ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version:


Table of Contents

Analysis Report js.jar
  Overview
    General Information
    Detection
    Confidence
    Classification
  Signature Overview
    Networking:
    System Summary:
    Hooking and other Techniques for Hiding and Protection:
    Malware Analysis System Evasion:
    Anti Debugging:
    HIPS / PFW / Operating System Protection Evasion:
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshots
    Thumbnails
  Startup
  Created / dropped Files
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
  Static File Info
    General
    File Icon
  Network Behavior
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: cmd.exe PID: 3264 Parent PID: 3068
      General
      File Activities
    Analysis Process: 7za.exe PID: 3272 Parent PID: 3264
      General
      File Activities
        File Created
        File Written
        File Read
    Analysis Process: cmd.exe PID: 3296 Parent PID: 3068
      General
      File Activities
        File Created
    Analysis Process: java.exe PID: 3324 Parent PID: 3296
      General
      File Activities
        File Created
        File Written
        File Read
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018

Analysis Report js.jar

Overview

General Information

Joe Sandbox Version:
Analysis ID:
Start date:
Start time: 10:01:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 4s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: js.jar
Cookbook file name: defaultwindowsfilecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Run name: without instrumentation
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winjar@6/478@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  Successful, ratio: 100%
  Number of executed functions: 0
  Number of non-executed functions: 0
Cookbook Comments:
  Adjust boot time
  Found application associated with file extension: .jar
  Stop behavior analysis, all processes terminated
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  Created / dropped Files have been reduced to 100
  Report size getting too big, too many NtCreateFile calls found.
  Report size getting too big, too many NtQueryDirectoryFile calls found.
  Report size getting too big, too many NtSetInformationFile calls found.
  Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: java.exe

Detection

[Table: Strategy, Score, Range, Reporting, Detection. Surviving values: Threshold; Report FP / FN]

Confidence

[Table: Strategy, Score, Range, Further Analysis Required?, Confidence. Surviving value: Threshold]

Classification

[Chart: axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; levels malicious, suspicious, clean]

Signature Overview

Networking:
  Urls found in memory or binary data

System Summary:
  Enables security privileges
  Classification label
  Creates temporary files
  Executable is probably coded in java
  Reads software policies
  Spawns processes
  Uses new MSVCR Dlls
  Binary contains paths to debug symbols

Hooking and other Techniques for Hiding and Protection:
  Disables application error messsages (SetErrorMode)

Malware Analysis System Evasion:
  May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Anti Debugging:
  Creates guard pages, often used to prevent reverse engineering and debugging

HIPS / PFW / Operating System Protection Evasion:
  Creates a process in suspended mode (likely to inject code)

Behavior Graph

Behavior Graph ID: Sample: js.jar Startdate: 26/09/2018 Architecture: WINDOWS Score: 1

[Behavior graph: cmd.exe started 7za.exe; cmd.exe started java.exe]

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious

Simulations

Behavior and APIs

Time: 10:01:43; Type: API Interceptor; Description: 2x Sleep call for process: 7za.exe modified

Antivirus Detection

Initial Sample
  js.jar; Detection: 0%; Scanner: virustotal

Dropped Files
  No Antivirus matches

Unpacked PE Files
  No Antivirus matches

Domains
  No Antivirus matches

URLs
  janino.codehaus.org; Detection: 0%; Scanner: virustotal
  janino.codehaus.org; Detection: 0%; Scanner: Avira URL Cloud; Label: safe

Yara Overview

Initial Sample
  No yara matches

PCAP (Network Traffic)
  No yara matches

Dropped Files
  No yara matches

Memory Dumps
  No yara matches

Unpacked PEs
  No yara matches

Joe Sandbox View / Context

IPs
  No context

Domains
  No context

ASN
  No context

Dropped Files
  No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7
cmd.exe (PID: 3264 cmdline: C:\Windows\system32\cmd.exe /c 7za.exe x -y -oc:\jar 'C:\Users\user\Desktop\js.jar' MD5: AD7B9C14083B52BC532FBA B98)
  7za.exe (PID: 3272 cmdline: 7za.exe x -y -oc:\jar 'C:\Users\user\Desktop\js.jar' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
cmd.exe (PID: 3296 cmdline: 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\js.jar' St >> C:\cmdlinestart.log 2>&1 MD5: AD7B9C14083B52BC532FBA B98)
  java.exe (PID: 3324 cmdline: java.exe -jar 'C:\Users\user\Desktop\js.jar' St MD5: 02E26F23B FB5E33DB36BF08C)
cleanup

