long lines, with no line terminators B924B5D68BDF34842D FA9ED2A 468EB9DB1C C E0CAF3C24 88B5E4FC45B7CA1F87C8643B8C18DD2B6E99A5F36A8A9C51303D38C BEBE82AB6C1BB9D11B47D94C010DCC0D35DD42FD6334A8BE250AC18BFCCE AA298BBF704A27 4FF440A1393C2508A62F0FFB4DB31F4FDA67FEE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{97955CF1-CB19-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): D144B2B532DF5FEEFC5D7338D5 B21E2EFC2657F63D59173CC790F37FB FC6B52A125F42D5312D C2438D89851D4B8A9AFE7A1 7BF7E7DE167E6C36AF13CB4945BA15978F74136F69236BFD328ACB351E42806E2F23468D065D0E00A184ED549C8 3E090A49FF3BD C21B816CE4682E769 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{97955CF3-CB19-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): A860A606AB33966D9F062BBFAD852C4 91D52A219531FA10CA4875A12D39D12C C2308D2F E CF5769DBC5628BBE46F61A122CFA4C AA285A1F7C1329E26A30A5FCD0ABD811267AE0ED941E7BE4D1FD247A63CF801D0A600B61E12E61F1269DE06E BE8450E36D8F442C1D5B0EF1F3DBBF79DFC8323 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{97955CF4-CB19-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): E7D13DC121E106CA0B1263D7B6FD6EC6 E37B35EA9099D0B918EA1552CE67F4866F598C D1DCAC91AFEF7F8DBF24B442694C1D45B5EACAC3FF3D E1AB76B65402C621C73F1D245CBE4921A6C9E2F D932837EE2C9A2CB3E9B9B08F0DD90F59F80775CA33E 30884B70A3C8A1617C8D45F1F498DA92FB3333 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\fb4mf11\imagestore.dat data Copyright Joe Security LLC 2018 Page 13 of 106

14 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\fb4mf11\imagestore.dat Size (bytes): 6880 Entropy (8bit): B04FC A359B1466DECD61206C1 C79B646FB758D3249C90B34B4645BC16AAA1A344 F3DBFF223AF31512B417C4ED46DE831AD4C6CA6DC41EE5EB9416CDA2467AE A376960D8C07CFD46C14E70990D102928AB1E632A43F DF061564A517C1B9A8A0876F7752CA209A714 20F66FDCB23B2068F981228DF2BEA16559B5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\2T40DGD2.htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines 7A9AFA6ACE A6FEF99BA8513A0 B59946FFD FFEEB9EF09391EB0271E6C0 64BF01EF1032F620583B3B62AAAA41D1FD49C0BA5BCD6E48A4B6ABDC4BEB1E07 5A B850C05090D46E7E5B1E0A604DF09DC975FB85D86C47FF8F4D864D0059DDB51DEC8A39F0F1F5428B 0DAEE2374AB0D6A33C17872FD605E28EC5F08 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\awstats-icon[1].png Size (bytes): 1286 Entropy (8bit): PNG image data, 19 x 19, 8-bit/color RGB, non-interlaced FA7CDA7C1E75379EF1515D07D4F35130 BF672F4C8A800C0E485009F2E2AC8E6FF0BA1AA7 867F4B37C6FC944E8F210BD52559DDB4859A2AE1A27A729F83F9BE1DF053591B A95C422948D7192BA13A8A80F3AC9ADB6829DC6AA B7C CF0B938C0B72B6C1CA1EA986E62CB7E 7D0FE9C2087D0E68D52CF944441FBFD7937AEB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[1].ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[2].ico Size (bytes): 6782 Entropy (8bit): MS Windows icon resource - 1 icon, 40x40, 32 bits/pixel E32A8959B456ACBDD9C73B264FD136A9 552F2942E043C2B57DAB3FFCE92A01EB5D70D66B C81C7C4B6A654B244CB5BCA32ADEDA3629E5539F7A C8C2AAE79C4 1FA0AAA47FC14FD87FCC43BF56E820031C75A9952F70A36C7274A4DC89A79D85D16ECC812F5F6DEAA E AD5033D93D462A18390FA4871CD9F8EE22B83F Copyright Joe Security LLC 2018 Page 14 of 106

