ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:

Transcription

1 ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: System Summary: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted URLs Contacted IPs Public Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets HTTPS Packets Table of Contents Copyright Joe Security LLC 2018 Page 2 of

3 Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3296 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3352 Parent PID: 3296 General File Activities Registry Activities Analysis ssvagent.exe PID: 3448 Parent PID: 3352 General Registry Activities Disassembly Copyright Joe Security LLC 2018 Page 3 of 70

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 20:56:26 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 2m 10s light browseurl.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Warnings: Timeout CLEAN EGA enabled clean0.win@5/67@15/10 Adjust boot time Correcting counters for adjusted boot time Browsing link: omaincontact.com/index.php?dom ain_name=ddni.net Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 2018 Page 4 of 70

5 Strategy Score Range Further Analysis Required? Threshold true Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Copyright Joe Security LLC 2018 Page 5 of 70

6 Signature Overview Networking System Summary Hooking and other Techniques for Hiding and Protection Click to jump to signature section Networking: Downloads compressed data via HTTP Downloads files Downloads files from webservers via HTTP Performs DNS lookups Posts data to webserver Urls found in memory or binary data Uses HTTPS System Summary: Searches the installation path of Mozilla Firefox Classification label Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Found graphical window changes (likely an installer) Uses new MSVCR Dlls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 2018 Page 6 of 70

7 Behavior Graph ID: URL: Startdate: 03/07/2018 Architecture: WINDOWS Score: 0 Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values iexplore.exe started iexplore.exe Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious 74 updates.ddni.net , 49164, 49165, 80 TRELLIAN-AS-APTrellianPtyLimitedAU , 49177, 49178, GOOGLE-GoogleIncUS 21 other IPs or domains started Australia United States ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 20:56:44 API Interceptor 3185x Sleep call for process: iexplore.exe modified 20:56:45 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample Source Detection Scanner Label Link 0% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Source Detection Scanner Label Link googleadapis.l.google.com 0% virustotal Browse Copyright Joe Security LLC 2018 Page 7 of 70

8 Source Detection Scanner Label Link parkingcrew.net 0% virustotal Browse googleapis.l.google.com 0% virustotal Browse d1lxhc4jvstzrp.cloudfront.net 0% virustotal Browse gstaticadssl.l.google.com 0% virustotal Browse 0% virustotal Browse cs9.wac.phicdn.net 0% virustotal Browse 1% virustotal Browse googlehosted.l.googleusercontent.com 0% virustotal Browse a1621.g.akamai.net 0% virustotal Browse updates.ddni.net 0% virustotal Browse www3.l.google.com 0% virustotal Browse 0% virustotal Browse www-google-analytics.l.google.com 0% virustotal Browse afs.googleusercontent.com 0% virustotal Browse ajax.googleapis.com 0% virustotal Browse crl.pki.goog 0% virustotal Browse ocsp.pki.goog 0% virustotal Browse fonts.googleapis.com 0% virustotal Browse fonts.gstatic.com 0% virustotal Browse URLs Source Detection Scanner Label Link 0% virustotal Browse lcnaqum%2bihv2cchsbqbt5ztjot39wzhi4cdqhjqtac%2fhigod%2baux0%3d 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse JKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCEon2R2kXhjX 0% virustotal Browse 0% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps Copyright Joe Security LLC 2018 Page 8 of 70

9 No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 2018 Page 9 of 70

10 Startup System is w7 cleanup iexplore.exe (PID: 3296 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3352 cmdline: '' SCODEF:3296 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3448 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\CabDDA3.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 46BA6CF8C A489238DA0B A0CAF545A4EA1694A62C38617F2902E F 80BD068AB6E55EE508FDA18C7AE8507D7FBD6A28CF D677CC756BC7E43 8B518F4F2126C7A67823FE74B17A1078B42CFB59EAC7588CF8C2932AD6C13CD38F0194ABB3880CC74BA1C36829 BF6A5C68AB89E9D8D3AB F81DB160D Copyright Joe Security LLC 2018 Page 10 of 70

