ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version:

Transcription

1 ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: Data Obfuscation: System Summary: Anti Debugging: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets HTTPS Packets Code Manipulations Copyright Joe Security LLC 2018 Page 2 of 94

3 Statistics Behavior System Behavior Analysis Process: iexplore.exe PID: 3084 Parent PID: 548 General File Activities Registry Activities Analysis Process: iexplore.exe PID: 3136 Parent PID: 3084 General File Activities Registry Activities Analysis Process: ssvagent.exe PID: 3188 Parent PID: 3136 General Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 2018 Page 3 of 94

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 10:12:02 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 5m 52s light browseurl.jbs =dumontdaabbstib.irisnet.be&client=023&record0 23abcdedumontdaabbstib.irisnet.beabcdeclic1 Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: HCA enabled EGA enabled HDC enabled CLEAN clean3.win@5/68@23/11 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 100% (good quality ratio 85.2%) Quality average: 64.4% Quality standard deviation: 36.1% Cookbook Comments: Warnings: Browsing link: Browsing link: Browsing link: Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Copyright Joe Security LLC 2018 Page 4 of 94

5 Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold true Classification Copyright Joe Security LLC 2018 Page 5 of 94

6 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample HTTP request are all non existing, likely the sample is no longer working Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Signature Overview Networking Obfuscation Data Summary System Debugging Anti and other Techniques for Hiding and Protection Hooking Language, Device and Operating System Detection Copyright Joe Security LLC 2018 Page 6 of 94

7 Click to jump to signature section Networking: Downloads compressed data via HTTP Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Posts data to webserver Tries to download non-existing http data (HTTP/ Found) Urls found in memory or binary data Uses HTTPS Data Obfuscation: Contains functionality to dynamically determine API calls Uses code obfuscation techniques (call, push, ret) System Summary: Found graphical window changes (likely an installer) Uses new MSVCR Dlls Binary contains paths to debug symbols Classification label Contains functionality to instantiate COM classes Contains functionality to load and extract PE file embedded resources Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Detected potential crypto function Searches the installation path of Mozilla Firefox Anti Debugging: Contains functionality to register its own exception handler Contains functionality to check if a debugger is running (IsDebuggerPresent) Contains functionality to dynamically determine API calls Copyright Joe Security LLC 2018 Page 7 of 94

8 Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Extensive use of GetProcAddress (often used to hide API calls) Language, Device and Operating System Detection: Contains functionality to query local / system time Contains functionality to query windows version Behavior Graph Behavior Graph ID: URL: Startdate: 15/01/2018 Architecture: WINDOWS Score: 3 Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values iexplore.exe started iexplore.exe Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious 8 63 comptage.routedirecte.services directmails.fr , 49169, 49170, 80 OVH-TELECOMFR , 49174, 49175, FIRSTHEBERGFR 9 other IPs or domains started France France ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 10:12:20 API Interceptor 1598x Sleep call for process: iexplore.exe modified from: 60000ms to: 100ms Copyright Joe Security LLC 2018 Page 8 of 94

9 Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Domains Source Detection Cloud Link app.purechat.com 0% virustotal Browse ocsp.rootca1.amazontrust.com 0% virustotal Browse api.purechat.com 0% virustotal Browse ocsp.rootg2.amazontrust.com 0% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Copyright Joe Security LLC 2018 Page 9 of 94

10 Screenshot Startup System is w7 iexplore.exe (PID: 3084 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3136 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3084 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3188 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) cleanup Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\Cab971D.tmp Microsoft Cabinet archive data, bytes, 1 file Size (bytes): Entropy (8bit): true 7D75707BCEDE1005E6791BA62D373C38 E33DF37548FC6595DBA6BF1593A12E9058F1FEC E5BE196FD70B7BF91EAF319CC125DB98105C9DA7A1B0CBCFDA61313 Copyright Joe Security LLC 2018 Page 10 of 94