15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\file_manager[1].png Size (bytes): Entropy (8bit): PNG image data, 1140 x 640, 8-bit/color RGBA, non-interlaced 499D6CF264E46AD9583B3F9DA5606CE7 7BD306792ED19EB491D45748D7676AC40C83C73C 220FBECE F C83538D6E203B99CC06A6B34EB8E2919A274BE 919E3F5A78DB29171E50724FD3FEC991DEA6F678B176FFA5AC9CF144878DC51B4BFFB6B668473D994D6BE285D3 07AAAAD31CCD0FCB10A4F76A21B87AA70E41D5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\flUhRqu5zY00QEpyWJYWN58AfvNeKBU[1].woff Web Open Font Format, TrueType, length 21200, version 1.1 Size (bytes): Entropy (8bit): DF7F3F518F782966DA6A187CF16B19F 8EBB093806D039236F5B985C6F89CBE4929CD81A DE3D171AA7D33CC9CC17BD4F8B8905CFFA819D65321B980268F3B53F892DBF17 74E551EC C70AD5362AA826942AAA7A02762F6AB87B5CC645E349FBF49A54F6DC A948C533BE EA0BB131E89D58ED332548EA8FED1CD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\flUhRqu5zY00QEpyWJYWN59Yf_NeKBU[1].woff Web Open Font Format, TrueType, length 21024, version 1.1 Size (bytes): Entropy (8bit): BB814361CA328AB6BB7641D76C18D16F 8BC4EB7AD109A29C6BFD41BA7EE54F4B90CFFF3D 6DAECFC7CCD82A21BE75FA44B956A652D53AF11278C651CE9487AC4CBA5E E64691DA878621C77C7DDA10A54E736E3BEBE436EEAED2A5A66EFCBD9480D255714D8780CD7B B DA38FFA5F367972AEFD2FBFC0C571BB4AE583B9 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\graphic-01[1].png Size (bytes): 1282 Entropy (8bit): PNG image data, 106 x 17, 8-bit/color RGB, non-interlaced 2CEB17FEFDAAF3F8166C92E31CD3EE1F FA783BCADC F7AD709D530DA30718CD3A8 AE1C EF0772A5D AC7922ADDD3B9C2A711BA35CE8D5ADD054 AAA9BAEB0FB133D74A88A43CF36E85FA28201B88C8AA8C4AA38DF1A09CB7AAD9CFC497EC73D4A747DE93FFE EB025D88DB7CFCD3512B78ED83E13EF25AC1AD48C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\graphic-02[1].png Size (bytes): 1290 Entropy (8bit): PNG image data, 106 x 17, 8-bit/color RGB, non-interlaced B5677E1EB59B928494DA16D0DAC9F5EA A8BA77D0E9AD5195BBF E0FCF D39A750B31AF28DC43291DD5E6B19F1734B8750DB62E0C B718D5 1B7097D305C726A172477CB094DECAAA9565A115C529B9C7D9EFD65C4FCEFA2610D1E0E76C6D08A0C29F5993D 89E16CC02255F05A12CC944BC8188BEFB27FB76 Copyright Joe Security LLC 2018 Page 15 of 106

16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\graphic-02[1].png C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\graphic-03[1].png Size (bytes): 1267 Entropy (8bit): PNG image data, 106 x 17, 8-bit/color RGB, non-interlaced C368AF782184D43A7ED F86C8 2EB23C694B129F64F983B959716D91A121D59807 ABB FB412051F3243CE84C6EC9E0AC9CAB9A7B79AF235D24EBCE768E32 9F2F75C9161F63BAFFA24D7D2467CDC9C54169BA61E9B28D4E7F6CBB0D414823F0976E A19FED3788C6B 03590F9DCA9F9BE426694A22E94A300C3FBE6E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\graphic-04[1].png Size (bytes): 1317 Entropy (8bit): PNG image data, 106 x 17, 8-bit/color RGB, non-interlaced 0C1D326C2BB050362CBFF468C0F832D9 CBDDC2587CB7AF3A9749C A851EADE99 6D63D483B519A2B094231F7DE7ADA20D2E38D5D228A763D1E25B6C0C C 2ADA14E2C8449F0E10FF563EEA F6DA7DBF01CD9594C64FF21ECC329B1289A872D75152F4655A56D F2E77FF67DA55A483B8F1DDC17CFD874B3E04 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\incut-gray-bg[1].png Size (bytes): 165 Entropy (8bit): PNG image data, 5 x 34, 8-bit/color RGBA, non-interlaced B13B1BE386149E32D6247A5279 A62C16283DE6A3E09E59636B4F9B3409E2C90B5D 0317F7A17B332CFD70399A7A3DE1A B8C8D68ADBE627ED499D6F8164D 3053B86A0F40586B0D3004E0A26C372C19FCE21545F509A77BA4F6022CA99E5938AC620C00D2B4BD499E0B0E3D1 B373484FF0439C58EA14589C2B E4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\logo01[1].png Size (bytes): 4544 Entropy (8bit): PNG image data, 85 x 26, 8-bit/color RGBA, non-interlaced 11184BFE7D16E0AF068C058F3E9C3BEF F3140E BD1ED2D C5A3B15F005249EA8B68F4E4EE3D2DCF CD596B36FCABFDC6E A DCCF08A936CB0F1F4AC6DC0A2CBB17CC9F4F BFCE9758E076627FB9BBA278748B1182F189FA92B92C0 D42DCDE9EF308C73A32750A95D110CE0E90F45 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\logo02[1].png PNG image data, 110 x 26, 8-bit/color RGBA, non-interlaced Size (bytes): 3705 Entropy (8bit): F80F8EDCB588DA97D9B A1 Copyright Joe Security LLC 2018 Page 16 of 106