11 C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log Size (bytes): 89 ASCII text, with CRLF line terminators Entropy (8bit): EA379916B00641D519CD27ABDABD9 55FC684FEB1B1F8F67D97C3DDCA2934BD5419FDE 42D636FC7C0DD9DAA3E187A9D8EB894FE099FBA4E7BBD5D8DFD648DBDFEFE6F3 2CC72A7AD79E366F70DDDA521F52D7A3C30CB2E252581E593F061738BB4712C9625E27CDED0AF9554CDBD9C41 FD6CAB2CD924A0918CB94EF1B245E8D73BB983 C:\Users\HERBBL~1\AppData\Local\Temp\TarDDA4.tmp data Size (bytes): Entropy (8bit): CE93E08013D491C3209CECE260B9119 EE562301F20A1FBB55B5F7E4CD5546EABA21845F 3B41D93C0113BFFFB597179C36EB0EAB49B B708C223E0496AFFCA 90B5BB22F5CD83F7C2E4F71E589E8F AE3C915ED0CA0DD0A1F71F7816DD09DEEB27D4E31FF EBDC4A328378B74B256AF7135F97C246E5 C:\Users\HERBBL~1\AppData\Local\Temp\~DF TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): D1E1B8F0D91C1D5E3BCCF858CCE5A19 FCC6430F0BC3CEFCB0975AE54986E4A7453B8F08 DF232F943AFF533CA6F310D907F93D FD58DC2D5DC F5EEB0 6F44750A6265B36655FB25C6D5EAEF04BE08B7E14DF030C324F619DDE649F4FA1B7FAFF45D6437BC206A17D5B9 9B483772B0D7EECAD035FC2542EA1C098085F5 C:\Users\HERBBL~1\AppData\Local\Temp\~DF577FF73D8CEF8555.TMP data Size (bytes): Entropy (8bit): C78D2383BFC1F6AB91AE081E6830F8B 0858F2C47E7A40A078DBBB9E5E6750E97AA9EFC4 4ADAE13ADAA308A35B2D FEADCC BCBBA5378 F90C74EAA7C467036E148BE25B39DE469D90CE9ABA829B1F51E228D51E02DDB0CF8DFBBE094CD364219FC5965 5C781DDAF90F2DB42A31324EA0D536B589CB071 C:\Users\HERBBL~1\AppData\Local\Temp\~DF800AEB9911A921C1.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): DCEF99D24C14143BE8EB105F3F2D9EE 7E47CE813D783BE185FD5EC3A64068B5AA946A94 04C128603AB5038D D7D0E485028F D0EAC8DE57BA57E A075BAF4E420BAB8F B D4D5AF423040E17E778F0C7C45DFDCBFB4F5250B398C4D1BC BF968AE2ACBC15C E53B6E02BB446 Copyright Joe Security LLC 2018 Page 11 of 70

12 C:\Users\HERBBL~1\AppData\Local\Temp\~DF800AEB9911A921C1.TMP C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\01B16CDBADE7DB774141D7E30D50EC69 data Size (bytes): 635 Entropy (8bit): C5D11C595F BA42C8FC28F96E 84DD010F13FC657B41F3AB801516D50F58CEA48F ADA62EBA6AC523DFE8189B001AF50A41CB19AD7A510F717F73B27FF63EEC D8FD800F39FAAA558378E979CAA43DAAC A2513F96E016AC1B8BFB963F9F0B38051E9A291E3D D72E559A1D607D13634CD48D67067 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, 6509 bytes, 1 file B95F90C3BEA1D0E7ECA664B8FA01A720 A2ED44DF03C6971C0A7C335ECEF8D996D6BC0652 D82B D19804D73473CE65D84C4F7D64E453041A9B30CF96C738AA0C 4DB9F495F3B3E39D89685FEDD1F0C715E3C3B0D FB3F51D2B454943E7AC34B1F871C435299B799FCAF3F8 13DAA3BB67C33B221D27C721CCF0F4D67C033 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 data Size (bytes): 471 Entropy (8bit): F0210FCA CC216A E2 D10B86C6F353C30D98B55BFCAADD40E7D493397C 397AD878DB2D20AFD65BA634252E B089E1C9526BD D1221F9 C5CA0CE0D36CB0716ECC6E37F96C261EF4E992C6C6B03D7EF703252D5494DE7AAFB222089C8BEC0A52ECD39D CF B994898E994C7D29C8C513BB690DA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 7728A4F5FFCA53E3165CCFB18C585D83 6D23556AA EDE7AF9A4488CFD822718F33 B6F623669BCD3C3F0A4BA80ABA41A0AA2DE A98FE5505D82C6D4 5EA3736B B5B07525F6ECBD499C74031F C9A08D18F756B42A9A03F CDC784 3CF7E207EB52BD68DBA52B56ECC6D3FE344 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F data Size (bytes): 4497 Entropy (8bit): Copyright Joe Security LLC 2018 Page 12 of 70

13 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F 0B9AB2AEA3E1C155FD0DA5CE57082BD2 C2413FBF D40ECA4D548EAED4D3EB644A F88F05DBA035B61A74B7A96B557B8F5FB7A6368A9C8166A3F10FAC1C56E5B265 BF133FBFE010FA77F8BFD5545C6696BF CF23F11C16229EB0DB0394CCA448991B3A9F54D66131D65800C0 DF E0C DEEEE9B C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\85B3F147E3624A14E6A20DB4F6C2C5D9 data Size (bytes): 815 Entropy (8bit): BC66A157E3E9EE64D62B3D2597B8278A 82C3F11D62F2E3C5FA23E093C7ABEA7C84CFEDEE E70E62368F94E96BC2DB007C7F09233A2AD20C4B9D7C006550D060483D7913E4 272CF63EEDBAC3ACA64B2A7F41DD4CCB81EE6F096D35819E0B5B4DCA07D6CB33BD799F8DCEF29AFA6734D67 C1AB9B56D12609B4B441AD1F41B283836C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB E72EDD3FB3D65568F82 1 data Size (bytes): 468 Entropy (8bit): D9D754520AE3340AA37CCA6115EEE05B A D99C762CB2EB4B37F776625EF1B33 7DC8284C51C9A38DC1BF03BD28857EA5336E8F5C564EDDBB1C9082EE43C F6A9EA2CE5ECD1FD7CB3D122A6F5F108550D71A9FF5F88F235BE F95C75F66CCF716AC2A EDBDBAFBD114EFF0AD3D98E3DA6A30C94 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_FF9D3097DE59BF460E903E2D8C6AB17 E data Size (bytes): 463 Entropy (8bit): B C5604A382CFC CD475466BA6AD817062A4E73DE01AA3BE4BA48B7 C69DB E24BE4A666B6EFDBD361AEE7B2CC ED3230FC45 AF39FC7660F34717E2CA4807E023967A6B9624A250D7A F33E38B CFF142CA6FF13DE9DD32E 36F84CE654A005593FAB00BEA63F8793C4BF C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\01B16CDBADE7DB774141D7E30D50EC69 data Size (bytes): 182 Entropy (8bit): A591BC872AAD5DD9B43EF2E3E3305F 7B38D53D7E99097EC71A05B5B27D08B6E5352C98 18C306FD349572BADB76477EA415233EA15A6AF49619CCF288D38F7711DFDA96 43DF4CE03817F749A70FE E20D95C9901F307CA3E181733B1A326A3DABA0A807E A8557AE03AC7 2DB68C1E23EF3A20975E86B9E703A588CC67C Copyright Joe Security LLC 2018 Page 13 of 70

