ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

Transcription

1 ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview AV Detection: Phishing: Networking: System Summary: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted URLs Contacted IPs Public Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph Copyright Joe Security LLC 2018 Page 2 of 493

3 HTTP Packets HTTPS Packets Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3296 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3388 Parent PID: 3296 General File Activities Registry Activities Analysis ssvagent.exe PID: 3456 Parent PID: 3388 General Registry Activities Disassembly Copyright Joe Security LLC 2018 Page 3 of 493

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 00:46:14 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 4m 2s light browseurl.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Timeout MAL EGA enabled mal48.win@5/394@48/30 Adjust boot time Correcting counters for adjusted boot time Browsing link: 100/temporada-2.html Browsing link: s.com/manga/gintama/683 Browsing link: rpoissy78300.fr/2018/06/wotaku-ni-koi-wamuzukashii-episode-11-subtitle-indonesia.html Browsing link: Browsing link: Browsing link: etrustinsider.com/genre/action/ Browsing link: etrustinsider.com/genre/action-adventure/ Browsing link: etrustinsider.com/genre/animation/ Browsing link: etrustinsider.com/genre/aventure/ Browsing link: etrustinsider.com/genre/comedie/ Browsing link: etrustinsider.com/genre/crime/ Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Detection Copyright Joe Security LLC 2018 Page 4 of 493

5 Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Classification Copyright Joe Security LLC 2018 Page 5 of 493

6 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample HTTP request are all non existing, likely the sample is no longer working Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Signature Overview Detection AV Phishing Networking Copyright Joe Security LLC 2018 Page 6 of 493

7 System Summary Hooking and other Techniques for Hiding and Protection Click to jump to signature section AV Detection: Multi AV Scanner detection for domain / URL Phishing: HTML title does not match URL None HTTPS page querying sensitive user data (password, username or ) META author tag missing META copyright tag missing Networking: Connects to many different domains Downloads compressed data via HTTP Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Posts data to webserver Tries to download non-existing http data (HTTP/ Not Found) Urls found in memory or binary data Uses HTTPS System Summary: Searches the installation path of Mozilla Firefox Classification label Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Found graphical window changes (likely an installer) Uses new MSVCR Dlls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Copyright Joe Security LLC 2018 Page 7 of 493

8 Behavior Graph Behavior Graph ID: URL: Startdate: 03/07/2018 Architecture: WINDOWS Score: 48 Legend: Process Signature Created File DNS/IP Info Is Dropped Hide Legend Multi AV Scanner detection for domain / URL iexplore.exe started Is Windows Process Number of created Registry Values Number of created Files Visual Basic Delphi Java.Net C# or VB.NET cs9.wpc.v0cdn.net , 443, 49245, ANSBB-ASNNET-1-AdvancedNetworksServicesIncUS United States started C, C++ or other language Is malicious iexplore.exe , 49207, 49208, UNITEDNETRU Russian Federation a875.dscb.akamai.net , 49200, 80 TELIANETTeliaCarrierSE European Union 51 other IPs or domains started ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 00:46:45 API Interceptor 7046x Sleep call for process: iexplore.exe modified 00:46:46 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample Source Detection Scanner Label Link 0% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Copyright Joe Security LLC 2018 Page 8 of 493

9 Domains Source Detection Scanner Label Link crl.rootca1.amazontrust.com 0% virustotal Browse o.ss2.us 0% virustotal Browse corporatetrustinsider.com 0% virustotal Browse 0% virustotal Browse googleapis.l.google.com 0% virustotal Browse crl.rootg2.amazontrust.com 0% virustotal Browse cdnjs.cloudflare.com 0% virustotal Browse pagead46.l.doubleclick.net 0% virustotal Browse cs9.wac.phicdn.net 0% virustotal Browse 1% virustotal Browse cs9.wpc.v0cdn.net 1% virustotal Browse sedoparking.com 0% virustotal Browse ocsp.rootca1.amazontrust.com 0% virustotal Browse st.chatango.com 0% virustotal Browse gstaticadssl.l.google.com 0% virustotal Browse a767.dspw65.akamai.net 0% virustotal Browse a875.dscb.akamai.net 0% virustotal Browse a1001.g.akamai.net 0% virustotal Browse www3.l.google.com 0% virustotal Browse a1363.dscg.akamai.net 0% virustotal Browse x.ss2.us 0% virustotal Browse 0% virustotal Browse s.ss2.us 0% virustotal Browse ocsp.rootg2.amazontrust.com 0% virustotal Browse a1621.g.akamai.net 0% virustotal Browse www-google-analytics.l.google.com 0% virustotal Browse iwallarts.com 0% virustotal Browse googleadapis.l.google.com 0% virustotal Browse image.tmdb.org 0% virustotal Browse 1q2w3.website 7% virustotal Browse d1mr3ahx6fetbf.cloudfront.net 0% virustotal Browse fugitif.fr 0% virustotal Browse crl.comodoca.com.cdn.cloudflare.net 0% virustotal Browse cds.j3z9t3p6.hwcdn.net 0% virustotal Browse serie-streaming.cc 3% virustotal Browse ia.media-imdb.com 0% virustotal Browse maxcdn.bootstrapcdn.com 1% virustotal Browse crl.pki.goog 0% virustotal Browse ocsp.comodoca4.com 0% virustotal Browse pagead2.googlesyndication.com 0% virustotal Browse fonts.googleapis.com 0% virustotal Browse ocsp.pki.goog 0% virustotal Browse serrurierpoissy78300.fr 0% virustotal Browse counter.yadro.ru 1% virustotal Browse URLs No Antivirus matches Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Copyright Joe Security LLC 2018 Page 9 of 493

10 Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 2018 Page 10 of 493

11 Startup System is w7 cleanup iexplore.exe (PID: 3296 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3388 cmdline: '' SCODEF:3296 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3456 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log File Type: Size (bytes): 89 ASCII text, with CRLF line terminators Entropy (8bit): A706AFAE7C1A1AE2506E14FF15C4340 F3F13821A42AFEFC3AB4FBE2AD1ACFEE21081C06 8AA253D9B9895D78EBC6018DD5CB84D55AADD99B54B740ECD6203CF320849CFE DFA6D088519F BC59A3838CD329EDE0E8CDF5E79509CA0EF590D0F9348C42A541CA D695F4F1B E3EF273828D359E4BE9504EC333A564DCA523 Copyright Joe Security LLC 2018 Page 11 of 493