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\logo02[1].png A7AB336E8614D968D6D80277DB996D3E4DD938FD 103D407583FFC4991DEF579345EC049F5BC37AAA6590FF ED39AFBCF8D 195D01024AC74E5DA8FAD0558CC372E6CA7778ED5F042E55D8282E8DB76FDDAC2A86EC AEA925252B9F A234CB36F B82CA5A0E4B98AF617A1896 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\logo03[1].png Size (bytes): 4342 Entropy (8bit): PNG image data, 95 x 26, 8-bit/color RGBA, non-interlaced 8E7F0B03C639C58CD084FDEB07D26BA5 B31D4721B A4D03C0E6B875E04833F582D BCCDD77860F26A43C72E0F3A8C7E76E524BF0B403358F7B11D543B1354FE738C 4D8E55CF20A6980EFB4D2C D314C41BB16662B5969F6BC E4ED8D1E8DC5F68CC051427DD423 F9D1FB2EEBBD1E4B07D547489F6A02866FE2E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\mysql-icon[1].png Size (bytes): 1272 Entropy (8bit): PNG image data, 34 x 31, 8-bit/color RGBA, non-interlaced 659BE09CCF59C80D878C7119DA D BC0FFEADC194029DE624A9A8447CA0E BE68119FAF9C259C594C82CD651E4B7B7FA6E3F473CB44218D8AE57FF8B A27EB4D2276A615D18DF02E24080D2C5CFB D6145A78592D911A0D8DF937AB777A5CE3DFA6DAC7563BA 42E91A7879C3DCA9A45BF3175F504AE17E0C04 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\package[1].png Size (bytes): Entropy (8bit): PNG image data, 1140 x 640, 8-bit/color RGBA, non-interlaced C62EA42DE4A C3DB866185ADC7 814D FCF6B36FAF F3B7A570A 3994E906C9AE3BB4C67F4AFF007972A6C DD7B38FC3D4896DFACBA7B E064CC39DF0B6AE83D89EBB1E E4216E0D4A49E7DA9D6C48124D2413D7B6B6DE6C71CC06A5298AE8F8A BC05D605EF9DCB74D6DC5B24B362672C211C2BC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\php-icon[1].png Size (bytes): 1484 Entropy (8bit): PNG image data, 34 x 20, 8-bit/color RGBA, non-interlaced EE3F27E1B3DF30D405AC86BD5712CC4A 6D68CD3BDF19DFA0C93C476CA12773A3E9BA9284 BBDDE6BE0FECC036A52633C30A42EAC2FA94250C777C546BC1BE599BAA12CE6D 4B8A875BBEF3C B4D74639C9C10D4387C5F F C374D5ECBB C1A77C9F B013920B2CA41276C4A B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\stats-bg[1].jpg Copyright Joe Security LLC 2018 Page 17 of 106

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\stats-bg[1].jpg JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1263x313, frames 3 Size (bytes): Entropy (8bit): A57FF84BD6F275803A65DA3EE411B93 28E431C EC011A5A44F8FB84F2A86AAEB FE07E4C00B48904E28F16C5CDA21920C CA722E1C4B EC EC8AC44F65167C39B7F2F500EDBC A2641F6E048ECAE2BE48B599A5CCF8E4D94385DB116ECBA2DD288 12C255D7C1699F09D AA6E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ [1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 430 Entropy (8bit): E66B8125A543CED3F418CC24A1E7B084 FD471C6D1CBD191772A53B4D4C3BFB19108E2CE2 1CD68A0609FE5B26F42245FC A1BDE7C3B69327F0E16F31C6EE440CFD6 AC426F5B45F78E43EAAD2121E216A8DF573EB90F7F33F2404E8E BD6976E08C E612461A891A AAB972A167A71BA0DD29C56FE91DB7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ utm[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 35 Entropy (8bit): D6814F309EA289F847C69CF91194C6 0F4E929DD5BB2564F7AB9C76338E04E292A42ACE E6763A41E615916C89BAC5B3F1F0ADF60BA43C7C806E1015 1D68B92E8D822FE82DC7563EDD7B37F3418A02A89F1A9F0454CCA664C2FC E0D85540FF9BE0B20175BE3 F5B7B4EAE D5CCA13486AAB4C582C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\aws[1].png PNG image data, 590 x 308, 8-bit/color RGBA, non-interlaced Size (bytes): Entropy (8bit): DC4FDBEF A241CF1950CCBD F86475B7355D6653A787D0974F3F07C EF 97BB7C7949C B1232C E6E005AA907836E0EB FADC3A6910C4F35E3719F6A840AAB41466CC44972E22CBC9FB7BF62A4C5D15BCE E4FADAC5971D1D38 D6933EE67D6FB78AFEFBC A5BFA5F60BC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\cli[1].jpg JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1064x499, frames 3 Size (bytes): Entropy (8bit): DA2DDA1ED3856F7286CAAA3 15E2EE6466A1C4A3F B8F0F67C7FCA45B 128C2E0271CB8B8615D7C91E5DA179BA37F9BB62201BF6CA729CD01EF6FCDFE6 007D89D9E94581FC2DE54BBB2905F533620A0F8E5A3B1E A4E55FBAB6EE3B67D5C38F597F015F8DAC2C3 750E06FEC8B980607CA45F306FB9DDDAE931D3 Copyright Joe Security LLC 2018 Page 18 of 106