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c7c46.timestamp
  Process: C:\ProgramData\Oracle\Java\javapath_target_827509\java.exe; File Type: ASCII text, with CRLF line terminators; Size (bytes): 51; Reputation: low
C:\cmdlinestart.log
  Process: C:\ProgramData\Oracle\Java\javapath_target_827509\java.exe; File Type: C source, ASCII text, with CRLF line terminators; Size (bytes): 197; Reputation: low
C:\jar\META-INF\MANIFEST.MF
  Process: C:\Windows\System32\7za.exe; File Type: ASCII text, with CRLF line terminators; Size (bytes): 212; Reputation: low
C:\jar\META-INF\maven\org.codehaus.janino\commons-compiler\pom.properties
  Process: C:\Windows\System32\7za.exe; File Type: ASCII text, with CRLF line terminators; Size (bytes): 105; Reputation: low
C:\jar\META-INF\maven\org.codehaus.janino\commons-compiler\pom.xml
  Process: C:\Windows\System32\7za.exe; File Type: XML document text; Size (bytes): 1166; Reputation: low
C:\jar\META-INF\maven\org.codehaus.janino\janino\pom.properties
  Process: C:\Windows\System32\7za.exe; File Type: ASCII text, with CRLF line terminators; Size (bytes): 95; Reputation: low
C:\jar\META-INF\maven\org.codehaus.janino\janino\pom.xml
  Process: C:\Windows\System32\7za.exe; File Type: XML document text; Size (bytes): 1985; Reputation: low
C:\jar\META-INF\maven\org.mdkt.compiler\JavaStager\pom.properties
  Process: C:\Windows\System32\7za.exe; File Type: ASCII text, with CRLF line terminators; Size (bytes): 123; Reputation: low
C:\jar\META-INF\maven\org.mdkt.compiler\JavaStager\pom.xml
  Process: C:\Windows\System32\7za.exe; File Type: exported SGML document, ASCII text; Size (bytes): 8761; Reputation: low
C:\jar\St.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 52.0; Size (bytes): 2575; Reputation: low
C:\jar\org.codehaus.commons.compiler.properties
  Process: C:\Windows\System32\7za.exe; File Type: ASCII text, with CRLF line terminators; Size (bytes): 53; Reputation: low
C:\jar\org\codehaus\commons\compiler\AbstractCompilerFactory.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 1950; Reputation: low
C:\jar\org\codehaus\commons\compiler\AbstractJavaClassLoader$ProtectionDomainFactory.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 400; Reputation: low
C:\jar\org\codehaus\commons\compiler\AbstractJavaClassLoader.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 5691; Reputation: low
C:\jar\org\codehaus\commons\compiler\CompileException.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 883; Reputation: low

C:\jar\org\codehaus\commons\compiler\CompilerFactoryFactory.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 3840; Reputation: low
C:\jar\org\codehaus\commons\compiler\Cookable.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 3655; Reputation: low
C:\jar\org\codehaus\commons\compiler\ErrorHandler.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 397; Reputation: low
C:\jar\org\codehaus\commons\compiler\IClassBodyEvaluator.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 1113; Reputation: low
C:\jar\org\codehaus\commons\compiler\ICompilerFactory.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 774; Reputation: low
C:\jar\org\codehaus\commons\compiler\ICookable.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 1850; Reputation: low
C:\jar\org\codehaus\commons\compiler\IExpressionEvaluator.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 1526; Reputation: low
C:\jar\org\codehaus\commons\compiler\IScriptEvaluator.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 2083; Reputation: low
C:\jar\org\codehaus\commons\compiler\ISimpleCompiler.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 332; Reputation: low
C:\jar\org\codehaus\commons\compiler\LocatedException.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 1543; Reputation: low
C:\jar\org\codehaus\commons\compiler\Location.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 1546; Reputation: low
C:\jar\org\codehaus\commons\compiler\Sandbox$1.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 1834; Reputation: low
C:\jar\org\codehaus\commons\compiler\Sandbox.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 2485; Reputation: low
C:\jar\org\codehaus\commons\compiler\WarningHandler.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 427; Reputation: low
C:\jar\org\codehaus\commons\compiler\package-info.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 232; Reputation: low
C:\jar\org\codehaus\commons\compiler\samples\ClassBodyDemo.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 3748; Reputation: low
C:\jar\org\codehaus\commons\compiler\samples\DemoBase.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 4075; Reputation: low
C:\jar\org\codehaus\commons\compiler\samples\ExpressionDemo.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 4602; Reputation: low
C:\jar\org\codehaus\commons\compiler\samples\ScriptDemo.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 4409; Reputation: low