14 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 data Size (bytes): 1026 Entropy (8bit): F2A2D82A451302F51AA82139D9BD07B0 1AC4B796143E724F430C71E1828AA27EB27A5931 F9BFD792E5EB644CF90A0BDFBF6BFED588DB07EAF27D D8EE780378E0 4CBA8482E4DD253A3131D6F241F2A24395AF15C0DB79897CD5D F1769E3C1CDFE34F9EBE5329E9B5ECE 25B0EECF1C9D6485E5203A008ABABF C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 data Size (bytes): 434 Entropy (8bit): E2F90C47207A EC2BB0505FD7 F4E2F8FB409CA42333A524B8A0B B DB5C52510EFF4265FA21CC5ADCB9AB5CD5DF72DB27062E043FC733EF613AC34 0ECA AC7C4D9CDD117B33F0C595B09B741EFE82BAE5D5AF405B291DB1D4AB8BD5C F3EDE0E0B C62057D80603B5E448B959E18AB80C2E89D72F57 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data Size (bytes): 1630 Entropy (8bit): FF11D799BE982E5C0B D101673E06E2D0EDDB92BE5ED6A1C5B3E733AD 5A4ED6DAD4226DC1378DA17EDF9E9DAED868039BB122B6744E3FEFAF1663FB7E 04D8B01F0EBB1D5BFCFDBD31A5BCE746C69A0CCAAD634AFF6C1080E3750B DE6723E2489B77C6986 CC727A55CF1B6139EA95B1BB63B0AD2AAC40420 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F data Size (bytes): 226 Entropy (8bit): CACC4C0D23C1EB06CAEE1FBF6C9939A2 09A42CFB0756F354BEFAC29042E7A7449B84D504 F0E837D C0759B0251A8C64A2D53FE54EB84FDE F C 815DB1ADA A4391A69994DEA4C10C AFD342DBF7E7C2C168C4A416F BD60492AD1B41087 CFB63738B D7EDC4304A1D677AF C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\85B3F147E3624A14E6A20DB4F6C2C5D9 data Size (bytes): 184 Entropy (8bit): DD01AB9C003AFBFC3C1E C BE2486D80BD9D3F1E963EABEF828B AA5E 0C3E0C55639AA EE91880F6EE229E512DC4CE6633FA0D991A772D9C911 Copyright Joe Security LLC 2018 Page 14 of 70

15 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\85B3F147E3624A14E6A20DB4F6C2C5D9 4EFFE705C0956E99087DD84B6D8C8C4D0C2D8F9EAAB4E BA440AF8E5113CBE27897D8BB0653D3BA6 45A401061C2DED57786B033B886E0EE524DD95 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_FDB E72EDD3FB3D65568F8 21 data Size (bytes): 402 Entropy (8bit): D62F1F76207D0288C80F8147E34DDAD3 BE2C9763FBA69B61DF488A F54B8 9C2D274F81CA2BA3E4089ED6F0A7C E6CFF96080C88FE547DD6FE B618CCC18B5DF F9FA10FF44F8D AE8A775C7FB73D4DFDAD98AFCD78844ED17B51AA31674 C8B4BDC3939E6EC82B92699D993220EF56C25E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A94D4D2B4465D8F17E2BB2D351_FF9D3097DE59BF460E903E2D8C6AB1 7E data Size (bytes): 382 Entropy (8bit): C612DE7CABCD4823DE64712A8EE8E A50FE0CC7437A915FEF903EAE C E427F3F397F37B824FD260597DCD8FC5EFC70AA246D99F0C120489EB0812C 7D4E AF0ED2AB5597D6F F0EF9F F84738F61684C9B134721DAE73E309B4 B5D7A85B4F5A3929F306480B8A0C05052AD C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico PNG image data, 16 x 16, 4-bit colormap, non-interlaced Size (bytes): 237 Entropy (8bit): FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D37ABBE1-7EF2-11E8-B7AC-B2C276BF9C88}.dat Microsoft Word Document Size (bytes): Entropy (8bit): A1E24D77DE B2AF6939DF 88BEF81673AD76B799B05AE D5023DE18 D3EE45E5F5F5C148AC819ED8D594D192690C7597A3B8F853FA09AD731A5277D1 8A11D79EC4BC66FE384763BE69DC027B6E9E2D1B2E3CE8C5C6F05832E495EA644FFF217F1AFA06F7A2FA3B549 ECE8F A E17D2CC0A6B51630C C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D37ABBE3-7EF2-11E8-B7AC-B2C276BF9C88}.dat Microsoft Word Document Size (bytes): Copyright Joe Security LLC 2018 Page 15 of 70