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\cli[1].jpg C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\copmare-module-bg[1].png Size (bytes): 3692 Entropy (8bit): PNG image data, 314 x 173, 8-bit/color RGBA, non-interlaced 878B6C4C53915E B219B0643A 999C6513CACFFC0B77ACD63FE87CB95BC1F1B063 5C815C4D16DC7FCF31DBC6761BBC02813B0E54FBE4CD772ABCF0848DB8028ECF EA3EAFB9D9A5F BF1508D371F221EDDA66F9CE5D5EE BDC785C71F D28C1A006070C12DC 60DB400801A9D3F F95EC8815D6EA93A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\debian[1].png Size (bytes): 1552 Entropy (8bit): PNG image data, 34 x 34, 8-bit/color RGBA, non-interlaced A5E346D B53A833E EB40A2AEFE15E6244AC6E0C02632AB186FB BF83688BF68D41A15D10366FEEA09D255EBDB35D16D47094AA0F520D394DD4 A5AB4B332DC27DAE61CF03CD4707E A7E7CC033159DA098C80D767524A9B4E BDD5CCDA7AEA D005B5B2DC DEB1354A91B10E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\install[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines E0E73BE07B D7B6 C61826FB2F57BA97FDFC39B0BBA247F1C23D0A9E D66CF5E712A2745AE9F17E101936C985B4C937FD481757F879AF15CFC7 3B2FD809C F843C37364FA12C986FB7F2B74965A06392E1019EB83DABAD1BC96E AB34CBB29 B27A94F34AD8F7A743A2E10DDED984E5BB650 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\jquery[1].js Size (bytes): ASCII text, with CRLF line terminators Entropy (8bit): CFCE66EBFCCA66785ED6FAD9FA5 49DDEAC2F7898EFFE25AF2FA7FF1FD0D7EE9B5E2 30FC40BAADCBCF1FF2E F6FC8479A96145B5D A123457E3C 1038EF024CB9DA54C2FE7C6E98A5F49036BB6F8C155E6C8D0AFCDF1436A244056AA3C7E6FB06DD435EF6BF93B 5F40B71B6250F5CAAE6DB63850CEC9CF03CE94A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\mail[1].png PNG image data, 1142 x 641, 8-bit/color RGBA, non-interlaced Size (bytes): Entropy (8bit): Copyright Joe Security LLC 2018 Page 19 of 106

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\mail[1].png D0A8D1700C34A71008D3A5132FCE6FBB C85A F8761E4C787CA19EC2E42C454A 2A35115F8C82F27C57A785EF8CFB33F7D20E7ED37473EB004A3BB0302CB8B7FE B7BA486CCE08F2CBC5475D B6D35AECE EC7CCA58E9DA62908D8D83C613F42CEBB913F6CC 1E18A68C B0136C07AA0A811620D7FAE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\monitoring-report[1].jpg [TIFF image data, little-endian, direntries=0], baseline, precision 8, 620x172, frames 3 Size (bytes): Entropy (8bit): C9756DAF3285ACF56A5C5A0D2595D AC27F807CAC920744C51414EB661D29AA5F AA12E96D0D97DFCCC0EE5FC77B02E0871B1D7B76D7DC83EAE7CBF4140FD 6E9529B11EB6707CEA70AC4F76BB0CEC944E97B6D98F7FBED681DA33E2AD35C8B2D8A264B67E4DD6B0A42594 F474AFABC4C95F F13FF586D2C97F59E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\orange-slash[1].png Size (bytes): 482 Entropy (8bit): PNG image data, 36 x 40, 8-bit/color RGBA, non-interlaced 9AA227670BC756F17B3E DAA9 86B AB24EAD866EEF57D63FC3AC 33861DF9F6F5E D90A549861A39883E1B596C6D750BD4B13165FA291C 85D F7E91C9B0400A B8FE08AD43A11D276C06A22E0C06E0BEB434F41219F701C6FDC889C2A9B C44AA6E08CAC028519FD A6F1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\quote-left-bg[1].png Size (bytes): 387 Entropy (8bit): PNG image data, 12 x 99, 8-bit/color RGBA, non-interlaced C09FBD94CEA40DCFADC FB89201D9B8BCCC2EFAD40AED1CFB0E EE280CDD01EF4185D329C1A52A5061E6A1B727C4D4103BCFF2372C95ADEF EE9912FBFACDCF10419B5C341968C62946FD82878A B46B434CDAD7A2B2D9F53AA CF6C7727 3B41EE2A6A6E4C F42F3B5C0C1C4F3 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\quote-right-bg[1].png Size (bytes): 383 Entropy (8bit): PNG image data, 12 x 99, 8-bit/color RGBA, non-interlaced C0694CB0C8DFAE52CC3252F566A A69812FF7DDEED446531D8BF177BB673189EDF6 B4FA61CD5660DE541C5E663212EA2B DC0A638430E1057D6302EDDC2C 5F9C3250B9BB552C868D51D291FCACFAB37E530ACE99C6624A8291C681C27D795E71862A5B2A5F10F13B26B6FB 671C399DBA6A26768BBC1D5614FA887FF8F115 Copyright Joe Security LLC 2018 Page 20 of 106