12 C:\Users\HERBBL~1\AppData\Local\Temp\~DF BC15CAA8.TMP File Type: FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): EFE2AB0A0EC0B30DD55644EE0A3489DD D5A673B39573D8566ED2160CF9E2263EF8B3321F EE508CDB1D889471D0D692B5EAFF0F9B27A0B3D74BE9E08BCF4D3D36BF3A80CF 987B D1DE88EF83E8EA A0FC1AE257FA35C93D3B1CBECDF1B757967EDB90BC332FC7F6549EE FC713E80D6BCCF1459FDB52BE38A20B4969EAAE C:\Users\HERBBL~1\AppData\Local\Temp\~DF57CE561CFC4C8E94.TMP File Type: FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): D9ED D4CFECD18CD6EF BEFF691055AADBEBD091E043EB F 5304ACAC5DCEB7AED88B53D2F40B769A04038D1EA3136DD44CE4BD63DA1990AC D3EC0AA829EFFE6DF59BFDDB922C07D44C6A94BB4DA385623DC0319C AB4BFEF045F C061BCE0A455E330E1D895A96FE59288 C:\Users\HERBBL~1\AppData\Local\Temp\~DF9504EBDEACB73F47.TMP File Type: data Size (bytes): Entropy (8bit): A9C7F9A6DEC358E6148AFE6BF6 1334ECA02491B3ECB18A6EBBAE0A00FDFDE0B23A 9D76A3CA30C788281B87BD5FB9C95ACE72A605BB6EBC F F816 A4E7D778C62C9223D97F0BDD02C42A76694CABD145BC56141C7C59E42C3A B6AFCD31A3BDB3A9CB A072E1C4BD567A10FE6659AEE518E865819EDE2 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\01B16CDBADE7DB774141D7E30D50EC69 File Type: data Size (bytes): 635 Entropy (8bit): C53111C081F65AFF009EDA13482E3AA 8DB0F61229CE4E31FECD76A9C729E74AD85DED0E 26D022DEB73948A F12F1B73D223C912D6C50AF459A99D E4D198B543E2F1ACEC C63CDD460B0E215AF396DD42A043F3B800D CBC2FEE2D2A5C5346 8D103FC20CBBC9AEE8EB7D710A0122D6264F24 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E D9D67350CD2613E78E416 File Type: data Size (bytes): 1302 Entropy (8bit): A230BDAB55187A841CFE1AA E4734F757BDEB89868EFE A327695E D73494E3446B B3CDE3AE1C8584AC26E15E45AC3EC D90FB C899CB1D31D3214FD9DC8626A55E40580D3B2224BF34310C2ABD85D0F63E2DEDAEAE57832F048C2F500CB2CBF 83683FCB14139AF3F0B CDB4689C54 Copyright Joe Security LLC 2018 Page 12 of 493

13 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E D9D67350CD2613E78E416 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 File Type: Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, 6509 bytes, 1 file CE371CD7EF9CC216BB EBD518D1A89C6F0079BE759A38869DE9ECC399A D858B12945B35906DD709A2FA9EAFEDA3CDE7E342041AEE65BBD43CDF783C C5FB7B6ED27E52F6EF48754DE5D1B9A756961A EB086135BD5C5420D CC8C1D82D845E8AEBD 50ACABDE23EE17A DB0A13C30E2CC1 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\620BEF1064BD8E252C599957B3C91896 File Type: data Size (bytes): 439 Entropy (8bit): A76B87E3E2A9F0C864610B7CCBC3C AA0762C939E3155CCC4E051F9B2EF5B1D060299D 2176AE7D47513B54DADD14FF28C141A7BDC92EF6F84D211C B60D8644D D4D41551C97E8E422A9D7D9CEA3953B3A486E83B711DCB11E04CA9613A179272B3A685268F95BF78DB0EFB6B51 2C373A1F B4D2DBA6BC7ABA5DEADA106 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A FD38A8C0F9F File Type: data Size (bytes): 314 Entropy (8bit): DFA0E23F7E78177B8FDB5302C8C CBA7AD3D6945FDBF2C749F BE9F4E9051 4BAE1D5F7AAFBCF365A45B6D A87AA155854FA260811D10653D5E5C9CB 9EC710C92E0AE611C7090AC32C31366A57720E6BD36C641C340FA9E B682E9EECA788E1AE625B7AF8F01 406F4D0CAC72EB6F3C83BD764C8728F C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6A2279C2CA42EBEE26F14589F0736E50 File Type: data Size (bytes): 434 Entropy (8bit): CA B3A8B8E912E7D2138B DEEC92073BEA F ECF6F2750B1B4 A7692AA2B5B2664DE344B922A091B7BA6F4FA01A4FFC80F279BAC31D4A3E468B F8DC07C60ABEAB1B60DED14C3D51C25A41F28FA7EC657A06038ECB2AFEF D FAFBD A 8ED5A2039A20B37F3A341518BACDD319C7B6D02 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 File Type: data Size (bytes): 471 Entropy (8bit): Copyright Joe Security LLC 2018 Page 13 of 493