11 C:\Users\HERBBL~1\AppData\Local\Temp\Cab971D.tmp A3E45C10422FF6660AD753A1E4BE45D3225C0E1584E4785BCAD10A00850FD915BE9B3F5FC8C17133A A582C6FB10DE757DCA445D390B BADE C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log Size (bytes): 89 ASCII text, with CRLF line terminators Entropy (8bit): D7D905116CE9A845F13BD253811B9 AF51FD4011F9855D97B4A61D2D437D469C20430E 293DC201796A05A6107AF7A4A82C02EB CC6702AC BAB6AE1FAB F73CDA A0CC6A8F48941E99C7E50D157F952A673E4DD92237CAB1FE1E372230A36263E769D5450 8DE146CEFA1D0ADCEF67F8E7913F C:\Users\HERBBL~1\AppData\Local\Temp\Tar971E.tmp data Size (bytes): Entropy (8bit): CDB BFB2FCBF0D3F86B11F 3C556A91995A3FFC55C8FCD71D687EF4560A1AB A4580B1B1601BC E6E299FD70008CFEAF0FE3AB DE6B3 DC7B3BD3A36D8B02C9D9E475B93E3A4FF3A4D5751A762B40AA5A0C8543D18B047B19DB31F18D1FF314275E3A16 E2E6B3437E3AC825A63AE895F13B82C7273E8B C:\Users\HERBBL~1\AppData\Local\Temp\~DF C20AA.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): FCD6F21EF329738F80DFA3AD031999A 11D8B8DDF9C34C350A7387EF33D8FF3F07900B11 E E9C5FCF40DD1AEF3C6CDA8F043FAD1B5C41712FF428D3532A8C7 6CB5AB5425CE325C C3CB123D2BA187763E1BD D78ACA83FBF4E0E009629BC24D406BAC71A EC1A525CB90CAF89A9C5595FE45C66D77 C:\Users\HERBBL~1\AppData\Local\Temp\~DFAACE71B4B5A01ED8.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): D7EA4BFEF5DA1DBBD87F56AB9814F2F 052B8DC3ED025ABDF1651F0BE971D3D5D6A1EF2F 2DB831A61AD189F4BC DAEAA05524AF26ADF56445C37313E7D7BAF578B D745F4C33620BDE1AC073C977CBA160780C6E33DC1246DC6AE2B91C7E4ABFE65A9AC32D401D41FB10F9 58A8E991CE20F7DAF7736D6B6AD3BBF1AA19E97 C:\Users\HERBBL~1\AppData\Local\Temp\~DFB24826FF7FE8EE0A.TMP data Size (bytes): Entropy (8bit): D810886C5F640453E27C7D51C9B C15FDFC0F31C403D3579B9C6067C C9AB0FB64500FD75064A06A8BA4782EB7D0100A74FFB1D19C2CF37E701DA44D Copyright Joe Security LLC 2018 Page 11 of 94

12 C:\Users\HERBBL~1\AppData\Local\Temp\~DFB24826FF7FE8EE0A.TMP 6B8D BF9C1BEE6ADBFC62478BED1EF4AA57EFE E4C71E95B02CBC90F0C5EC3A3BCA1C939CE6 AD5D1C6E282BEE291DA1E317CD81276DE826A5A9 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E D9D67350CD2613E78E416 data Size (bytes): 2604 Entropy (8bit): AB1579E53AFCCF C19D25AF FA9EF64F2F27D7C6C039BDF0DAD3814B1 FA8F31103CBCB150797C4E49D43F6FF150549BCE3D15511C ACDE12AEE F70E91BE7B8E437C98ED40B633A6E30E8E0EB25EB392BD6EF937D09B2A24CA478F18A3CE76F81ACC513781C2F A70BBF1361AFD8CF58A7AC81A06641E0BD7C14B C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 data Size (bytes): 471 Entropy (8bit): B93B055F18ED02AC BFA E49C843005A144BE3DE9485B1F9BC4E5A9126D A2649B55B45DF55AC2A B428AD312A749BDA88AA21B6C800DCE6AD4CED 1A7E8C92A1516E9B2E224E239C29EA395C615585A429B5FDF66B794DBBE6336C2BCE435ACD4F145563E5ACB4E DDBE001566E1BB345BF9F6F5EAE0341B9AAB2A6 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC _93E4B2BA79A897B3100CCB27F2D3BF4 F data Size (bytes): 1426 Entropy (8bit): AD1307D958140DF E11E8A7E8 C25CF9338E28093C7441BDCB2B71411FB4FEA798 1BCC1F4F02E870188A8DDC9C07A9D3BB09F403E95509E9FD30AB245371CD503E 45EF9FEE8B229996AB1A46DA88742AA949FB0F730C997B461C9F523699F5EEC52C EF6117B8C3 783CDC88B3CAE578C0F8B82ED6B933EBE3CE C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 1084F35C75317FBFBEFF D6 DCC3B FF247406F1B18D0D97D0AC0FF70 9CF311AD6888F D0F10CCE8543F3D2B69EE4417BC499BFC281AB3E 612BD67C1D211B885CF90DB2D B522B7A784444D15DF9EC17C05C47AB B97F DF6F8F68D5 CD18C52A BFFF A7708F04 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A6 2 data Size (bytes): 1744 Entropy (8bit): C4828ED CCF3A10C1041DCB CE361B446361EC1A5E16A5E50A5B698F903D Copyright Joe Security LLC 2018 Page 12 of 94