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\redhat_centos[1].png Size (bytes): 3825 Entropy (8bit): PNG image data, 72 x 34, 8-bit/color RGBA, non-interlaced 98C D412BFF97A6106C1E4 C7AB50823E7E41F0D00D41E3AC465A F E0F436336CEFC3E4B17E10D7A29E896E042A6928CB5ECE828EA35535E3 59CF60A459BB480B5D5B61AC9876C208BF98A9A77B063338C0A418CE95CE945F F3CFEA4761FDE1DE156 9DF4A94769C54CE2CAF6977B188A FA5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\state-08[1].png Size (bytes): 1102 Entropy (8bit): PNG image data, 19 x 11, 8-bit/color RGB, non-interlaced CE539D7A01192A607F18DF7E71C AC8E0F DF3D050C F5BD4308 3B64E9E54A3957BD0AF38F6DC58EE95EB3A94B C3AEEEDAAB2A5C799C6 F070A9EBDA4CE011EF1CD322A8A0862FFFE50A686784D912D8FDEE3FD5EE54663CCE3BAA3CC9D5223B624FE9 FED4AF2A6F2F44664B5B442768D1674ACDF66D2C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\support[1].jpg JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 640x452, frames 3 Size (bytes): Entropy (8bit): A07CCD4211D014F31D8254D836CCCA8 80F7ACD32EE9183A5A5936EF12D32C3B846225B0 7D20F4CEAE29B65AD1D47F390873B3B1E930D92C86C997C020DB1C4575B C0CB1B27340C48A542B3F6D4F316C22324ACFC5B3629F4A531E9D998F21C01B133C0077C351317DC E CB0BA3BA6A2DA BF97A0FE485BF8C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ubuntu[1].png Size (bytes): 2715 Entropy (8bit): PNG image data, 34 x 34, 8-bit/color RGBA, non-interlaced 3AB2ECDC1888FAC1005E95A29FF85A87 2EEB5BDD0E411EE1D24129D057B171B8A0835B97 DAF238DDA159E79E187E B5922FE890AEDBC033B CAADB115F0F 4174DECA AFA D1CCF86115CAD579E96F1DFFA4C688F9759C3701EF75A25C0A926795D23FA6 8AE D AC09C9158CC5292 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\user[1].png PNG image data, 1142 x 641, 8-bit/color RGBA, non-interlaced Size (bytes): Entropy (8bit): CF5BD0DD465300F268C471E2C0DC441A 1A17D5F8B0007B2C2A3FCC1FECF28F848BD55BBB 3E8304AD74CD86B64C48D01EA696CA1BF3E840200A795D92DB CE3E Copyright Joe Security LLC 2018 Page 21 of 106

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\user[1].png B31B5C0E C DA EA64CAE524F9A1ACAE8E4621EC CA0953E0B0C3BE8DF A6CF12F4792C2F26E2FE054237D8AE9BAD2B5D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\watch[1].js Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with very long lines 2F511FB48F7C2BE09A58AA3C5DE B06320D72071D44E8D6CBD3B930ADA5B2985EB 5E32C01871CD0E0DFE1A30E916715B305397C6D3A0FF0D7D7FA7CEC3618B812F C1903F4F F9BA C68AAD92AB5C978C0E7526C C96A085B42E947B06C02F069C F48BFFCBF EDCAFB42493DB2 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\web[1].png Size (bytes): Entropy (8bit): PNG image data, 1142 x 641, 8-bit/color RGBA, non-interlaced 3D18FF43BF3CD7695E1AE53FD453C595 0ED8417DD4875CC3D28E0BF9C5B297B97768F894 7CF567557F1F6AB4F710D4A85286EDC5E70DAFB936D8C9C2C44E986A9F AB18D1585AA D1FECA434494E A4CACB1EE8CA32FF11D8F06C D152F06AA54B34A8F1 D30EE3D71437C39803AF E43FC1E36C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\what-input[1].js Size (bytes): 8997 ASCII text, with CRLF line terminators Entropy (8bit): D08A B1B F581E819A7 CDA497563E7B89B76FC45AAED54FDFF49F4B85AE C10C0AB3FE0D7DDF0BEF4DA1EA4272F06B2E5727B597C2FA8FAF7080C999E020 5D36239AD2AB3E4EBFCE96A1A A7D22C A20CC18D38502A641BCCF5DEAA42C5B2C207 40D96E926C91FC96EF29A27134D1278E28EE69 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\LHC5LBFF.htm Size (bytes): 1063 HTML document, ASCII text Entropy (8bit): FFBEB33D7389CFFE826B EA 63809CAD0F0E57A1FF4232C29C16EB139C254BE2 2DD823D398B3D61E5158ABA B86FC4A6DB35824AE83B35ABCEDE66F3AC D6E DFE A14B8136EC3E5857A62A65667C7C829E08B05D67B6903FED9CD3F50F69F3F339BC9 BD473078D1CC3591DA0B62ED3B3B F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\advert[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): Copyright Joe Security LLC 2018 Page 22 of 106