14 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 F0210FCA CC216A E2 D10B86C6F353C30D98B55BFCAADD40E7D493397C 397AD878DB2D20AFD65BA634252E B089E1C9526BD D1221F9 C5CA0CE0D36CB0716ECC6E37F96C261EF4E992C6C6B03D7EF703252D5494DE7AAFB222089C8BEC0A52ECD39D CF B994898E994C7D29C8C513BB690DA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC _93E4B2BA79A897B3100CCB27F2D3BF4 F File Type: data Size (bytes): 1426 Entropy (8bit): CBB6C15B9218FBC0F51B89156FD11 54ADBB0F9398F A8C5826C5D DAACD40160EEC73F603D0A556E5DDB1CDA DFFA16EAA23AB564991E098 1ADE832C3AC8494B60B289BDE522F72AD89DCA0379A32D051FF5E77C1E05425F158E9269DE871CDB14FE2A60D6 D11ADB0651B09D072E122B3CCE3C7CA03350F1 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F File Type: Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true D64F44B1778CCF604D760FF9D641C0E2 D1EDDF3AB1383A5ED63DA3A E2C51B76 CBB3F9CB6D7D8B8E5128BEFECC2A91CE80A1CC3BBB0E64C7C6628F71C8B86EA0 A6C5951C24D5AD469B0FE07BD530955F9F97B22FE48DD93E68348D27385F9D619E361F33145CB07F1DEB0C51598 A F416AF713D8A898B4085E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F File Type: data Size (bytes): 4497 Entropy (8bit): B9AB2AEA3E1C155FD0DA5CE57082BD2 C2413FBF D40ECA4D548EAED4D3EB644A F88F05DBA035B61A74B7A96B557B8F5FB7A6368A9C8166A3F10FAC1C56E5B265 BF133FBFE010FA77F8BFD5545C6696BF CF23F11C16229EB0DB0394CCA448991B3A9F54D66131D65800C0 DF E0C DEEEE9B C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\85B3F147E3624A14E6A20DB4F6C2C5D9 File Type: data Size (bytes): 815 Entropy (8bit): BC66A157E3E9EE64D62B3D2597B8278A 82C3F11D62F2E3C5FA23E093C7ABEA7C84CFEDEE E70E62368F94E96BC2DB007C7F09233A2AD20C4B9D7C006550D060483D7913E4 272CF63EEDBAC3ACA64B2A7F41DD4CCB81EE6F096D35819E0B5B4DCA07D6CB33BD799F8DCEF29AFA6734D67 C1AB9B56D12609B4B441AD1F41B283836C Copyright Joe Security LLC 2018 Page 14 of 493

15 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A6E643304C5FBB7CBF4025F1978D6EED File Type: data Size (bytes): 357 Entropy (8bit): E9B69B1C27BBEC14011D085042CEDB 8D98E325E8208DD84F189937DE727A5B7EE0EA5B 3B5625CC7C9B42AF19A3193B770E74803D177E8D37EF9A1F390D86BF4D19CB24 A9C7CB20E5E4E6EB029B5E9708D9816D7D1A8AD60DFA8C7C0B08E9EF6D0CE4DA C1E3CFA5EF2B3EB35 A89A531BEAADEFF241ABB1FA B99A76D48 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A6 2 File Type: data Size (bytes): 1744 Entropy (8bit): A29B70B6DCB9EA0926D12DA57E6A1F1F F4B1B0036CE700A3C85AB666B8DE47334FD26F25 1BBA1A4678C0B9D89DC DE9DDD96DE0E E91C4F49CAD68FB E71662A811C2CC1ADCE4C9D1666F017ED9F2E9F0FDD28E2396FDE4E2E31AA5FDF1583C268B3A88B198FF6463E 2B2B7519B1A9F ED34A0129A6 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD File Type: data Size (bytes): 1548 Entropy (8bit): B0E7FC2C5CAC536E5E0F5B0DC2957 6EEEBFCFC2DE86E76C528BF52D2EAC524E46D1EB 78E1226AA AEEE5A9B5FE97434CD58BD AE7273A28FD127FD7 DE63E08827F41273FD F41C74EA9473C775AA2655D5E3CFE90B6F651B92ED887B2A99330F1DFA495BE CFA872A46CB6716E28EC324ECC43BC C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BCB67D7ECB470284AF35679F339E879F File Type: data Size (bytes): 608 Entropy (8bit): BA4BAFED05B83120D4319B565AA08 14A D60E10A0B834EE6C9B9F762F83D FCE2ED7B48D566A1BCD6EFBA6A4AC8C1BA9892B7CFC95AE4BDEA7534A323C6A6 3D9C347BC2687A66F004D4F87773A5F0B3CBBE6505E015AB253B D0CD92E5FE8F37DD735A761203DF3A CACC8C326C57E43FCC7E768AAD3BAFFEEE11A C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB E72EDD3FB3D65568F82 1 File Type: data Size (bytes): 468 Entropy (8bit): D9D754520AE3340AA37CCA6115EEE05B A D99C762CB2EB4B37F776625EF1B33 Copyright Joe Security LLC 2018 Page 15 of 493

16 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB E72EDD3FB3D65568F82 1 7DC8284C51C9A38DC1BF03BD28857EA5336E8F5C564EDDBB1C9082EE43C F6A9EA2CE5ECD1FD7CB3D122A6F5F108550D71A9FF5F88F235BE F95C75F66CCF716AC2A EDBDBAFBD114EFF0AD3D98E3DA6A30C94 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_FF9D3097DE59BF460E903E2D8C6AB17 E File Type: data Size (bytes): 463 Entropy (8bit): ACE1A21E860BD536FD525EF5A63C3AFF 974B40BC1165D DA02E8E33498F946D91 1F18A0C0C6A4F8E4BDAB2E3CAD1A96B1B8B256E15A499DAB87EA6D31F433A5DB 2974CDDB96C819EC15E FE720C7EA7F1554DA B462725F65FA1AC6DE F9ADD84E14825 E1F46C2B52C30D384938FBDE1A5CECED45BA8 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\01B16CDBADE7DB774141D7E30D50EC69 File Type: data Size (bytes): 364 Entropy (8bit): A8E306C2AB0A034CA00FD69C7800C197 8F5D107208A6594D4052D3D3990BBF059D93D0D6 C5AA E92C84619C2A3FEC4682F339AC92F D0C556ACF824E8E1 1E144F184AD7F7B0922BA20D413FFB12AEFBD3DDFF2A425EBC1E2D0DB796710D12B15CD1F2C965B496C6754DF F BF7F D6F07DCE9C1E04352 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E D9D67350CD2613E78E416 File Type: data Size (bytes): 230 Entropy (8bit): AEEBD84541C C0F1D41E 2BC0C0EF1C0125DBC343279B11EEE7C0258C822A 4FC16A3B9E680A7AE7736E4920DBF0424A98FE B CDA82299D0 7DC45AB8E6BAA30F60CDA39B2CF6DAB11D42EFE0A996B88E653A3FFC321F35055B2642D4B9A8CCF820A0D317A BD463D08130F6D4AAEBF9A663B4113BB1CE844D C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 File Type: data Size (bytes): 1368 Entropy (8bit): D86B3480CE0DDB82EDA57D1934C10 029B512909E23AA D2CE6DE01308FE592E B4682E276000EB58BBCAD016D659EAA AAF F4CE96A929 4D3D15C D10FF260F586183FA938D27F2534ABF5722C2C6A13182E4FAFA6FEDA4FC8F119ECD3ED 10CFACA672F0C EEA34C031C1442 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\620BEF1064BD8E252C599957B3C91896 File Type: data Copyright Joe Security LLC 2018 Page 16 of 493