13 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A6 2 45EED26413DE9019F8B1C124C8B4AE68CF861568E8695EE8D35A703E03A C3AF84598B B573E3EB9902D8B93CDBCD58594BE75662B74CB10B55C370725A3E E07C EB0D09D8213A9E558003A951C1313A5F5567 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD data Size (bytes): 1548 Entropy (8bit): CF55BDADC94F6FD66E54DBEDA3FCA 823AF498D337E4618A3FEC67BC2E AD EC0A9E8A6C0994C7E03382ED6E24893FD00E8CD27751D3AF41AA752A3F 4EAEBED0208C49A614B75CB1A12E9704B410BB0735AA2932B6683C8A42F0E388AF97F1A7B03AD8989F0FF E6AAB2C277BB7FD1412A9DADB64F2D701FA1 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC5A820A001B41D68902E051F36A5282_FA02A683BD44A5FE0EE923FE0D data Size (bytes): 471 Entropy (8bit): DE7268FD78E1576FCE98BA3A37CA97 D67350DC94039B64FBB1615E2F81C15FA57CBED5 1BE1979C2FAB57B002D0A89B8BBBA18E72772BFCA7AF4AAC219384DE226D32BD DF70F1257DDF23CB1CC025239E140E00C7AE95AC18100C AB90C61E15AE2D01BA59E79D954DCC0E8818B D11DC1FA1D944A7EC35FDA0BFD6C2C D C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E D9D67350CD2613E78E416 data Size (bytes): 460 Entropy (8bit): DD4DA05DB0D4D4CE00F8DC09C 69D77BEF7D7B2BA159E1AFDFB6F46F9A96B8A773 3ED562EBA77FDF80BB3DAFCABE01CAFAAB06AB872B85AEEAE6EDC04AF2A BCD8FBF47671D FA25C DE989EC6AC4DFF979DDCC87970F0EDBD1042D7E5750B AC D0C117376E28EBB851438A54DAD59F0E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 data Size (bytes): 340 Entropy (8bit): B26D14FA9D086E424AD83198A98BE FB9F F843687FC82CFE599FF725BB8E7A1 DC60D95DB92C4E DEF9ED0F440AA6B3EBD8449F7D28705ADEF51B C0709B9BF E03A0D210B1D78C032939CA4B907CECB18388B00E3662BC4CFF0459C9ADD7AA 34778A3B01825B52A8CEF6D606498F4D527FD C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 data Size (bytes): 868 Entropy (8bit): FC6BAE467B9FF61E12C1FA0ACF1CC1 Copyright Joe Security LLC 2018 Page 13 of 94

14 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 8F83B9D438F05C9EDD22F4A9A22D68D96C9EA881 3EFF3E7E111A90248C D8593FB147528C25887D80A3973C2775BEC72AA C29BD D04D8DD9B165EE5BEE3C63828DC770A18D37F1DBA4D7CCF305EE7C97ED27BCE21F8F872A3EAE E017C10CCACE73ACAE65F7CA6F84AD3AACA2D0EB C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC _93E4B2BA79A897B3100CCB27F2D3BF 4F data Size (bytes): 884 Entropy (8bit): A502C238DF6DF47B45C7FA8E83A114AA FE EF46562B8D062B89078DD98B 6F629F1644FECA769D30A214F8CBAC7D82923AD0D1EDB935F62AFCCD8F61DF82 3BEC454A30BC0B5312AA1B4EB033BF098A2A379BAC1ECB90DB6E618BD00B281F2880C4EEB9EB69F87C8731CE 922A5DC375F28B FEBE3EDB23FAC54D0B1 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data Size (bytes): 656 Entropy (8bit): A6CCCAF0FDB66FCBFE4BC D 5D95B9E6DAD5A142EC4DA68F1D8A C F68F42C4B875A6C5BDCFC88A6FBA397C15F3060E9727E8C562D81E500EA2 03F19AB75DF355AE11083A6238CFFF853DD664E629A8DAC87DA303EA7E91AA571743B673BC9FE31ECE51D12FD ADE73E406E3B5A38B50A29E6481F158A7E37630 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A 62 data Size (bytes): 916 Entropy (8bit): C7F714D407854F067EFA7DA CCB71CB56A5FB8F46F8BFCC85C AEF3 41C38DA7DFF85B3A37A0D0BE49762B19E0C1D7271FBE21AF5C51214C6B8140F7 B35ABF1FF22F6F4DC7DEE9A8E EB1937EDE2A4D5258E40D3284A4A2ADB8F955F4DBA311E6A15C4B1 9581BC197DA032C60ED0C1C569D84DF274702D0 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD data Size (bytes): 864 Entropy (8bit): C42D6D EF6E413BC377E11 AEB86548A92580F7B4EF4F990BE678AECF25FC6D BA4645F4AE2EF4DBA27C45A FD4B86A4A1A8AF244E5D631CE9D9B756 E2C5B3A0BFA011CEE10ADF171D1985E1E5BEFB31CEE0CA4A7A8098D2133E65E45088BA246FFE6C32BA C0B97AA FD44FFA9340E9ACF0A212BB54F C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FC5A820A001B41D68902E051F36A5282_FA02A683BD44A5FE0EE923FE0D data Size (bytes): 904 Copyright Joe Security LLC 2018 Page 14 of 94