23 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\advert[1].gif DF3E567D6F16D040326C7A0EA29A4F41 EA7DF B62712B5E73BFFBCD45CC F2D6F4D0D820C6C5FFBEFFCBD7F0E73193E2932EEFE542ACCC84762DEEC87 B2CA25A3311DC42942E046EB1A27038B71D689925B7D6B3EBB4D7CD2C7B9A0C7DE3D AC060DC3F8ACF 3C1708C336626BE F4D0ECAA7F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\app[1].js Size (bytes): 25 ASCII text, with no line terminators Entropy (8bit): F9F899F3D6E0CAB77FFC90646E572FAC 6B82AA76F28E1AA39CD5F5FA325CE604B7B70A7D E22883A BB35FEB658DA4974C D7DF30235CC21E4F3 62D40DA07CCCD9EDC5A20A7E44260E62804ECC42061E0BDA4C6343AC19EFC25E3B975F79C6F0B587861B1BDA0 06D110732AF847772B1E8D613DB17BA28D3C6BE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\cron[1].png Size (bytes): Entropy (8bit): PNG image data, 1142 x 641, 8-bit/color RGBA, non-interlaced B79B07DAE41A5FCFCC9 9F7A31D1AB2DBDD5B7F0F10505D002E09FE65AD1 2A BE0CCF747C26E530DB18121E43845EC9662B2A73FF50E5CD3CFC384 F2A7B398CE0CF4C0CAC633FD1C575BAD0CED1D57D1F0716D70D9458E B1462C2E91C9D0615C49FB6A D0D80C0E4D4AD5F68218FA96A8F3EB63 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\db[1].png Size (bytes): Entropy (8bit): PNG image data, 1142 x 641, 8-bit/color RGBA, non-interlaced B791E12E97E3CF9F80213B131AE30A1E 0B2909D5D C81B12F35BB798518AD9D7 3F2CA8CD0F36C92A5D6457F58C91E3AB432D1B7439A51DCEF6C6430F4546CA80 C784F40AD5731E0E009FAB18BD A2A626056FA9E40FE440698FEF04B F55A38BC6E994DDB250E7F 41F7BBEE1DD64EC2A82EDB18AEB5C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\debian[1].png Size (bytes): 2193 Entropy (8bit): PNG image data, 34 x 34, 8-bit/color RGB, non-interlaced 80A2C03D8A183619E5C2CC45E61DFE25 A9735E845C03C2DE4BA05874F78470C56B30FB08 3D9CFCE5A84738B338BB6912FF2039BDBF4BA3F88A3EB2ADF5F47A559D82ADBB 32D038139C2C5F50A76FC9AFC66EE4E6C03534F6AE40646B CCBF009D A9C8FB93DA6B0CB64 D08F781719E DBA88EA819D0D879CAB2 Copyright Joe Security LLC 2018 Page 23 of 106

24 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ext-ftp-bg[1].png Size (bytes): 1306 Entropy (8bit): PNG image data, 262 x 66, 8-bit/color RGB, non-interlaced C7BA2D8C7F98C94467FA39F15CEEC3EC 6DF69BF8964ED7ECFB208B158F5B4996E58C41CC 76F1EAA1F21B6D74593DCE75A56D6E92C5E86A63FA757FA8DFA311BB681D558E E6397EB D BA8B47DE6D A92BA E95D22613D BBA6F9 65F1878BB51DDC32A5E911BE5E3DBA7A853 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\foundation-icons[1].eot Size (bytes): Entropy (8bit): Embedded OpenType (EOT), fontcustom family 92827F088B9EDA87169BDC2B9888CE52 D FD510D8F04CF21E6E77FCE CD8788A2D42F89ECB72F08D55CC366A3ABC441C3413D9CECA66EC3144E46 A69AC55DB5D2CB6AF8C113EA79A8D5C411D89599A682F628A8899C10411D698D5085E2E17ECF4F8440C3E931E5 C0DE66ED71EF21833AA572DCA0F43A63B085CF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\foundation[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with CRLF line terminators 24E3C6144A9D4FF6E60FAE02D7E01EA A1EFA3160F3883D78ECA20C40BF7BAC16 D60D31DCCDF14AFB176A1D C2EB5F91448CDC5FC2EAFC2ABD99C9F 4F9EEB862312F2F3693ECBA2809EEC9316D946E36E7FA311D2B1B765A7AEB5B EC05DFF3AD29B0758C FFACB2A2A2DD5BC56BB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\incut-bg[1].png Size (bytes): 927 Entropy (8bit): PNG image data, 5 x 1, 8-bit/color RGB, non-interlaced BD36C2866D19AD72037E9DC9D8B6550E 7A E6F90E1FC37E46F8ACC3B88A45E 6FC52AFA907F1C025EE7B987A75AD821194D60AC7DC6C7B9C0E7453FC7EAE52A 578DDC24E4ABCB596F8C A5B FEDFFEA1E4B441270B9976B4DA8A45D6BE95ECEEEB664D461 C547E5F0C6B149EA897E0E83B750AFBB3C919F0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\manage-icon[1].png Size (bytes): 1172 Entropy (8bit): PNG image data, 27 x 29, 8-bit/color RGB, non-interlaced 5F33D75403C931E70D9707EE2FAA163A D0D9AC3CAC F297EC35FF78EEF04 79C65442D3EBC24AC2AF9D8400BDB4E01E4F961DFC49AC9FA7089C211ADB33E0 A09A6D3933B04387A9919E918D12E9143D90E325A38F4B0BE98607BA5608CCACBE4F38BAB3B F3686D5B CC5CE0C93A E8BF277D7798E5FA1 Copyright Joe Security LLC 2018 Page 24 of 106