16 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D37ABBE3-7EF2-11E8-B7AC-B2C276BF9C88}.dat Entropy (8bit): DBB970485AAC BA86428D115A 87BEFEF8F0BF88D44D9784B469E2F50260D7FB3B 3FC0C26D901D38C0278A5BA2BF1B43E78A9D69510D335AF AA3969DA7E F3095F15CA35D21D1B7E08BF22A54F4249B6A85A4022BAC186C6C7FDBCD6E139FCD66F1EE88D49F6E3F 9E8BF5D826D7EA872CEA2E535E858D51AC5D53 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DAF9F5C0-7EF2-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): FEDA2EC5E29561FE4049D977CC 34A48F366B544D0EAEB7F10A3FECFF5E131AD6F8 4765A5600AAC01AB5807FA6DD579EC2D96C8EDDEA B F27761D5 9A64787F326A59FB921874E1950EB8E4DD0B0A62ACB8533BA15E98AD0F AFEF965D786FBA6C27ACF9A2 BA18D3C10CC556E CEFCCD2DE6 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ads[1].htm Size (bytes): 3458 Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines 0115DEED75E1363A0FE23C1B7C9B8FB7 7829A017DF64EF565C5C7117C06AC0F46516D3AA B5806E38CF A7DE0245F1C1365D7920A8F9B9E15BDE8288FA6FF 03EEE74AABFF42D776FA092ED28C A73B37AD15A17162DBB681A6BC9791AE6CBAC66C73A45A711DBB3 A8C65A21EB9A85BE42DD A897B2BB1B25B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\background_gradient_red[1] JPEG image data, JFIF standard 1.01 Size (bytes): 868 Entropy (8bit): E78CF3C521402FC7352BDD5EA6 017EAF48983C31AE36B5DE5DE4DB36BF953B3136 FBC23311FB5EB53C73A7CA6BFC93E8FA3530B07100A128B4905F8FB7CB145B D382338F467D0374CCE3FF3C392833FE13AC595943E7C5F2AEE4DDB3AF DD5DDC716DD17AEF ED4C2A1AB7FE6E E36EE98A7D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\css[1].css Size (bytes): 272 ASCII text Entropy (8bit): C8CE452C7CA72D0C1FFE2C C0CA102E1F4C9671D C49D8DC6B 08BD452D5A4798DA643534CD DE520B0440B9DF0F4B37CF09EA47C445 1CC924F31C678FC9828EEF38EAE05CA52CC92F253EF CBBF48D14F365E761E2379B6B7474DD7295C64C7 CB81AAF2FA9D32EE93FD63F1E99EA8BF570A7 Copyright Joe Security LLC 2018 Page 16 of 70

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\errorPageStrings[1] Size (bytes): 3470 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 6B26ECFA58E37D4B5EC861FCDD3F04FA B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA 7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB A 1676D43B977C07A3F6A5473F12FD16E A1CB9771D0F189B EE79480C33A010F08DC521E57332EC4 C4D888D693C6A2323C97750E C3F4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\js3caf[1].js Size (bytes): 6341 ASCII text, with very long lines Entropy (8bit): DE93E033FD284F64D75CAB90E86FEFD E2CE3665B489B C4A37F04E68E FE6AB38393AAF7675BDB29E1C6E63478B590B41FD3E6AC5EA7F7A57C810BB1C5 0BB6BF DA12500EC50AFB6FCFE9A281F0CE1E9CD232B4789AF25E12FD819E B9ADB5E37 0C885067E76D66E1633CE9312CF2B8367C0622 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\red_shield_48[1] Size (bytes): 4127 Entropy (8bit): PNG image data, 40 x 48, 8-bit/color RGBA, non-interlaced 7C588D6BB88D85C7040C6FFEF8D753EC 7FDD217323D2DCC4A25B024EAFD09AE34DA3BFEF 5E2CD0990D6D3B0B2345C75B890493B A8104DE59C A826E3E0 0A3ADD1FF681D C59CAFFDE B9A0F85828AB751E59FDF24403A4EF D158E6B8A4C59C5B DAF563535FF5F097F EA19A9B0DC4D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\style[1].css Size (bytes): 829 ASCII text Entropy (8bit): F84D0985AF87B4D4F6AE8816F9C5C5 9CF62A3E EB6CAF0AEEB3CB030 93A1109ADA0CD55DEDEAF7E9C4251A7F91AC3C3E1AB85E25E37B6CD4E47D504B 0423C77082E7CEDE3ED0C10219D8DCE268D2F137C2B5BD46D1A9FC1A15EEFD316D190BACD3AC22C60FDE155D C044ED A2C1453EA3B82393ABDCF7D22B3 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\style[2].css Size (bytes): 1451 Entropy (8bit): ASCII text, with CRLF, LF line terminators 62B98BE5341C2EDD03514C1A7B D54C E28638D99D24444EC144E97D4A20D 868BF7EAB9E3F916A3B26DB98A11D7F73A6800F56C8AA55FC C9AF 5CBCF71E3DF0C5D8A6AB9FA3C52D70DC27123D4922F5C3CA2FAD3F745EE3813C5A6D62837FED8B270B0FC0E5 A6B5A91F3B719ED986838BEE48E7DEEA1DC41B2 Copyright Joe Security LLC 2018 Page 17 of 70