C:\jar\org\codehaus\commons\compiler\samples\ShippingCost.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 2132; Reputation: low
C:\jar\org\codehaus\commons\compiler\samples\package-info.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 240; Reputation: low
C:\jar\org\codehaus\commons\nullanalysis\NotNull.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 491
C:\jar\org\codehaus\commons\nullanalysis\NotNullByDefault.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 511
C:\jar\org\codehaus\commons\nullanalysis\Nullable.class
  Process: C:\Windows\System32\7za.exe; File Type: compiled Java class data, version 50.0 (Java 1.6); Size (bytes): 493

18 C:\jar\org\codehaus\janino\Access.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 1.6) Size (bytes): 1554 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: C B5A3B3F866D0E04B309C3A55 6C23D72FA04139CFF2A938B079A72F34E13D207F DDBBDD40821FF83B9883CE D49D2351E9A2DFD2607EAEAC7DB CA193CD650344A B0236D31E99F6754B57F D893EE3015C8FD6585C7F5E05C B7 875AA71D84FA42E8238BD2CE052F42BD5D C:\jar\org\codehaus\janino\AntCompilerAdapter.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 1.6) Size (bytes): 3685 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 2E31D8B7DBA5CF CD85B6BE7B0 D9F29A7E2DF1CFC E441FD1FE9D3BC58 D826A2E894AA216C6BE5D1D7FCBB56FFF0DA FF2B539844E663E2E57E1 826EC9845A92E19A4CB9E5F0C2BF96B538E9C51FB6BE60A887AEE0434D42C640EFB96FB66680E38FE84609B2C6 042AF662E A6B025C16A694F20C4D5E9 C:\jar\org\codehaus\janino\ByteArrayClassLoader.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 1.6) Size (bytes): 1931 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: E4A58F295277A588FB444CA 1E166D88CBF4FB004BEAB03BE2D8A049ACC89EC2 7DE82D3E47628A30CEE3F88FC5B8294BD07F15D162295BEA107C1DC2FF9F89D D8A9B87CB2EC AA272CAF4ADC2677EFF86F1922EFCE C0BC0CFC67121ACE3FC F33E1BFF3C7AD0B4DBC5E2BD77CE36C401D C:\jar\org\codehaus\janino\CachingJavaClassLoader.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 1.6) Size (bytes): 5741 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 5D8851D41291F1F20A B CC DFADBCC248EFD0CA9FDE37E 84D8F86C0D85399DC3295D7E8773F32BBA3480BA196A448700F5F24F84D201D1 DA949A07B3A31BDA109911F9B04CA3CECE5774A F35C7CA5EDC85047DEB34DC73D61A24CA1D559A E18A6CEE805A6D D6F600D2338 C:\jar\org\codehaus\janino\ClassBodyEvaluator.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 
1.6) Size (bytes): Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 56647AECAA C7A32D130F9 4ACEC36FDF E C04544C591EF8B 93F2B73BF4EBE8C0066C8F9F5DC21A2CF908D918E466C199EC B74 ECE60A22FB8E058D8E4A96D81A91A95ACDE82BF2A8242B63524E D3963B3CFE2ED567281CF4901 AD4656EB866051EA85352E2E4BEC937C73F8A C:\jar\org\codehaus\janino\ClassFileIClass$1.class Process: C:\Windows\System32\7za.exe Copyright Joe Security LLC 2018 Page 18 of 293