15 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FC5A820A001B41D68902E051F36A5282_FA02A683BD44A5FE0EE923FE0D Entropy (8bit): E1BE590CCF87B09C617DECBCB3E727 66B7E45A8BB1CDA039964D737ECBE6FE676F0BC4 FF06F6BA62ACF0502CF2F528944A2FC38BC6A99CAF2EA5A7A02D7D8847AB87FC 7C87B6382AA4CDE60FEB62D9D836FDE4172B2DB46EBD66C256CBC438C3BB0D1E532FE986FFA06FD38D2E0A D7399D71F4C504CAB9CA9241D527669D C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico Size (bytes): 300 Entropy (8bit): PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced 5B188904E3BC E7AC4A4A 96607BA DF3A A5E83BA8683D 507C647828E8B817E23D90C7BE73B3105C32B D0647B35046A32BE BF5DBC8CBAD84CA240A2DDAD2DE73BFC434193A4F A E8C92D99AA6B0C5698C702FD DF28916F74561CAE1F8C73C0D9DD1A9FF7 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\XCC689S4\directmails[1].xml Size (bytes): 429 Entropy (8bit): ASCII text, with very long lines, with no line terminators 01919F4805AF0CAB2C4018C033F808E4 9DE0C4397A9823B3C6C064E0BE0AA87DA045F612 B615CAA3D35638F8E968CE C3EB8E4600CDB9F5D23555D8E C68DAC683429E86C5F34782F040C78A E90579CE28E1A12B4F7A4178AD4C4F126075AD F954DA8 7DDF1895C61186E8A6B4187E9E97BBD5B4E5 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 data Size (bytes): Entropy (8bit): A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A6 09B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators E6306BB52BF6F6D5D891B9D0B1E36F14 3F409FAE3E27D64695D977FF7B92AF3EE06024C4 1E0968E9B5D61EF9203FEE7246B FE954DF36075FA0F2CE1B4677 0A913C7C1546F859CF1B1738D865FDEA38DBBFE4D5B EDA1AA27CB4BC80ABDD1BD9A4D496515D D3EA5850BDA06AE981D95FD6854D87614C5CD8 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3014C921-F9D4-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document Size (bytes): Copyright Joe Security LLC 2018 Page 15 of 94

16 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3014C921-F9D4-11E7-B7AC-B2C276BF9C88}.dat Entropy (8bit): A B89CED9F6593BE2E8 900D14C3C45718F2BE4F0155A2AAD3CE4F11CA53 A7CA1B699ADAE90DD83572D6F2AC1FAB62AED51F26FD A5189BD2655F 4C B062A0E03F17BB37F7FC003C4F8042F38A7D96DDB B1F343B913DEFD651F768667ABDACE23B0 F8BE95A98B44B10A74DE09976FB3ED7375D33 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3014C923-F9D4-11E7-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): F42E45D973FB51174FBCB35F389229D1 4DFAB5035AC6CA5DF2D16E29D EBFE B7FA6CE0BB153AB3F4BF4B719FAE0E684D7147A71E49E52AAFD81C1CB710AD58 565C030D41DC81C53CD2A73DA68FCAF95AE C700B017E35A27DEE888B03F15D9A6D7324A8FC2271E980 CD347ED396DE0C12F62303C1BFAD175D4CC147 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3A9DD710-F9D4-11E7-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): AEE12011E EB42C6FD0A15D57A C2436CAC69315A19CEAE397F85881B2365A0B795 41EC87F0A34D3D2A411527E9173D47BCFC0704ECD00D939AFDAEB43D5A5877AD 76ED3C7FD14DE2CECF663AADF53EE43D675D26A6BB7726E42ADD ACB01A97532E445E51A79A1C9FB4 1E1BEB025253BCB6C67598CB9835C4C5C0468FC C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB136.tmp Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators A37D5835A4A14C9BFAD7898C3B719F3C F21CF355B4515C09174F5D5E5BADBF3319DD70F0 F0B53707B CA2C39C782DD32BCB60DF970313A029D605B719AC1BF9 079F412666F02FE93F2AA4DEC7CBC22B91BE70B71037C B66EA5A680590C8E92DDEE64D2DD934858B44A 4C97A8CE53660F FD31047E4ED08A25C C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB22F.tmp Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators A37D5835A4A14C9BFAD7898C3B719F3C F21CF355B4515C09174F5D5E5BADBF3319DD70F0 F0B53707B CA2C39C782DD32BCB60DF970313A029D605B719AC1BF9 079F412666F02FE93F2AA4DEC7CBC22B91BE70B71037C B66EA5A680590C8E92DDEE64D2DD934858B44A 4C97A8CE53660F FD31047E4ED08A25C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\accueil[1].htm HTML document, ISO-8859 text, with very long lines Size (bytes): 7796 Entropy (8bit): Copyright Joe Security LLC 2018 Page 16 of 94