25 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\manage-icon[1].png C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\orange-stripe-pattern[1].png Size (bytes): 380 Entropy (8bit): PNG image data, 23 x 19, 8-bit/color RGBA, non-interlaced 3B2BD33C3A1D975D2C8108FB6781CD78 D4C485A4EC187EBFCB22423D9D EE68B 62E44DE506DD5551D31C41ABA92CA03ECFADBAA33B337A063C9EE78CA4C0D917 31A06491EF1C5C FCB629C5C7C3511F1A46C34534FA7A1D9F31AA4DF1691CEB4987ED241EA16F096E2AC 4D836F5616C222F88DCA12F444C6186DD2D4FD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\redhat_centos[1].png Size (bytes): 3751 Entropy (8bit): PNG image data, 72 x 34, 8-bit/color RGBA, non-interlaced CA3F3EB4E4AF773D CD513804AD6AE9D3FD9AE6CB04B0D58D8BF881E5 06EF54C B53E97650A F5D6B9F4AB65E67B088CB023AE386DFFC 889CF0FACE0F9B6B4F62FA7F137C0482B02D49D1FB D8AC538912DAD2E58C CC3 3754AC506A2BEA6E2AFD1BFA8480E8B3E234 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\slash[1].png Size (bytes): 375 Entropy (8bit): PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced 69B35E996AC691BC822C1C237D2CB1F7 9D51D80A D BE5C 962DEEEB82E804050CFC22087C150719DFC205D0AFE786091F5F0D3A94A8DC6F 146FE92F448AA3B9B B0408E8F722E52FAEC75C5B01D08E648E5FDBCEC991E8DDF59B4A293E4671AD161 8F9D62033CDCE379F48D159D888D33C9A11E75 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\state-02[1].png Size (bytes): 1094 Entropy (8bit): PNG image data, 19 x 11, 8-bit/color RGB, non-interlaced 7D870E8983A594A005657AD5221D635D 210FC3B4DC7A1C27BBB04A3457BAE EC5 FFD24401CEDB5A391DFAE25F9D41D72A416D0CC1F7DB29A E6C8A0FD AD1D8E EA125D3BF22EF50A067F7CC4A400134CC1A364EEE4469E D63A240F16576D49ABB DCA25CAA595B885B5B23DFDB3D9D3A1E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\state-03[1].png PNG image data, 19 x 11, 8-bit/color RGB, non-interlaced Size (bytes): 1076 Entropy (8bit): BC53A1985E541B394EE1EA284D8FC3 Copyright Joe Security LLC 2018 Page 25 of 106

26 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\state-03[1].png 8045E1EEC1FEF4C0C6CC884A0E2C493FCB5210FE 82F87E633BD329A9A224E57AF973BA47D327DB54BB58D067897A6D74631A610D C2E545158F0A994D6EDCCEEB8A935C9D8F4653C29DB33E5DF6105AC4BFE4018AE32E2BFB914039DD0B2 F EC8F47D54AE81C1E99A289A77F50D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\state-04[1].png Size (bytes): 1103 Entropy (8bit): PNG image data, 19 x 11, 8-bit/color RGB, non-interlaced 8550B15C8E62E56BBAB71E73D507B0B9 F6284C3EDD5207A A8E6A48030B3A8E11 8CDF BE41FF8836D6998DFF582F8C5C49A3A8B5FC26226EA6F7 29D6A6609B07F0F8499C60E6DC8530AEF824052BE27EAC3156E5063B87C743D04AFE D00D863C17D016C7 A83EC1A8411ED26F320B0175A91CD B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\state-05[1].png Size (bytes): 1100 Entropy (8bit): PNG image data, 19 x 11, 8-bit/color RGB, non-interlaced 8EAE998ECC790A6CBC2A24B80FCCE E07198AD BCF7ACB47F84 F C8839B81CB0836D2D98D CDC8F18A0A3C2D7B7C B 8EE8A851E18D988C0EF17B195E6D4F8315B180F8112DAEA3B035C613DF2343BBDB1F36CB4D E0A0F1DD 15D904799CDFCD CF128 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\state-06[1].png Size (bytes): 1083 Entropy (8bit): PNG image data, 19 x 11, 8-bit/color RGB, non-interlaced B69C69F30B76A9CC F337D66C7 3CFA123DD ACCB95739FCB111424C7 7EEFFA2C596EE4B677889BDC4CE97B496E2197A2198ED1666F561BF7577EF7A E1F D9C0AF2C84CABAD384F3BB1A331A0D0CCFD89A13A1C798F EA59D5CE1093AC B64EEFAAA6F7FFC23F9681BDCC4DC11E1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\state-07[1].png Size (bytes): 1082 Entropy (8bit): PNG image data, 19 x 11, 8-bit/color RGB, non-interlaced 7B9BBCAAA15FB68AD55C BC0 C34D47ED583BB1D06FA890C9FFB1E848ECB3FED1 51C365D3298D3349C99F0FAAF6215FE2343B670E50B350A534528BE48CD00D8D E4BDB5D110417F1BE97BCE4AB40AA5AAF6D902EC92E950F6A926960AB0C521FFAD94849F5ACC5F688A83F48AB F127F6A279785F8FB6C04C D51FE27 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ubuntu[1].png PNG image data, 34 x 34, 8-bit/color RGB, non-interlaced Copyright Joe Security LLC 2018 Page 26 of 106