17 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\620BEF1064BD8E252C599957B3C91896 Size (bytes): 280 Entropy (8bit): B9F955F D2B77AE251D09AB D84BEDBC67EB04C743DC61AE34CD7BEF6FAB 8667FCAEF583F87832CDE A748F3E2642FB24134BF9B0CF14C6CDDE10 806C2E61BEE85E AC51C3E1D5ACE12F473E17F01C46C52A44659BC7A26388A817B150386F0B700530A45 D522D92FAE079E66D73D79A61FB8048BBD345 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A FD38A8C0F9F File Type: data Size (bytes): 406 Entropy (8bit): A612DC643D856EBDAF8F216D2F23BE9D 5081D49C92F2DE1B448C0F41876C6FD2CB30B200 BB D421570F03EB091DD5E7EEC1831C6D502BB141CFD1ECA15F482A9D7 0DDA5FC20A3045D6C3DA315798E5C99DE1A0BF6EBAF8B7906B6E56D6944D15C1FE5AA924072C9985F40C222AF4 8A7EA31347BB7739A923B3F386B6E115C279EF C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6A2279C2CA42EBEE26F14589F0736E50 File Type: data Size (bytes): 200 Entropy (8bit): F041C55E941DC46B6D4E2F71F2D774F 5C1FEDD9A08F DBB2DCD37CB2A320A0 B970A524FDC78828BDA48902A2DCD2E A39E1C BF A33616D9A36AABDC46B06AFEAB15C06290A63BDD106652F4C80BC358CFDA0DB9BB573EA1A47388BF208E680 7EA880EBDC0966E E3AA90E03 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 File Type: data Size (bytes): 434 Entropy (8bit): F0531C6396BD14FFB9BBDC543C880C96 52E792666E21CCDA697BE2013F DD 04F3AC3DF111885CA19D84CA8D4C740C8E021483A74002B13ECB1CBEF7AD0E56 19B40849A DAFB6E84E43E DC18ED24FB750CF973B4191A3CBF53E620104EDC8BB83D2 20E0AF987EA2583DEE67422E01036C76AF1D8 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC _93E4B2BA79A897B3100CCB27F2D3BF 4F File Type: data Size (bytes): 442 Entropy (8bit): F D64EE3E8D75050DD467E CDA038E1744F217E CDD835BEB91E31A 934B62498FABC5CDDD540A49472D79C5D4CFB32D63850DB3DE11BCDEC9255F4A Copyright Joe Security LLC 2018 Page 17 of 493

18 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC _93E4B2BA79A897B3100CCB27F2D3BF 4F 16737E370E127A842FA0DE4C241145FA117CAE6C1AFBCC6A160FD C D10D065F8E18F1A23FA0177 A04270C8B4DC7E30323DE2685A56B C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F File Type: data Size (bytes): 978 Entropy (8bit): B0B13630F E20B0A3601 E1F534B5723CBEE7F2FFBE5CF2733DCB1A7E81F0 DA46B17CA53E8182F3DF F2A70F914D011FB7AD741C95F2F31E765D4C B6D549A48131F3CB81CDBD1CBEDB1E B713F6EDA3B7B21A794B0713CADAE42A1B91D1E351 A4220E B3D8A554DE4B6A1FD36ED240F3 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F File Type: data Size (bytes): 452 Entropy (8bit): BE2AF58D508DDE631C9AEC8FC623B 1D C01EB A1FBF E2A97CB587EF0BC6C528EC82EE862B01C3A77F35D4992EF016D3E75BA5 F5919B7E2188BC5B8515D908FEBF02B7B4A9CCFB44C09EF3464A83CABFC88D3236B68C839BD83C33299EA24E08 78B03299CF BD156AD6C7C2E6514 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\85B3F147E3624A14E6A20DB4F6C2C5D9 File Type: data Size (bytes): 184 Entropy (8bit): CE1FC6A29E45731D94CEF0AF642CD 9877FF31B395B79FF BAE3F1D00610C428 10B8310EC EF352565BA179A2EA71A4EB263F34A6712A1D E7FC8D1CFA AE513D277E6F1249B8B0C364F EE046385F361D696896B3ABA6432D EF 4E5B DB4AD83BA25187E1E41 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A6E643304C5FBB7CBF4025F1978D6EED File Type: data Size (bytes): 236 Entropy (8bit): EC3BA6BA0CDE7E F8D06B5891 BCB3C4EBC17923F271061FE56EDF088B9AD2A51F 564E7028B866DE5ABA59D8B5FF9AB3F90FA4BBF4F16C2C457CA F2A4 BF93F0BA5858D1B15748E4681BD39417C8116F63317BEC8F5B33D935E31355E2C82F3B B62337C4E4859B B3AF6AFA1BD6D5694B84F9E039BE46777D72 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A 62 File Type: data Size (bytes): 458 Copyright Joe Security LLC 2018 Page 18 of 493