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\accueil[1].htm B5EB14A94353F408282EE2F7C20E64B0 2055B7B061F1980E62A0F26D3EB492E501E6AA87 AB24EA14D39AB1F03E350B EAF9BAB0009A51BE97C91E4F5C511C3EC AD03D7E5B7F7B99E54B7317EC44034C6DDFA913FB407D EC5174F12A E7CD0A02D5F A8FE405E4DBC603AA7EEDB39AF2E8A272 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\boite[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 2918 Entropy (8bit): FDB7BBEAEB838FF510DB4A84D57A14A3 039C AD05BAAF40C5586EB986BF01D4 E52D7254C07444F4A7D52E583CBF6575B157C43AAE0FB8E7CA4F1A75BF49FAB2 4F388EBB5485D19710B68B01469F15F08342B5E808776D29000E78CC800637CD1B32F47AD5FF4F B28220E 9D204F5F9AA3F91EE94EFC A40BE2 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\flash023_1[1].htm Size (bytes): 182 Entropy (8bit): HTML document, ASCII text, with CR line terminators 5D4BC00998C0867F53AA2D43D639EC66 30B9CED16FD5EBCB8CCB7D7A38CAA24A43AB1ADA ADCF84C915765D DB C08152B0F969370CE92920A800C13FDF 009E0038EB61E3A701877C5DFFE0B612CF591F8AF1E556CB4B631DE1B2CC3C22F9DCAE35DBE6E926AA8337DE1 3AEE0F58633CBA1D560B3720C09CC7D45163A72 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\fond_box[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 1302 Entropy (8bit): EE9CCBE30F6ACDC43D75E454E12E792 CD15D1283B48F15966A01CBA1A3F3C20DFAB83D8 BAF71017E74EB6BE9AEC0A2F CD8143CF C12AEA6EDD18 F89127A9976DD123FC61CAA6006DCE9D08D1E7B7F9CA7CD E385BC0D12DB269EFAEF AFB4FCB973DEE68AFF8EA770B64499D8B34485 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\fond_centre[1].png Size (bytes): 186 Entropy (8bit): PNG image data, 1000 x 1, 8-bit/color RGBA, non-interlaced EDCBA853EB9BF23F74CB8 F4B38810F75EF9DE04D11A58C C617B3C D1E966AD70956C1EDF00C17FAABA33F087CCD0573A7EC244A82B7EC E6EBA04974E48EB302A06873FAEB92BCC C118BC2FEC62C82BA2CC BCBAC405A5FF9B62 4C578862FA35D91BEFAD9564F08E32AF0008D6 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\fond_page[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 2355 Entropy (8bit): Copyright Joe Security LLC 2018 Page 17 of 94

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\fond_page[1].jpg D0DD8C B520EC00A D9D 5C59D76484CCECD58D082A060B10F7CBF1781ED6 6E36A010149DA1BBFBE370A4717D6C0D2A2E0815E821985ABACE51E237B15F4D A22CB3F6EFD165F75A47D27822ADF1A2AAA64E899B6D40BEC397824F7C F80D04D847E6398D3523C0AD8 E226E57C0D0A2BC92D C4D213B7A5704 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\header[1].png Size (bytes): Entropy (8bit): PNG image data, 1000 x 204, 8-bit/color RGBA, non-interlaced true A01F0157A8D5B0DA278D3205BCD81A51 6EA53F94392D071E54DEA B720D98E77 DB99B8F455DB30BE A85C1F1A2A0960EB51D1FE84BB590411C7255CE6B 0EFEA75FC55B6AB20E02D5F84B3B9986B33839D4E5074C1B12972EA2F385BA728DDE404FBE5AE2EABCEA67C8 C61596BAE0F8E906AF0E3CF2560FB54DDD2992A8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\phpmyvisites[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): D22E4F2D2057C6E8D6FAB098E76E80F B80B11203D97FE01C5597CA3BE70406EA48F5709 AFE0DCFCA292A0FAE8BCE08A48C14D3E59C9D82C6052AB6D48A22ECC6C48F277 95DD0E4944B1541A9BE48A60A1A105FCFA0D69DD215ABAA9C1771ADECC5EE0C0FE91D0EB367B6D46A4F8B2E0 6E6FB962D56DFC1C53F1F62CC8B CB1E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\accueil[1].htm Size (bytes): 7796 Entropy (8bit): HTML document, ISO-8859 text, with very long lines A54383D203BDAB50417E92EAD0818CEB D59A460ABAA2F8451DFD2FD ABF195C5 420A4303EF FF87D0AB8BF0146FEC4486D813F988BDB3656B8182E 196EA3658BDB4658B1BBDBEEF739CD3B874D9099D7D16AEAB0C62A9B5069A0FB D47EC5AF0256C9E ADC393DB819AD05EF56CE4C31349BF18B9A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\centre_menu[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 351 Entropy (8bit): C978318F32BBBC1CF901BBA1B55D34A 131E50466EED633159C48AEB4B29E14B4E9001AD 551C2291F4CDD3B82B1C6360B526E8446CDE4EDE EFB31C4718 F641D82589AFB8FD4E970B26630C75F EAE080392BB20235AACB667E5AEDB2E0DE9B E8C00 C35FAF5C19DC4540A19A9BFA09AAF90A51D93 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\fond_body[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 485 Entropy (8bit): CA39B4C2CD9BFE446650F3A64A140E Copyright Joe Security LLC 2018 Page 18 of 94