19 C:\jar\org\codehaus\janino\ClassFileIClass$1.class File Type: compiled Java class data, version 50.0 (Java 1.6) Size (bytes): 8644 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: D9A4F1DAAD831FA947475C3B85D16F DF066B3F1EE258BFB375A637E23B3D683EC ED0A81B7C F579B93C320E2DDB7C6083FE0CF C490F D6E9108EAC56376F3721D4F055E4D65BEC76060ACC539DF16A724D1CDA02FCC9F1D4B3393BCB5DA6D1CA26C ECDB100F02D82B839988E51713CD6990DAA7E6C C:\jar\org\codehaus\janino\ClassFileIClass$2.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 1.6) Size (bytes): 3482 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 4286C3B A1927F50A DD481CBB9577D49B41ED80084F91150DCF7E4 2C92153D9AAE8D91017E2D1864C0B98A80E429CD D11CF F DA9F52AB7C3146ADDA4E1E56153C4470AE9DA267A972857F7C1934C20E36E0EB5EEC F3C4A699FFDEBB B2A6954F181C155E7FCDF8D3872E8497FE00178 C:\jar\org\codehaus\janino\ClassFileIClass$3.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 1.6) Size (bytes): 3056 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: C E2842D53249FCBED14C6906F 5F47007E103FCE69E01F3EA7E07B BF95C 4DDA073A4A8528F1E1BE2D8F21BB83D1DEFC58990D65249CFCC9E0AB97E0868A 3C3331F97494DDE5AC E23EBCF C73C63065F6A92A6F52555A857876D91F1F8062F15B1D4DBF A1B7B383494AAAD3E52342E7D0B0EB C:\jar\org\codehaus\janino\ClassFileIClass$4.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 1.6) Size (bytes): 2682 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: CA77D493429A411E27C7D2E0A15D2799 0C827BDC653FFDFE6EB8DC38B B50E5C1F7E33AAD2E6087C7D34CFDC3A19D56EE6BA68059CC5B93E2EFE0CD112 3E764D6B3B2324C3BF46B5CB E6E51FE493E9AB9F22001F52B4C5B7D7F4E9BF73848FA71AFEDC6C B3ADF996E63581AF39E3F5FA5E A57B C:\jar\org\codehaus\janino\ClassFileIClass$5.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 1.6) Size 
(bytes): 2226 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 2BA40328DE0BA9DD9D1FAD3F1EDE587D 78C95B47CBE6A7098AFA7F4A0FBD0E66D0CA53C0 27E FC89AED0421B5B67644B60F0CD21B64AC28238DEEE0C9F3A9 8A23EE7CCF68CB4BA8AA2A791F2CDAE156683FB52D42FF0F5784CACF7E7A69386E62098C930D01DF83E84BC9A 889E8D A1F06A1D31A6C12B5D91B C:\jar\org\codehaus\janino\ClassFileIClass.class Process: C:\Windows\System32\7za.exe File Type: compiled Java class data, version 50.0 (Java 1.6) Copyright Joe Security LLC 2018 Page 19 of 293

C:\jar\org\codehaus\janino\ClassFileIClass.class
Size (bytes):

C:\jar\org\codehaus\janino\ClassLoaderIClassLoader.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 2501

C:\jar\org\codehaus\janino\CodeContext$1.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 221

C:\jar\org\codehaus\janino\CodeContext$Branch.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 2726

C:\jar\org\codehaus\janino\CodeContext$ExceptionTableEntry.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 888

C:\jar\org\codehaus\janino\CodeContext$FixUp.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 227

C:\jar\org\codehaus\janino\CodeContext$Inserter.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1058

C:\jar\org\codehaus\janino\CodeContext$LineNumberOffset.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 846

C:\jar\org\codehaus\janino\CodeContext$Offset.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 2129

C:\jar\org\codehaus\janino\CodeContext$OffsetBranch.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1871

C:\jar\org\codehaus\janino\CodeContext$Relocatable.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 797

C:\jar\org\codehaus\janino\CodeContext.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes):

C:\jar\org\codehaus\janino\Compiler$1.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1415

C:\jar\org\codehaus\janino\Compiler$2.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1077

C:\jar\org\codehaus\janino\Compiler$CompilerIClassLoader.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 7243

C:\jar\org\codehaus\janino\Compiler$SimpleWarningHandler.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1417

C:\jar\org\codehaus\janino\Compiler.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes):

C:\jar\org\codehaus\janino\CompilerFactory$1.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1027

C:\jar\org\codehaus\janino\CompilerFactory$2.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1250

C:\jar\org\codehaus\janino\CompilerFactory.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 2307

C:\jar\org\codehaus\janino\Descriptor.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 8947

C:\jar\org\codehaus\janino\ExpressionEvaluator$1.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1349

C:\jar\org\codehaus\janino\ExpressionEvaluator.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes):

C:\jar\org\codehaus\janino\FilterWarningHandler.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1338

C:\jar\org\codehaus\janino\IClass$1.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 489

C:\jar\org\codehaus\janino\IClass$2$1.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1737