19 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A 62 Entropy (8bit): D36C0CF80809D56E8C0EB1AA46A27FD D60FC2AA18E2B7CFE9AD719959F45D744AB04AAA 369FFCF6AF9E88617D270FFF04E5E2794A95054FC7BA3676F99F1891A77C449C F986DC2D36F B4F45F5AD34594C021B2123B6B A8D24EDDA1CA0764EF7DCB9CE12BF23313C347 0E5E9BA74EA8298F9237A48E0E7C4356BD0AC C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD File Type: data Size (bytes): 432 Entropy (8bit): FE2CC5E130349E3101BA32A237ADC757 0E44DD28BA6F8ED20EDE967BF57813A5803F4E D C602081AD3C4D00B1CAC6339EAD52B708CDA1B7DBED83ABA10 FD7F0300CFD09E35D6B8C728A EDB4AFF561627EC C8CBEE4E38EC49C698F16649D0710F179A 383CE3B7C2D7E8BAE6E7AB3BAB24ED3AFEE6C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BCB67D7ECB470284AF35679F339E879F File Type: data Size (bytes): 276 Entropy (8bit): C3E57657B710F4A40AF75179FB7AC A08F74D4B5FE077A4FBEDA25EABB713DF29B8CAE 807EE7F6D383008CEE6E1846C481A8D57403CDE51E5D1659BBA230ACFD589CC9 D8AA21AFF66864F059206CDCCB2BB1FAE9A78C16E6AAD67416A59920ACBCE52EFCFBC DE7E6FEE0F9 200B F6624FBC77DD7F61CCD5DBB46AC9 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_FDB E72EDD3FB3D65568F8 21 File Type: data Size (bytes): 804 Entropy (8bit): DAABA3C DBB95853C131A40F CE20230EB5AF38EFCB09E2CF79B49BA0F8 64ABC916CD3CEEEB21DD64FE9B06F65EAAA61D512C8EB4B7A623AB A6338A41365CD3603C87E11A556833FBACBBB713F609B0DE92A760E00F8A0E50C520C5D3FD F5F79F B0FF3D3E618DCA82F3FC E300E4B9 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A94D4D2B4465D8F17E2BB2D351_FF9D3097DE59BF460E903E2D8C6AB1 7E File Type: data Size (bytes): 382 Entropy (8bit): F6D524392DE43254BB089A5AE1A8EA22 7E7EB545F0CDAAA1CA72DFF120C D9CC 75A96CB24FF8EFBD82AE3FA3C34AD85895F46D60D495302D72C7FCF6E9F5206F Copyright Joe Security LLC 2018 Page 19 of 493

20 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A94D4D2B4465D8F17E2BB2D351_FF9D3097DE59BF460E903E2D8C6AB1 7E 9609EB07154BAEABBA2437AFF13D4024FD48FC17FF31018C9AE21147CC5F5793AEEB6A18440F80A76BD849ACE EEF02E17BE5CE1FB83E094F4C810FB30A99A579 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico File Type: Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB377EF1-7E49-11E8-B7AC-B2C276BF9C88}.dat File Type: Size (bytes): Microsoft Word Document Entropy (8bit): E4E948588A3E3EA489CB46905F56E8 F3AE0BC0718CEF1C7459ED49FA1E83C22C9B04E5 AA2B0EAC63930AA17DF7886D5EDBF1EC2F787E38A00E6A77925EC8C5BCC5B24C 62D5B7BBAE AF6BF6F02F75190CB34E56B5D6E3026F8597D3A4C480B64B080E0C1887D3C3CEC1CF6B D934F20412AA09532FC41BB2A354423C6F C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CB377EF3-7E49-11E8-B7AC-B2C276BF9C88}.dat File Type: Size (bytes): Microsoft Word Document Entropy (8bit): DF7DFEA99C56296E0585CC1E10BF8F A49729A1836DC63A783BB7E55B747A8AC7890CDB 1805C7D0A6BB94877DE5B3828A1AD918A4F390684F689B1430E1109C D B4E0F96155FB4191E3220AB32DD34ABC0EB0FCB3B01EEBA261796AC0B19A643E587BD68303D23E77F 6F889755BEDB E48C76E2F94FCCD5304 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D4DCDDF0-7E49-11E8-B7AC-B2C276BF9C88}.dat File Type: Size (bytes): Microsoft Word Document Entropy (8bit): B8C647B C3F1987A AA928DF6819AAFA51EE0B379BA434890F31E54C6 C7F6C093ECD74D1F F05AA41A647BD24AC0A6EFDA A37DC8F 824D48F226A9D71A179C8095E4A461594C4E35533B7C2876A203DB448C9A7D853C4B876BA77F63E51A05DDD E7946F358ECBD5D CDEC6 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\fb4mf11\imagestore.dat File Type: data Size (bytes): Copyright Joe Security LLC 2018 Page 20 of 493

21 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\fb4mf11\imagestore.dat Entropy (8bit): A058D304C4ED143B2535E740CF7FAE6 03AC843280D04A0C3E3833B57F61FF8BA D46EC1A6B872E0978C2FA489354C2FFE91B791259E21D1D596742AAE5F701D5 5A609C5B3E A397A2345D8E2C0AFF3DB8DCFCD47B63DF C E649C828DE6D3F805A6 E976AB681329F7F3599A01ED12959EC7188EF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\07[1].gif File Type: GIF image data, version 89a, 50 x 50 Size (bytes): 2941 Entropy (8bit): BB3E69387DF0C5B985A1726E9D50F3 D84FD41E C83A546477E5A0EBF15F87D6D A9927EF9307F379B65F8AF9D A60900B46268C903CC75CBF26 4D4869E4AB3AC68851D7A05190CC6DCC25CBE72AF847AFCF381A8E282D0F4B301E66812DCC62DD87F1CC677A4 50F693F00ABB5E459F575A21D83379DF1F7EF18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\13[1].gif File Type: GIF image data, version 89a, 50 x 50 Size (bytes): 5119 Entropy (8bit): AB02A80F96816AB554FCF3ED4F5BA 8A2BF38D9A1B29B09191E83911E39C1F AE7B81A8B716A53BA776BC63E71F8380ED F000151C6B41FA34166 C5711B337729ED56D F5DA675580B66EC6E211FC0BD50A4D67379CEBEA4DE59FB84BBEA745A2857B 3552D78444B33FB0F97D90BE5C20064AB005DF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\14[1].gif File Type: GIF image data, version 89a, 50 x 50 Size (bytes): 7099 Entropy (8bit): F30AAC8C2B4141FB65F4C4EC75C9D943 8DEBD3FFB5021DA639F64E63F7B85CDDC17B194C 1ABCEE70F30B94DED413F66E219E108481D251CA1FF8F05BCCD1D4BAF0ACCDE5 29BF5A99BE61210C295B08D11D50CB9AF07F859D79941ECF2762BC269C86BA7BE20B22B95CFA5866A0834A23FC 425CC04C8DB4F0BEFDFE666FDFE77217AFC485 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\19f0P2PnQyis9UGAQJyDAHNxVow[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): F EBCAB1DCDCF37D556A0A46 3B18ADF07D49EE93FD5CEC001EAE1AB125C248B9 F B37D35ED0316B8B6B5033C57897B5CA2AD050468C056D7BF26 A23A25AC0EC5A1A6DD31ADD9DE714C7AE6F1CB190DF5F093ECD8615D6357D8C8CE9E4C3AF1E F920A ACE0B61FC52C854555F4B6FA366B972B7E9B3B1F Copyright Joe Security LLC 2018 Page 21 of 493