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\fond_body[1].jpg C050AAB4F D84CD110563A8C0A2CAA916A FD4668F210B1C368AF58A9DC6461A47F1C5A6F6FA5FF7AA131A3A21E70F F5B871A CB58A33CBD88F7EB6BD8A9A4E3E1169A32F6E2A D8E4C BDB97950FE8E277B FA7453DD157684ED48D3197ED03CA693DCFD16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\fond_centre_promo[1].jpg Size (bytes): 5350 JPEG image data Entropy (8bit): E5E1EA47C01E2D34104CA2F F6B4ACB3CBB B01523FDB1A BADFCE E534A933E2AFE4CDC515A9CEBFFD8286A909ADB24C7C7B2F 1A295A9487F993B3C599C6214BF032FF070DCA0655C167855E4FA0FB1315FD43B DC1CA4E3E7525FE9829 D0CA851F216B2F C4749FEC37CC8E8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\phpmyvisites[1].js Size (bytes): 4520 ASCII text, with CRLF line terminators Entropy (8bit): EF0A801B53357D98025BF794DC7DDC 7CBAD14900FB4175DAB01868E4C39B5F4DE4E01B 37F0A3CDAD034BD53C7DE3174FB38D09A76DAB98DB5A35979E6A528B42AD3C9B E86B11787CBDDAD24DC766A2177FC8E23BEEF5F248952E9736F D64E2D4EF33E6E7F8DAD242A93B64BE8 6E864B64F574DE890255A6EC4486B53B1B8164 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\separation_box[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 428 Entropy (8bit): EDB500F3B96E708D9FE71D700 6A7E7E12477BAA EAF083E4FD0C934F1A A958B A AE801C515CE91DDEAAF E528FC2CEF7C18 0F88F04A2E9C69242E3FD0AF6F2D4B D04846EDC5E792D89C7F2269FF50F179A6B2414E5A BDD F42C BAE7EB1E13AD69D6BB8D544E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\urlblockindex[1].bin Size (bytes): 16 Entropy (8bit): data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\b010-3[1].htm gzip compressed data, from Unix Size (bytes): 323 Entropy (8bit): DEC9CA8ABF38089FB5B326B9D702A12 9FD3112AAB58D37CB1BB CE501B14C7854 Copyright Joe Security LLC 2018 Page 19 of 94

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\b010-3[1].htm BFCAFB935D7DDF7B768E834C D15C4961F879DC5ADFD9ABE7C9F E38162A26683FF22D2E4C1DCCD73158D1FA6B332EB9C6B7BD70283DE3BC01BA5016F5A6F439A9D17B1AC9 98EE41255E3ACB623E6DF A07EB2F0E0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\bas_page[1].png Size (bytes): 4400 Entropy (8bit): PNG image data, 1000 x 45, 8-bit/color RGBA, non-interlaced C32334E1B4BEB67B9A605B7058CAC832 4A F56AF44AD4F4C428386EA8BC C4E6D047FB98AE30474D6695A421C74F010BCD9378BB8980B57C9D06BC0F4 3FC728D0EE8D0E4B9C6E2C758B71DDFC8768A03F978801DB82B2C03A8FEE25F6D6D0C43E15257B D0FEC62AD26DB9B733CC8B3EA6F8F1C90DF91A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\fond_menu[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 775 Entropy (8bit): EF587365B07EE0AF8798D169D753FF F41627DCD66A824D1A C40A6C3990B65A0 8ADF3299B69B6F13C9C60F0A91B687FFE28218D10319A9BCE9982DA5F5D36F96 87B483E8608FF588ABDFE0BD93BBAE0E0FB6683DC3C2E90825ACD8F91A F234379B7022E81D7FBE452 B F57BBCFF0A887ADEE2C189B78EFDDB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\logo[1].gif GIF image data, version 89a, 149 x 148 Size (bytes): 7881 Entropy (8bit): ECE013EB73988D0A9B4F9D4EFA A55991A2E18A37806DAD615C7100D5E2CA8F9C8B 24F7FD56C2441D2418DAF134762DACF6196CC5FDAD3BBC5F5B12C976F38923B4 AB125DC0DC7A493F8AFD50F25C59778EEFBD FE4DB80E9F30F03B EB480076C0A2FC34BC5B9F21 F278451C4927DA5A1A9C9011FCCB7B93749AB4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\phpmyvisites[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): D22E4F2D2057C6E8D6FAB098E76E80F B80B11203D97FE01C5597CA3BE70406EA48F5709 AFE0DCFCA292A0FAE8BCE08A48C14D3E59C9D82C6052AB6D48A22ECC6C48F277 95DD0E4944B1541A9BE48A60A1A105FCFA0D69DD215ABAA9C1771ADECC5EE0C0FE91D0EB367B6D46A4F8B2E0 6E6FB962D56DFC1C53F1F62CC8B CB1E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\phpmyvisites[2].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): D22E4F2D2057C6E8D6FAB098E76E80F B80B11203D97FE01C5597CA3BE70406EA48F5709 AFE0DCFCA292A0FAE8BCE08A48C14D3E59C9D82C6052AB6D48A22ECC6C48F277 Copyright Joe Security LLC 2018 Page 20 of 94