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\style[2].css C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\arr_3faad3[1].png Size (bytes): 1048 Entropy (8bit): PNG image data, 17 x 12, 8-bit/color RGBA, non-interlaced 39D59605AE12364A5D9401E0AA7FEA1C C78ECBEA841E7989D761F26CADEDA93F7434A89D 3D48FD8B86194BF4B4E0CB0C55E3E81B85619B692DC6019BFC5F73B7863D1E35 49B B04ACA3A81F826C7AEDD2CB5F3E1C4E77A8CC4F9DB3A956BD18ACE2B02B7D5C9B3EF27E 52322AED3AA3F6541B5632BE0F49D8D16BDA895 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\caf[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): FADE2068E7503EAE8D7DDF5EB6BD A096D6C86486A71D BCD171A6BB3 E586A84D F42E510D78E141015B6424CF67D612854E892A7BCEDC8EC9E A9ADB9FEEA4BC14B9C34ED17CD30F8CB36DC686E9F69A292FE65BEBC195BE FD98EC7B67BFD363FBB B6089C41A0B7CAB5130B50B461748E668CAC75621 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\invalidcert[1] Size (bytes): 5123 Entropy (8bit): HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators DE640A4BFEBAB60DA20EA8D35B E1FDF9A543B44A0B0C3F51379FBC0E59AB2EFAD8 E8EC4E22DDCC6E52E242331CB84DDB1EAC45E8ABD51F1892DE33DC279E0E F57AE5C E0030C4B44A1FAB7C7991F6CFF8FB0C40A40C35D6C26C76BE5EAE8E22C5CFC89EE066 81F08A157B63C0A55B3557C08D331A7EC4B7C7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\red_shield[1] Size (bytes): 810 Entropy (8bit): PNG image data, 14 x 16, 8-bit colormap, non-interlaced 006DEF2ACBD0D2487DFFC287B27654D6 C95647A113AFC5241BDB313F911BF338B9AEFFDC 4BD9F96D6971C7D37D03D7DEA4AF922420BB7C6DD46446F05B8E917C33CF9E4E 9DABF92CE2846D8D86E20550C749EFBC4A1AF23C2319E6CE65A00DC8CBC75AC95A CAB1536C A 8739B D0BA562F48F4D3C25104B059A04 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ErrorPageTemplate[1] UTF-8 Unicode (with BOM) text, with CRLF line terminators Size (bytes): 2168 Entropy (8bit): F4FE1CB77E758E1BA56B8A8EC20417C5 Copyright Joe Security LLC 2018 Page 18 of 70

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ErrorPageTemplate[1] F4EDA06901EDB98633A686B11D02F4925F827BF0 8D B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F 62514AB345B6648C A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E BFAC A416C09733F24E B96843DC222B436 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\HttpServices[1].htm Size (bytes): 9575 Entropy (8bit): HTML document, ASCII text, with very long lines 153B590E5C D0493DD2C67D 1345A4C22C9652F24C99EF8F7553A32CA378E0CB E005CC03D8B67B2037E5656B02875C62F22FC4321DED9C1ACBC13373F64C8083 2DDB1B067F2983DBE2937B865FA22F2730D3FDBEB3865BD1F BCDB4778EBB2C79C35F070A9DF6353AAA AEBE1017AA0C9A CCA0FDEFA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\chalkboard[1].jpg Size (bytes): JPEG image data, EXIF standard Entropy (8bit): D3E0F565802D A BBEB01B4255F88A0539ED9A4D7897A 9375C DA3973E66793A778E07B4295C310AE9E45E3DCA877F2777F3F AC4992E5B740FCCC221F59C690C8CA070CC74C0584CA8A6A E279E36D3C86E6C691AA0AAB242CD A4CA4C7978C5C647F1B9B43F8324B092185B13 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\down[1] Size (bytes): 748 Entropy (8bit): PNG image data, 15 x 15, 8-bit colormap, non-interlaced C4F558C4C8B56858F15C09037CD6625A EE497CC061D6A7A59BB66DEFEA65F9A8145BA240 39E7DE847C9F731EAA72338AD B957859DE27B50B6474EC D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE AC191F8F F76 8F4840BCD5B62CB6A032EF292A8B0E52A44 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ga[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): E9372F0EBBCF71F851E3D321EF2A8E5A 2C7D19D1AF7D97085C977D1B69DCB8B84483D87C 1259EA99BD BFD3102C679EB0A DC526B0452F4D42F8BCDD45F C3A1C74AC968FC2FA366D9C DB9AF1289ADFB165FC71E7750A7E62BD22F424F241730F3C2427AFFF8 A540C214B3B97219A360A231D4875E6DDEE6F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\iframe[1].htm HTML document, ASCII text, with very long lines, with no line terminators Copyright Joe Security LLC 2018 Page 19 of 70