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\1ocGKvR6x9QKyEDun0aqGVQu5lt[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): B7A0BF6BD17C34DBA8E203E33DC0F 0A75693D55ABA9B66BD1CCAA2D F8EC10D 3AB C38D454617FD ED6F8CB D247C6F AC076A82375DEF4A17ADD BFDFEEEC756488E8426AD704E6E16E424825C4102C3CC1D904CFF BC92BD265557DE89301BFEB01318F27F7DB28D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\1qg4pXaUcZieeWXU58ckZTAl5JF[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): FC5671D0BE10C40440F269E131FB21 ECF83AE243A37C65A B8EB84B73AD85AD8 A83F29D872BFB1D51CDEBB1C7CFDCCE14B01680EAB5F9204E732C69EBE52FCBD 0987ABC69C E689434C3AA4EDA4E82AA E840D5C917D5CBF3DA6DCDFC95CA819669ACBFC2C EE8078E484E844DD2C CF4573 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\1u2f04uoVGTjmThK71yDDqeQwK0[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): E6D7BCB3D33EBDC4D65DBBE1A60048 B9F3DA9D AE5373F54001F1972D8388D68 99C6248AB330FCB66E03451E4317B CB92826D19A32B1D544D36E6A603 F898A624606F9E6F26060AF3CF6700A2A4F43EC2D829971CB8FA65044CF500FF1A78B09D D37EF40F43D2 2D007DFBBCAEFB8AB1E0373DABBF851713F8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\2yOcTP8s3SD6GVzqKWnk5tBfS7h[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): DC5AC90A A5877D5C8EC7353 7AFE7F691431B C613B678921DBDB 67059D1B4E642833F44CEC71C69195B78CFA969A5A90285B2165EF01CDC997B3 4E26C1B2E81AA05F488A052E0F4BD741284DC216150D5E28D81E0B47C2DC9F B3BB8A8AC8C142C2F045 F7D19D0873AFFC924F0F76AD08861F387CE493 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\34kMkOvCuaVJ9DntejWi1mT5jdF[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): D0B5A9268CFCF5FFCC03263F8E1 8C90304A2DBD FDB1A363F6F4EF9C03471 B680DDAD8E735F192A403FD10264B94754DBCD DBDE9A5CEAC71B08C4 E102619A16450DEC81ED37BD1E49374BFB4081DB1387D91EDD2D3DD20FFF823932FEA37DD0BA3ABF7AC0275E6 1731A866C004B43AC0BB501C4A2DEC0EC0C3A43 Copyright Joe Security LLC 2018 Page 22 of 493

23 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\34kMkOvCuaVJ9DntejWi1mT5jdF[1].jpg C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\3XwGfsOFdtBDnWoJOsMg9xuKzGU[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): BAD94F C997ADFFF5218E8 D D54AEEB2BEA13ABA06177DED3754BBBA CF96F31D8F4166ED EBDD695DA95BFA0C BB66015FAF A7B230269B350B91AA452EA8A8CD322FA91B3CEA308A584C8C6F3DDC6CAF50C99648A64D7913EFDCA9FF 7F2A951D952D F5513BF409E3C4C87843 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\3soYLZ9TKl1QESZRZ1DCACxYxRI[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): D18F1659D0B10AECFB56F46E C C96EBCA8373C8F6911ABA7A 00A3A06C9C12C9E3B1FD27C2ACD18A4741B930CEA0D93E58A2C96BE300F5EFAD DAB6BFD0F C0B052CF3017A8F193E FC15DDCB8D960DB4A48DF3188B3AD1F8840BD3A5 CA3C0033F67DB052B02E0EAFD4D154DD612D45 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\49UYU8YNX0e4irz7ls2zYiR3IBU[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): CA1CCF99FA9B11451FC56241FEF13DD2 693A5D5841F4B91E63EE15CBC44FC8263DE6CB48 A41AAE4E35063D867B99A6F77242D7776CDEAA4C9426C65D083C28BF3C4FBA32 4CB35FACC9561C4DF238513CDB44A2B1D F92356D4B741E691B7481AC2C3E5C9AB9C13ECA818A7B69 EC6F58E1259D8F0255E22912D9014C9A06B238 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\4FfQ1erTzlof6Bu8K0jfRvEdJXq[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): 8625 Entropy (8bit): FC75D6647EB216F5FB7AA008654BCE3 C981154FECC45D4E FCC5ABFC3A04EC C8D5D901F1CCCD43BA69C2E D ADBCB95DD50368AC05 7F4D363718B2349C2ACA8CF2E051090A1CB3C8A6C195CF33D4332EFC DA1ACEE FC3F5779A0842 6A8F722C C19B716075FBF D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\4UnME3icxSspwL0UoGZNSyyp7Xs[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): C309DBC7F854A50B075EDD1167CFB4FC Copyright Joe Security LLC 2018 Page 23 of 493