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\phpmyvisites[2].gif 95DD0E4944B1541A9BE48A60A1A105FCFA0D69DD215ABAA9C1771ADECC5EE0C0FE91D0EB367B6D46A4F8B2E0 6E6FB962D56DFC1C53F1F62CC8B CB1E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\site[1].css Size (bytes): 8870 ASCII text Entropy (8bit): B6F CA047BEE1A4BF3FB422C 275FB2104F99CD4AE29A885C195A898843D0FD8F 9077DD1DD FDA970B867623D728D8F77C74706F3BB7F9EE5E282B488F7 E2DB7E209EE7D94A1B59A39F6DEF85B6654BAA03B22AD26DB6B074A8636D2499D53E90497F1EA20E790D1F A0DE0117B8C1FA82EE74BABF4A95BA9E7B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\suggestions[1].en-US data Size (bytes): Entropy (8bit): A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A6 09B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\accueilsms[1].htm Size (bytes): 7059 Entropy (8bit): HTML document, ISO-8859 text, with very long lines AC188CFA66B2AD9C4C3EC686EC32FB4D 8F779F6568BFA47C050E7AEF0402E90CD04E442A 66CED1948C8228B253166E8B80EE8F774C FA2854B01FB317BAB5CB6F4 0ABD3AAF39B76F633AC21D40F99857D694F A213FA2D5A91523B4F ABAD2228AC38590F9E2ED 01EB9ACE3214CC28B127742E62A8C509A5C1A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\bas_menu[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 1270 Entropy (8bit): E4CA589D32BA2824DFBE4C28E7FD41E 23B29474D F C261E8F9DC1A3D04 C15D809875FD6A3425A67E6E6C064A97964D3BE729F30D3DC46E42CBE4F8F DDF6F3864CFF0D22C2518C414B2B3D663F4A515C128A6091C3C216272E6F747DDF A B99F 4606E8B3DEBCE846233B849E6AC81813DE54 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].ico PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced Size (bytes): 300 Entropy (8bit): B188904E3BC E7AC4A4A 96607BA DF3A A5E83BA8683D 507C647828E8B817E23D90C7BE73B3105C32B D0647B35046A32BE1016 Copyright Joe Security LLC 2018 Page 21 of 94

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].ico 99BF5DBC8CBAD84CA240A2DDAD2DE73BFC434193A4F A E8C92D99AA6B0C5698C702FD1 5663DF28916F74561CAE1F8C73C0D9DD1A9FF7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\fond_menu_actif[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 886 Entropy (8bit): FF CB1EA613F4AC1A943DCB 6FF501076ABAB7F5187D24A1275EE52DB42B C33E19918F54D5DBA95140F4E4449B10E0F3FFEEBD0E258DB2FEAC042A910 F3618C69ED5DABC7F440A7ACD2C56ECD66BCE70E78EDE14EA7D17904AA5BF778655B9BAA5E9DE52E49D3A4E E1C06BFB6FE1DCA3F389D1ED7A4D667C3C11578E6 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\iecompatviewlist[1].xml Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators E6306BB52BF6F6D5D891B9D0B1E36F14 3F409FAE3E27D64695D977FF7B92AF3EE06024C4 1E0968E9B5D61EF9203FEE7246B FE954DF36075FA0F2CE1B4677 0A913C7C1546F859CF1B1738D865FDEA38DBBFE4D5B EDA1AA27CB4BC80ABDD1BD9A4D496515D D3EA5850BDA06AE981D95FD6854D87614C5CD8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\index[1].htm Size (bytes): 8320 Entropy (8bit): HTML document, ISO-8859 text, with very long lines B7B3F8E73746AB8A22B43D31AE6CD389 E52224EAEFE7912DB7D0C3574AEB8FC8FFA3B17A 1B04AC21C90E03DE3A7CC621D2E60AA5EAD FBBA03E62C26ABC4138 9F087FA80378CAAC74843D62CFF29970ED5E542E4BCA964133C7ABA69C6FDBAFB64B005FD0BE923C0F307B3C3 1A9D34E08C9CFD48FD7BB89F974B087DE7E1D0E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\phpmyvisites[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): D22E4F2D2057C6E8D6FAB098E76E80F B80B11203D97FE01C5597CA3BE70406EA48F5709 AFE0DCFCA292A0FAE8BCE08A48C14D3E59C9D82C6052AB6D48A22ECC6C48F277 95DD0E4944B1541A9BE48A60A1A105FCFA0D69DD215ABAA9C1771ADECC5EE0C0FE91D0EB367B6D46A4F8B2E0 6E6FB962D56DFC1C53F1F62CC8B CB1E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\picto_telephone[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): 1599 Entropy (8bit): B834B96883FA7CA0AAFAC47E74248DFC 41A2EE6FC9877EFBE84A1A722E18F942858E4D96 8B6D2C C8A499C7E4F1F0FE9835F2586FB97B91BB73DB167A53EE7749 Copyright Joe Security LLC 2018 Page 22 of 94