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\iframe[1].htm Size (bytes): 1163 Entropy (8bit): D3930C2CC3B43DDAB8602B157B32E97A 61ACFA08A4F294E E9F6DFAA 22E848647A670B79B1199F7CFA9A9D822F81B724A8F1C0F9D750D785E671E04E 50DDD6B8602C5ED5B843B36C504C8D95C6D365138B6AA32B66599E8B38CD17948E8AC355E5B9023D014BDB F2B22A6D459A042ABB46C7C58499B4CC9945 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\invalidcert[1] Size (bytes): 3084 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators F927FC64C6CCF8F9E508B5C8510C8D26 9AAAD2E C151FF294A116D66D7286CC052 D1122EFA5A5D7CF93E9DA4CB8525CC7E6CCF50B9FA16C167A5D7E A5FA A70CE43D8497EF7D91D8C2C78DFB52FAE9AA1C39691D46D8EE3A2E65D82482E8F2916C39B3D85CE8B8F9A0647 FCCDC831C1FD6824FD300AA91818D0191AA4C50 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\kmK-Zq45GAvOdnaW6y1C9y0[1].woff Web Open Font Format, flavor 65536, length 13508, version 1.1 Size (bytes): Entropy (8bit): D95FBDC74CA694CA85F0E36419DB33CB 818DBD1B9EDE0599FEC6F324BC821A10B5EA AFFADF178770E9BAAA92A9C332678DAA1A5A5121B861611FC184990C342 FAB272F4CD373A34280CFDD82B8F1D8E D8315F719BBEB280E263454E28EEEEA417AC0EDABFECFC2E FD2A7055ED1A7FFE7355B A86 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\webfont[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): C96A5F11D D5E3C42FF6380D7 D3FA2564C021CF730E58FFDDB138CF6B57ED126E 81016AC6BE850B72DF5D4FAA0C3CEC8E2C1B0BA A6766ADFAD40BEE 23C162A2E B580E5035AD6CA9969CFCC5CE58A220817B912E76B38BE6C29C3CA7680CB4E D95A 72EA65BD06FF7189B5C8475E4C1CE501AEAB1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\caf[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): C398B4EE28F6D82EEB A21CB 727A56D292A841EB42B9B4C48189A EF3 D65923FBDA A4B3A D126F ADF3C6EB F50B11313C3EB96FDE8BDE1D6686D0A109E41E1CCE4F9436F4AE02D1D4B2B668E8895FB A4 BE165DD12127EBFDC686568CA94A32BC1D81D Copyright Joe Security LLC 2018 Page 20 of 70

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\css[1].css Size (bytes): 234 ASCII text Entropy (8bit): B118A59CD5D270BC3463BBB183AFAD2 B3BFEE27DC548240CAAC0D AF9B3BC F20B9C23D473B5A2A0C7250ACADBD57ABC077CDCD3F0F45BAFA8813BC3EF C993025EF614F306354D3B892F46B4B401A90F7C60AE11756B660A16AC2BD743AD746CC3DF061F BB56EF8EED88D76EDD6546F5A3F8E870204F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\css[2].css Size (bytes): 550 ASCII text Entropy (8bit): A B4B5775A9C974DA352952A 422CE2E176F55B6E9E7D9DFCAAD1823E5F87A892 0BDF1D1CD52091F3B3D2E9316D9AC927C78D4B9AEC3DD2ECA5DA19BE2E7B6A9F EB BAC9A9C4C5C9FC E F4A E5080C558BB0B30AFD82E3A2AF358D FDF0E41E92F6D E832EF06D70210 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\green_shield[1] Size (bytes): 810 Entropy (8bit): PNG image data, 14 x 16, 8-bit colormap, non-interlaced C6452B941907E0F0865CA7CF9E59B97D F9A2C03D1BE04B53F2301D3D984D73BF BA122F4B39A33339FA9935BF656BB0B4B45CDDED78AFB16AAFD73717D BEB58C06C2C1016A7C7C8289D967EB7FFE D9205A37C6D97BD51B153F4A053E661AD4145F23F56CE0AEB DA101932B8ED64B1CD4178D127C9E2A20A1F58 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\httpErrorPagesScripts[1] Size (bytes): 8714 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 3F57B781CB3EF114DD0B B7B CE6A63F996DF3A1CCCB81720E21204B825E0238C 46E019FA34465F4ED096A9665D1827B AD82E98BE01EDB1DDBC94D3AD 8CBF4EF582332AE7EA605F910AD6F8A4BC FA84F08943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5B A16B5A64A23AF0C11EEFBF69625B8F9F90C8FA Copyright Joe Security LLC 2018 Page 21 of 70