24 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\4UnME3icxSspwL0UoGZNSyyp7Xs[1].jpg B7B4955EEEED31A99CD293659DDE933EB6 4D1C31AA19E4DAA3E12CF02C91B206380C654ADD16C8039D5593C81B4784AEAA 71B3E5B949235A9CB88E9B9CDF425B A8FAAC E7B35AF3D05CA37327D40B19D286A12 724F9FC71DEAF8BFECC2DEB502A7A822058F5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\4ih0JNyeotEPBFWdKPzsGMOn7wc[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): D5C25293CE0C57ABCBE30E75075ED8 F7ECEC9CAF0F37C7290AC433C10E2B343E267C1A EF1374E343045BABCEDF8DA030857E409C7094D4E6E168662C663CB28DBA F2ABCF25FF741AF1BAAAEC A B93F232C7E6ADA168F C751A56227E6A824761E736AA 75523E75AC B25C882156FE6ECA0E82 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\67exRijfvN5RRmBCqFtk1bhJ7Uh[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): D6D0129DC642F2ABF7EDA43327F6D1E3 3045A8D7A53E7F96C5052E8F32C57C444CCE6729 A123EE7FD94FFC1D0C8412DA4F50B6F6362BE657104CCEBE13A10A45EAD8AB85 87F49DA DDF7B1A24F30C461F21D E5EB56807BED589AB1EFA394100A8E86368D5EAF181C6E3 B390F26EA0F48268A455A9C405A9BCAC588C1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\67loVKGh0DrW5HLwv9ZZ0VTytNA[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): F9B3EB98A0AD2AEBFB B17CB10E BD08C4C6DF1E31605A CE11B1C8D41832ADCB196A61C65FE4B45CFC1583DBA E03E02D34A309 B5B AA59D4EFE080DF F54235FC9DA982B21AA4D00756A7FDC59D417E86EB8E161220F16C51F E899830F4D69F804DBE7F201630E906 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\683[1].htm File Type: Size (bytes): 1421 Entropy (8bit): HTML document, ASCII text, with CRLF line terminators 54A00A2592C99255A222C87AF7C2B312 5D07FBE66E52C5CEF1345F38BC2349A825E5CB3F 74C8C31082A15211F5D6457F110E9811F06D2362C6F93FB3C ADEC7DC 1DA095798BDD5F6751B3BC1A331C7D70F0E1ED F3678ABEC744B91FDA7D0F D4808A51062F7 95F273D2158ADA4B6A2D0C9AD3981D11851E1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ dbb05e88daa8c8991bd0e31d-1[1].ico File Type: MS Windows icon resource - 1 icon Copyright Joe Security LLC 2018 Page 24 of 493

25 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ dbb05e88daa8c8991bd0e31d-1[1].ico Size (bytes): 1150 Entropy (8bit): C06FE7050DE8BECB56298D195B701A F5C7527C1325F3F8F2B52AF4089E0C10 1F55274D08E3E7B6AAFC281C EF42FBCE ED788A0B4683EA6 F81166E9F9CF0BDA66F3E9B FDD9DE63B5EDD8161DA0D397BF80B71DC11D4CB591EBB9BB1AE77CD3 EAB CCA291E0EC67D494520DA6E38 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\7u7Cl3rFbY47Gz8l4ZSiJtkFZ6Q[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): CEBDFA32C06E9FD3B912D DC3 10E101EDAE39930A7EC246AC9D9E44B332703EA7 7E1A97266AFB39FE0F B FD8F35DA FC546BDB4 99B2F1DA93D2370E0727D134007E4CCBD221E83A8D3E51B0095DC0DFC FA9043FE56DBF904DF631FE4BA 0C0972D BD3B60FBC67B5074C547FE73 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\8vfRx0uUPdqja0AohHl2Lc1l115[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): B9CC B F550EB3115D1 717DA03161D5362D0EF6FCEA0A9609EBDC9E720F CAB2B8DDC282C7A3941FC18741F161EFBBEB7619B7718BF1D347B A1C 4D9F40DF17CC78C212191CE8BC403E6692D19A DA76685E9A844D099ABD59FB17AA7E1B93C84E B794FEEF9490BE95A929B93FE76EB23DA86E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\9ANrQjudgJg2kivc0EyDXfjBpj[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): AE9C2606AF9754A3534F14945F53A01E D232A3DF3B0DC855DC3ACF108561ABB65D8F9A3B DB38CFDDFC875A817042E9A112F0E50460E6EBBC07D0896ABBCAB51EA 70A8FC39A99C1E6BC2C9D7F0F93C9274AC9BF4FC22466B4E66EFF527DABFC6E12932BF8C4301EFF57FEC5BE73 B4D361AF085B35AE235ED81CB120A11574F1B0F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\9c07ypPe17c0FLTUpTusAz567eh[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): A86F726BDF1E2226ED028661B11FDE2 7D7E50A0D116856DD272D88BE4300E8CCC708C9C 38E1B133B D0315BB5AD075D1A2B6E BC5192E378FADCE0D 9E6E28AE3B78958CDCAEA0C4E2A22CFA9ECD7C856903AB49721B8B4A9BAF1DE37A2D1339FA571D49D7DBC9E1 6A3EAC DB93F341330A54912A745AE4D4 Copyright Joe Security LLC 2018 Page 25 of 493