23 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\picto_telephone[1].jpg D95F26156A28DFEC4994F88309B5AE9BC8F488C8245EB2523E93C30D41AAEDA54C0115EB0017D1D4DBB F35E2245FE79A08633D275C89D E8A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\widgetscript[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with no line terminators 911DFCE772B ACA8FE50BE6DE DC6E84E0E3EB3FF8EBB3E9B7F919E7E520 C CA18BD3FB6F549A19D DE57B24EB840DBDC85922A04F62891 D8E F8C62029F6AA5F113444B7D576FAED14949A0F0F15B0684BA3EBF5C C2E216957A79C36F3 B641C1CE67F7BF8F7310D0B6906E76C9699B C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\1MJYUEKP.txt Size (bytes): 358 ASCII text Entropy (8bit): D C6F8AEFD47808D7DA0F75C4 231A64FB130D9F7B C1F86661FA939D925 F1DA6508EF1BE8B07AB98150E6A8F408F7BEA779F0D15BB1DCFEC84D82833C04 FE44A4C58CCFA E B7DA8E72C2E9045E67A403EE1A310D0CAA59DEC625590C E225E72 EC8E6F66D50C1CA54CAD0EB AF0B2CF7 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\L3WSW9E1.txt Size (bytes): 356 ASCII text Entropy (8bit): CD736330BFB6D354F568E1FB5DF10 01A19564F8BDE6F9501AB7D BECC8AC F DF1E B418B7B666C431B8C52EE85D459353C1B9DF565 52E5C EC9E52BE0D3ACC8D207D3B5BD4F4AEB65A3775ADABE D527FA1EEF1801B936FB991 15D9AC6B35C56A EDAEC2B0F3666 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\OTF262JE.txt Size (bytes): 354 ASCII text Entropy (8bit): E64B753B13DE857407F132DEE84E5948 0C7C6DA41029DFF2647AEBBE55F0EAE32EF AE21AFAD333F461B D F4C7E2646EE10D2C0A99CC51B0 2BFF7ADFE96C5DFA FA4E0E4E7EF69E0E742AD617E055F9F091BB CB87B1AE0BB0DE DF50ACFC43609B889B1AFCF1ABDE27BA863BB2 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PS7HMAY2.txt ASCII text Size (bytes): 356 Entropy (8bit): E956CEAA65F0FE72D F66A0D AEDA8DC48B84E1ECD4D FA23CDBD40D 8E1CDDD8A7A7C0E8D9204C83CBAF45FAE848BC995B3A1D43603F808ACC8A6199 Copyright Joe Security LLC 2018 Page 23 of 94

24 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PS7HMAY2.txt 85B6D1EDCB6839AD642E698B50BCF1268A84FC1B2D996C06D043458A5B E2E1C3A58E82E848A FF30A3CFB423E6C299BCCB86F4F08B66D1C9D C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WETETE7UR08CHFD8U3MA.temp data Size (bytes): 3358 Entropy (8bit): B34B14BD8A793929CEEB7D36EDD4DAB CEDC4B B287E029AF93CC8D719A95BD 3EDA4EFFB5A93752DEE6A87B05310EA80A98D315BFEE97CF7C1BD C C62F6A07D6598B7A8D3498B07A39230EA4E72EBF9D645C17CA8B0D37E4FB3B4055CC04FA9DC9BA6F7AD55154D 3E890BD6EC77E33D3842B8A56B77EA936738AEC \samr Size (bytes): 116 Entropy (8bit): Hitachi SH big-endian COFF object, not stripped 080E701E8B8E2E9C68203C150AC7C6B7 4EF B805758AE1D3B122F9D FE129AE2A7C F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D C11D88B8E355B7B922B B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719 D892B4C0D22BB67BE0D57EAB368BA1BC057E79 Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection app.purechat.com true 0%, virustotal, Browse ocsp.rootca1.amazontrust.com true 0%, virustotal, Browse api.purechat.com true 0%, virustotal, Browse ocsp.rootg2.amazontrust.com true 0%, virustotal, Browse o.ss2.us true ocsp.sca1b.amazontrust.com true comptage.routedirecte.services true directsend.services true directmails.fr true true x.ss2.us true Contacted IPs Copyright Joe Security LLC 2018 Page 24 of 94

25 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious United States AMAZON-02-AmazoncomIncUS United States AMAZON-02-AmazoncomIncUS United States AMAZON-02-AmazoncomIncUS United States AMAZON-02-AmazoncomIncUS United States AMAZON-02-AmazoncomIncUS France OVH-TELECOMFR France FIRSTHEBERGFR United States AMAZON-02-AmazoncomIncUS United States AMAZON-02-AmazoncomIncUS France FIRSTHEBERGFR United States AMAZON-02-AmazoncomIncUS Static File Info No static file info Network Behavior Network Port Distribution Total Packets: (HTTPS) 80 (HTTP) 53 (DNS) Copyright Joe Security LLC 2018 Page 25 of 94

26 TCP Packets Source Port Dest Port Source IP Dest IP 10:12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: Copyright Joe Security LLC 2018 Page 26 of 94

27 Source Port Dest Port Source IP Dest IP 10:12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :12: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: Copyright Joe Security LLC 2018 Page 27 of 94

28 Source Port Dest Port Source IP Dest IP 10:13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: :13: Copyright Joe Security LLC 2018 Page 28 of 94