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\httpErrorPagesScripts[1] C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\kmKiZrc3Hgbbcjq75U4uslyuy4kn0qviTgY3Kc Y[1].woff Web Open Font Format, flavor 65536, length 33524, version 1.1 Size (bytes): Entropy (8bit): D E75161C0BF9C E258C2F52341AEB9676CD0532EDF9004D30 A45D7D CA25DCF3F050638DF9A452A8658DA2E834E1572DB08DAAD324C 9471ACA0DB01A9AB B991E3C954BFBF B738EA FBC03CF D326D5ED3E 576D3784CC7D1DDA3322E3B28CBF582048A34 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\kmKnZrc3Hgbbcjq75U4uslyuy4kn0qNZaxU[1].woff Web Open Font Format, flavor 65536, length 32752, version 1.1 Size (bytes): Entropy (8bit): DF8DAE64E9B53B5D6C1F8C31B71375F5 BA1C671CF1184EE622B2BC57BB07605B5A413DE7 81DE777BA5FA4D458C66F0A06ECAAFFF45E4E630A37BA8011C987253D43D63FE 7F DAF7D0B0B64AC9C33466C7FB84B45B21BDDCC35D88B0AEC38D3E97FB6EF8F5F24A2946AE1646AF4 1E2CE69B7CC86FE16FBBADD661D32AD001B7600 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\30UCWPFD.txt Size (bytes): 371 ASCII text Entropy (8bit): AE7EA595DBE06CDA13E8444EFE97DD1C 92EF01CBD71743F5028D7AE619C0D672D331B06B 7FA417B45E36310DD699D0BC00A7C50C68557D0D75BF3F17DC95E394780C72A5 3B1CB229B4263CDEAF745F0B533B79CC4C557D3984FE2D5BAE640B1E3A EC00D7577CA848E369F8D18A F8F27293D320E9A27F30BE2F059A C C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\689OZ74Z.txt Size (bytes): 288 ASCII text Entropy (8bit): C6EAED5D62F74B6693FFFD12861D55 1B61C2FE43A6C36CE6A5F435253BECDCB19F1CCD BF729E94AC2FD2F7C44A653F8156CE147F61561C0B41C9BF3C3A26ED4EAE372F E39B8E AB081B92912D12B7953F0A42CA7F9E8BCF3939B899D19107A5EF62824D7FEEDAA7E7B4B84FCB 386B7FCBC02C21142C270BDD16962DFD093B36 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\7J04SCCY.txt ASCII text Size (bytes): 577 Entropy (8bit): Copyright Joe Security LLC 2018 Page 22 of 70

23 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\7J04SCCY.txt E7093C131ACA8CDDF3CAA39D0FBFA80D A90BB0D0A5606F199904D23581C373C74D94094A 9E57BA8A2EC96141CFF21A0FE08C797CC688C34008BA39C240F8F0D FC E1412FD027E126EDE32457C427AE FF7C1FA42FAEDF3FC10B29D35192DA40492BD0BAC5C7465BC4955F 65FB539336CAEE6BD0EA8467AC05D79CC15760 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\A5OEPL8I.txt Size (bytes): 86 ASCII text Entropy (8bit): A85E369D712CF1E45A62645A775FA96E 14249E05487FB7C48CE4BD2CE657B76F2CE6934A EB1D0FE97B476B1FB57D6CE9FE904EC89710BCD03954B20E3AF9E8E737 39BD293ECB3D229FE DE2553E0F6D10A6D811265A4A8868D339ADB9B0AEC27E296181CF402C1E66FE 878D713F78DC06C4982E5AA8F64B8DD8CE4ECF C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\GLRJRZGB.txt Size (bytes): 380 ASCII text Entropy (8bit): B35FCAF FE3B8CB3F9DA7C C16C5789BF9A FD2A5081A05C B4688BA83C0E1C F101AC8F053D306CCC148755AE868C56A0537E6 6DE61D CCA7FA7DCDA8D82441D126C648506B0F151CB8578DA3DA4CDBF783E075F7E92CDC660C58D FCC5547F6E67AD9D3430C9199C50C591D169A9 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\IRGO07WQ.txt Size (bytes): 233 ASCII text Entropy (8bit): D56481EC52CE2D57D1286DD5ED46DEE CB104D55DA37132D857506A72496C5DDFA CC7C5360D9B19FC353FB681FEC1CF258596E1506B2BE07A5EF3DB901E99D766F 6B56BECE975A954D94E2254D B DDB6BEF5FD6902B141CCD0FEB53FBB57F9F3E5BCBF F0999EDA69600FBBD926400FE C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\M9EXN1H2.txt Size (bytes): 498 ASCII text Entropy (8bit): A74BD0BD6B4A E66A2 00A063AC82280FA2C2FF350AB2F368BC087110DA 7D02518D4FD0B28223A08E071AF801C5B0F1907BEEFB72BEB8A6700BBD68393B 2025FA718B43D189A7E A272A6B3B01F37149D8A690D70FDEB4E553DEAD23AD944822F EE987F F852747A98377FA067F05DB433E1CC407A110 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PDKT3BCC.txt Copyright Joe Security LLC 2018 Page 23 of 70