26 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ApYhHTPIR68F8FPCdzq3iTvmkd7[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): DF2FB686116AF8F927B772D14F4B33C 9CFE01CEF1A6D108D35DEAFCB3152F0BA9155CAC 89B525922B9B DFBD86B09BC65CCEBD8DAD67B9D1953A9874EA0FA CBBFC70C85E2D31D7778BCAD495E10AF68B3C470AC32BCCA7BBBEC93B14BA7A53C707F7EB6A81858A55 6C5A B2C1FCF3C0331EA7E0D66A5AFC1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\D32LXCM5.htm File Type: Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators A3C0D7F5857B3A69BE1A1F5DC9A9D85C 3C648252F7B04D288DD82A808D7039C99F98F0DE FD525D843C5FC3456EBD1D7D9D7C F98B4E92306FD6B7C81A7F2FADA 2BB E387BF16DF3CFD65F3766CC9619ECE3DF9A1FD1C4E571C62B64BD6FB94BBB B EC5CF D6D3B91EF5F407170B77CD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Expandir[1].png File Type: Size (bytes): 554 Entropy (8bit): PNG image data, 960 x 50, 8-bit colormap, non-interlaced 108E9DA7A8FE0456CDC23BD7DED4D912 AD7FA2845D3EACDDBCCC4E7C651C67934B5F5AB9 A1E651E665049C32BABDBC C4B4E F54B479E2E B 5BABAD7D4AACBC5A EB011ACA619C8888D5AEE B57AC255FBAB11AFF220DF0D3D77AD964 B33F836D0B3F0F3239D DE3A0A39A997 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Q6Kgm3SgFC5krNiwP4N8tUPtSP[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): 9822 Entropy (8bit): F69CB683A0F9FD8B92E6D3762FFA0 387F996ACD485234C8A5734F1A99B6254D68A9D3 D004E5C588F9FACB7FA55E62F8D34C16C C24FC350A8B5A6D775D 7C7E2ED82BE11CB04A C24CDA FFFD38A78CF3DDB6E834575E6DDBCC9EE1CD0FB7FA2670B5 5E1A6754C69DA3079DE14BF86D9AE7AC290221A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\TK3iWkUHHAIjg752GT8A[1].woff File Type: Web Open Font Format, flavor 65536, length 18936, version 1.1 Size (bytes): Entropy (8bit): CA70F49A133F08485BD05D5CB28EF8B F276ED6B7D2895CED7175F958FB6C1C5F A7A4038C6FBB19BA AED0FF204D80E19223B1CAB388A290A8D5E47FE 6EFA432ACB4AA8BCE35A342D25E96D804AD06D3E59977FD8ADC C3BF8C2A0DFBE9ABCA E5E 7203E4E28428A5B849E175F2201B4F4C09F0E138 Copyright Joe Security LLC 2018 Page 26 of 493

27 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\TK3iWkUHHAIjg752GT8A[1].woff C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\YTQ8ACVN.htm File Type: Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators 6C01948CB07ECCB7951FFD09A87D587D 3FEC3868D FA5B02C37960B75A44D67A 06727C9C94E24F0F10013C127C D74527F0C29EE1A90849D12A769AE2 9FA33390B A77CB8EB CF1049FF81F2C3B263061EB6D72F B2B54808AAC814B4FD ACB CDCBE6DC8C6DD5313F20E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\action[1].htm File Type: Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators C3061AB97841C8F304035C8B3E E E5D0E7EED4F296E CB2839DE4BCDAE7274E FF A06F3190C61E0ED104EB D1A762F1BAFD DFBF4FC5EC4493D5C24F669B9A5FC E9A66204E99E4DBEF E236 57A9E7F2E37927D27142E6C01C41B3167C111 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\addtoany.min[1].css File Type: Size (bytes): 1401 Entropy (8bit): ASCII text, with very long lines, with no line terminators 87C21BE56342D377BE60F97D96398D80 0F2BFF1F737E4B CBE15B66A52C9B01B08 CCE3AE7F8A62EBD28490F351E8E29954F15AE E43ED7D09915EC7959E9 5544BFD6DBBBF38BCB4BA077EEBC514CBC3F2748B6EF85E7BEBA6967B44EAA297C2AB1A5C15F82C614A9D042 B4ED24E91E3FBFC6EFBFCDAEC D5B6CA29 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\aevmNtJCNG4ZlfEeEGZ79frMUes[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): C3C A E5F57BCD928 E687F2912C0C46972DB94E57B A0F0E7F3 65AA7265E53CCCEF21FD7F7C4D4DBDCCA365771B0178F4630D49CE3450C38AC BC705DDC005CE97111D7C4D1A66836F6DFE8EEB96AF3B8FFDA091F6FF703E0A8B74A73C0BC5C332BF A7B8FB34394DD EAEA2C6D60B5B21983 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\animation[1].htm File Type: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators Size (bytes): Entropy (8bit): FBD465FB0ED81D7989D79DC435E741 Copyright Joe Security LLC 2018 Page 27 of 493

28 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\animation[1].htm 01975BB89A03BFBD96B952B62F2C6445B571B5E3 DA3E607501F16507C733F89D67F50C C34BCC AD13C39D E7C9A107C8ED0DCB98296B01E625AA3A9F2E617BE78A6704A9DA7EC0ED8EE980BE62689CB CDF7 50DCC68B99B46CC4EDBB2B46E1E192BAFA6FB30 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\aueRciW1Wo6215P9nsh3SZP2J21[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): EFFBA64AB30441E5580FD3310E7FBD 84BF53FD6C1FBEE60DB9A070094C4A57ED238F6A FB52AF07C721F693F F9784D9C51E59A3D66E CD14E319C E84CC0D E556D4C91EE C31B30761FB6D9EDB D19F5E0353D BBBA85BFCD5EA4 26D441090BE28696A132062C1B71CA66049F0B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\avatar[1].jpg File Type: Size (bytes): 6901 Entropy (8bit): PNG image data, 120 x 120, 8-bit/color RGB, non-interlaced 1EED20A37E F670E2449C6 5D1ED CF544BEB3562A0DAB C9 3BB DD9F8E003D8738F286C36BCA3D918DD370DA062BA0E9AD58D3195 C7799C5E3EEA52ECC44AA EADB69A BC0693F83C9FF9AF2F1B7E852E080149D06206D EC55C4F6B4C945BCF109AE6BF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\aventure[1].htm File Type: Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators A96C29FCBB63B76636B225B4596DD2D9 08FDE25CA75CD6284C10778B561EEB908ECEB501 98BAA69C980865D9A5F9CFBC108FFB CD8E B220D9C97A6A 271EC09EF1E46D895BE54A3904E58DEA9B154D81A9C1E38A14D1C9182F7D728C1D7FD0C5098AC A7B980 3CD5F6EE AF4BF5BAF3AC88DA0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\aw0HfsCaJ9jIQAi4KNIQvhTTyrh[1].jpg File Type: JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): AA1D14A455B2F197A6EC85DDA C99B2580ADB343DEC D4D54C2D94AB 2063E9E0ADE2EF711BBC65A0E42D32474B6F584AA26522ED00505DA8ED5F4F45 95E242B30156F4C6DF8DE13A75A54AC7308C94AF61185BA2F05D70222CD DE51B7A4D7710C26BCCA8E 27F59A34C237BF9033FB19FD79F CD7B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\bootstrap.min[1].css File Type: ASCII text, with very long lines Copyright Joe Security LLC 2018 Page 28 of 493