27 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ubuntu[1].png Size (bytes): 3159 Entropy (8bit): FC70F7D0FC1B3EBF232071E9C231502E 1190C311AAC447851DE371F7A593121C BF057CCB00A7B0695E7DC649DE EF5320AB6C8B9FCB7070CB5C0D2E5 CE1B01473E85C863FD6B1E191547BC8DB3204B49E9F54C770E0D23F72DE62B3BBD0E95DF860C45CB40FC F5DA EC6E64B54CA19F D70BC5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\webalizer-icon[1].png Size (bytes): 1056 Entropy (8bit): PNG image data, 14 x 16, 8-bit/color RGB, non-interlaced A7E6B2FD A8D42BCA C678317F1059EB35DDFC4092BA1DEFE6640D AB531C8D7C1EEF1CD F3C3FA975F91F24D88D35DEA47BDA4387F08676 BA28CB3404AF178A6B5A624B6A66F7DE74A186CD5B270DF8ECEF3B54E3D164171B545D924EAC D32AA 7DBF485D9121D379529D5EBD0DA93DDCBB6B0EA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\app[1].css Size (bytes): UTF-8 Unicode text, with very long lines Entropy (8bit): B73ECC895DAFC6FE5028C1D561BFEB A7A867530FB6D87C A8AED308BDB7E 65E47697B9E2722C8F8B991BF6A46FE3B57A42D842EDCF4EB05AE74B22C4B167 25C7AE4175A59587E45C40FE5C2F7720E85CA35BC62A49D01FC84F860CAE9BFF2CDED256B67092A E4D 2D40C7FB7673A5418F56F1AC2CF2D67C33BEAD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\backup-arrow[1].png Size (bytes): 1075 Entropy (8bit): PNG image data, 59 x 13, 8-bit/color RGB, non-interlaced 20F8DB3B399493B5E25E9C0C4B9E A94F20BA4E193B08D652B787D6B643A2BB0B1A A711AB3632B CE434354BC82B11B85DE44DA467B5B62A6C2546AB 8AB EFC28A8F3800DC4B84670A1DD44AD4DC5C4D B163CFB8D F05D E792FEB5EC30DCDFBDEE1F90D359377FD45E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\backup-stack-icon[1].png Size (bytes): 1606 Entropy (8bit): PNG image data, 31 x 49, 8-bit/color RGB, non-interlaced DF59E1117F88B0AAAA AECB8C E4F5672DE309CD0192 AB310A79175C E9E49519F6C5DE7C2DE37C9E61EB601E95AC75E025D 74515BF3C39AAA8B55BD34A8EA4F6FF873F89A32F0269B7C535820B61F83DD0BDE31C875B9031A0C603E5D94A3 094AFC731A768FC855DD4FB3C30E13BBF52202 Copyright Joe Security LLC 2018 Page 27 of 106

28 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\css[1].css Size (bytes): 504 ASCII text Entropy (8bit): FA8A899CAAADB18BD642B591A502F0B 4D8A988FF0EEF0C854B5170C76D8B77ADF361CFF B712595F1852D011E16FC252E0DB059ACEAF8BCD64FA4C17AA07EDDE B B4B8D36107EF FEBEA17E60CD63C6AAEA43BCD98BB1C92892EFA5A2DE17AF504FCCD6CD473455F57A7 E9FE DDEC4EB7E2D3F18C7DFCB203 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\fast-module-icon[1].png Size (bytes): 2379 Entropy (8bit): PNG image data, 38 x 38, 8-bit/color RGBA, non-interlaced 2C191DE0AF9EE26EB07B0C32D7C6DB1A 1E9368A6F7679B4C386EC691A52FC365DCD2DCD4 AAD1A4D6B8A596BA4EB15A1240AE61060F89A9BAE4B3CB0C36B4585CD485178D D3B08F28C369BE3AB85D20C119B6CB5AC1DC7D3565C1B4DD8759A08675D2A5F8AB92219F440A1902E6C3C99C1 BC7AB6B341A2AEDC1F0832B8B6C284D C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\ga[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): E9372F0EBBCF71F851E3D321EF2A8E5A 2C7D19D1AF7D97085C977D1B69DCB8B84483D87C 1259EA99BD BFD3102C679EB0A DC526B0452F4D42F8BCDD45F C3A1C74AC968FC2FA366D9C DB9AF1289ADFB165FC71E7750A7E62BD22F424F241730F3C2427AFFF8 A540C214B3B97219A360A231D4875E6DDEE6F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\graphic-05[1].png Size (bytes): 1264 Entropy (8bit): PNG image data, 106 x 17, 8-bit/color RGB, non-interlaced F4406A04DC7473C5712EABBB22364B3D C853BAD6D5BDB789A10EFF7E52E33C1427AA1DD3 8CE9F7BCA69AE931DDEF134B33B3CF8E3E3DC8A2E35395DF1479D43FD2F6553D E618243C72F F61EC F2FD92F3D35B19C0FFB FE67E6B7DF0DD25150A49687F7B65FCB C0A9CD35BBF21B8F2E1C000C6FD7EAB032AE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\graphic-06[1].png Size (bytes): 1311 Entropy (8bit): PNG image data, 106 x 17, 8-bit/color RGB, non-interlaced 77170B6C6A284A698545C E216FBE04EAD7AF5DA893FC9CB013AC12E2 ECD793EF91437FB A483DB93CB3931BC70048BAD7F C8 D7D97240EBF58571D0B29A5181CE1FB68EE37CCBC46DEAD D5487B106EACAB6ED0C53C7708D2DB8DDB F5D4F5BF865586B2AC9D42FA2C F98CF Copyright Joe Security LLC 2018 Page 28 of 106