24 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PDKT3BCC.txt Size (bytes): 577 ASCII text Entropy (8bit): DE4C8D9AEB0D917CC689F6EA8C F DCCFB9846EBF0B327476E0A5 0A30E7586C449DBFA5F33A2D1B82FF7E0476F54CC7109D7E971D416F5B438B67 81DD0E35ABBE7AE238C5E524BC79E1D84731DD8D896467E306F7C919F71B6520B3D35A126628B86BD C FB1EB2353FDA4FE7FBDE5A63FF604875F892D C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\R1D3H5RW.txt Size (bytes): 90 ASCII text Entropy (8bit): F20D978C9DDF159F7ADBD48BD30 A4FBA70439D DD210370E509ACEACC4605 3E7B2CE51B274568A37BEF9F63B84B9970FAFFC92D0D9F84CFD166A38C784C4C 69C4BA08783D2AD11638B0B B8C7F4EC3E9990F4D582E7E780E15E8BD0237E42F1090C55A DA5FDD47EFE263904AF139EA32D18783 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RC427TYU.txt Size (bytes): 131 ASCII text Entropy (8bit): D64A037482F235C92DE293F168B6D F720E537147EA749FF0D9ABBA8DD38501C F EB24AB23BBC249EF163E9BC5E9B01D E7B57321D1F42 15F4CFE0B4A2A5178FE148D8F93381F419A5C35C7F5EBF35CB1394D57D045C4ABC17C050EBD27FBC0D FA9AECE17C A7BC607BB7987D59E4 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RMY9O1BI.txt Size (bytes): 380 ASCII text Entropy (8bit): FBA5D7627DCB D6A3CDA 1ADEA0DA973706DC92C40428CCB20533ADDB108F F99F9F D26DAA51D72DD931BDDFD8FB9ED224EB5D229566EC115C2D A9E81B6E4886CB24A7087C FDBFDEA5CCB7CC4A83F3D2AA4C63767B8197BE0B5FB69993CEEB6BC489D F B299D8E56ADAF41927ABE41BB3D10EEE Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation googleadapis.l.google.com true 0%, virustotal, Browse high parkingcrew.net true 0%, virustotal, Browse high googleapis.l.google.com true 0%, virustotal, Browse high d1lxhc4jvstzrp.cloudfront.net true 0%, virustotal, Browse high Copyright Joe Security LLC 2018 Page 24 of 70

25 Name IP Active Malicious Antivirus Detection Reputation gstaticadssl.l.google.com true 0%, virustotal, Browse high true 0%, virustotal, Browse high cs9.wac.phicdn.net true 0%, virustotal, Browse unknown true 1%, virustotal, Browse high googlehosted.l.googleusercontent.com true 0%, virustotal, Browse high a1621.g.akamai.net true 0%, virustotal, Browse high updates.ddni.net true 0%, virustotal, Browse unknown www3.l.google.com true 0%, virustotal, Browse high true 0%, virustotal, Browse high www-google-analytics.l.google.com true 0%, virustotal, Browse high ww38.updates.ddni.net unknown unknown unknown afs.googleusercontent.com unknown unknown 0%, virustotal, Browse high ajax.googleapis.com unknown unknown 0%, virustotal, Browse high crl.pki.goog unknown unknown 0%, virustotal, Browse unknown ocsp.pki.goog unknown unknown 0%, virustotal, Browse unknown fonts.googleapis.com unknown unknown 0%, virustotal, Browse high fonts.gstatic.com unknown unknown 0%, virustotal, Browse high Contacted URLs Name NTk1NDBlYjMxYjUzYzA1NDU0MWM0OTMzNzI3MzljNDU0NTVjY2ViNDM5YjdiY2NkMDA2ZTgzYmNhYmVm N2Y6NWIzYmM3MDI5Y2U5Mw%3D%3D IHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D d8k4ujpndnaxlckg0iogfqz%2bukscceon2r2kxhjx DY0NDIyNi42NDI3OjIwNTk1NDBlYjMxYjUzYzA1NDU0MWM0OTMzNzI3MzljNDU0NTVjY2ViNDM5YjdiY2NkMDA2ZTg zymnhymvmn2y6nwizymm3mdi5y2u5mw%3d%3d l=de&adtest=off&type=3&pcsa=&optimize_terms=on&swp=as-drid &uiopt=true&oe=utf-8 &ie=utf-8&fexp=21404%2c &format=r5%7cs&num=0&output=afd_ads&domain_name=ww38.updates.ddni.net &v=3&adext=as1%2csr1&bsl=8&u_his=1&u_tz=120&dt= &u_w=1280&u_h=1024&biw=767&bih =473&psw=767&psh=473&frm=0&uio=ff2sa16fa2sl1sr1-wi666st22sa14lt33-&jsv=13945&rurl=http%3A%2F%2Fww38. updates.ddni.net%2fhttpservices Process Contacted IPs Copyright Joe Security LLC 2018 Page 25 of 70

26 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Country Flag ASN ASN Name Malicious United States GOOGLE-GoogleIncUS United States AMAZON-02-AmazoncomIncUS United States AMAZON-02-AmazoncomIncUS United States GOOGLE-GoogleIncUS United States GOOGLE-GoogleIncUS United States AMAZON-02-AmazoncomIncUS United States GOOGLE-GoogleIncUS United States GOOGLE-GoogleIncUS Australia TRELLIAN-AS- APTrellianPtyLimitedAU United States GOOGLE-GoogleIncUS Static File Info No static file info Network Behavior Network Port Distribution Total Packets: (HTTPS) 80 (HTTP) 53 (DNS) Copyright Joe Security LLC 2018 Page 26 of 70

27 TCP Packets Timestamp Source Port Dest Port Source IP Dest IP 20:57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: Copyright Joe Security LLC 2018 Page 27 of 70

28 Timestamp Source Port Dest Port Source IP Dest IP 20:57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: :57: Copyright Joe Security LLC 2018 Page 28 of 70