C:\jar\org\codehaus\janino\IClass$2.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 3028

C:\jar\org\codehaus\janino\IClass$IAnnotation.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 415

C:\jar\org\codehaus\janino\IClass$IConstructor.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 2184

C:\jar\org\codehaus\janino\IClass$IField.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 1365

C:\jar\org\codehaus\janino\IClass$IInvocable.class
Process: C:\Windows\System32\7za.exe
File Type: compiled Java class data, version 50.0 (Java 1.6)
Size (bytes): 4164

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: ID: 41304 Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview

More information

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version: ID: 52 Cookbook: urldownload.jbs Time: 1:41:45 Date: 23/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version:

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version: ID: 1259 Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 1:29:43 Date: 25/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version:

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version: ID: 5250 Sample Name: test.txt Cookbook: default.jbs Time: 13:18:3 Date: 31/03/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version: ID: 49 Cookbook: urldownload.jbs Time: 19:: Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice

More information

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version: ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version:

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version: ID: 0309 Sample Name: image002 Cookbook: default.jbs Time: 1:19:2 Date: 1/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version:

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version:

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version: ID: 58133 Sample Name: Serial.txt Cookbook: default.jbs Time: 02:5:20 Date: 0/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version:

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version: ID: 6045 Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version:

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version: ID: 4253 Sample Name: text_0.txt Cookbook: default.jbs Time: 1:20:15 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version:

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version: ID: 48 Sample Name: maintools.js Cookbook: default.jbs Time: 1:43:3 Date: 1/02/2018 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal ID: Cookbook: urldownload.jbs Time: 0:25:02 Date: 29//201 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://15.1..14/neko.sh Overview General Information Detection Confidence

More information

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0.

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0. ID: 25 Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:4 Date: 20/09/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Payment_Remittance#.xps

More information

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version:

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: ID: 55401 Sample Name: E203182DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version: ID: 3923 Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/0/201 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version:

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version: ID: 50648 Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31: Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version: ID: 4706 Cookbook: urldownload.jbs Time: 22:46:20 Date: 1/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version:

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version: ID: 22 Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:0:2 Date: 02/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version: ID: 371 Sample Name: 21PO201745.jpg...js Cookbook: default.jbs Time: 14:32:0 Date: 21/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version: ID: 153 Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/0/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version: ID: 57706 Cookbook: urldownload.jbs Time: 19:5:34 Date: 02/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version: ID: 6467 Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version:

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version: ID: 042 Sample Name: test Cookbook: default.jbs Time: 09:4:1 Date: 21/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version: ID: 5253 Cookbook: browseurl.jbs Time: 12:5:02 Date: 02/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version: ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version:

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version: ID: 54427 Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version: ID: 52775 Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version: ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0. ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

More information

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date: ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

More information

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version: ID: 5139 Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0.

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0. ID: 5762 Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: :36:2 Date: 04/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version: ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version: ID: 64646 Cookbook: urldownload.jbs Time: 1:4:3 Date: 19/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version: ID: 52374 Cookbook: browseurl.jbs Time: 15:46:3 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0. ID: 64635 Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 1/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: ID: 62529 Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version: ID: 371 Sample Name: fly.jse Cookbook: default.jbs Time: 1:17:2 Date: 11/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0.

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0. ID: 54478 Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: ID: 74919 Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://tiny.cc/34aqxy Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version: ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version: ID: 5945 Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: ID: 42035 Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version: ID: 50646 Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: ID: 46296 Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: ID: 51900 Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version: ID: 388 Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:4 Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version: ID: 52376 Cookbook: browseurl.jbs Time: 15:4:15 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: ID: 42670 Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0. ID: 64992 Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 21/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version: ID: 5702 Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version: ID: 88 Sample Name: binarydata Cookbook: default.jbs Time: 22:09: Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: ID: 66665 Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: ID: 35936 Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: ID: 37366 Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version: ID: 6036 Sample Name: wtf.bat Cookbook: default.jbs Time: 1:32:35 Date: 19/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version: ID: 44491 Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:4:31 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: ID: 38812 Sample Name: paint.net.4.0.19.install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/07/2018 Version: ID: 699 Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: ID: 59136 Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: promo_50_ iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version: ID: 63041 Sample Name: promo_50_57443456.iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0. ID: 36381 Sample Name: New invoice 1385371761.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:4:06 Date: 07/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version: ID: 3626 Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 0:0:14 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: process.0xfffffa8004b x dmp Cookbook: default.jbs Time: 22:45:59 Date: 02/12/2017 Version: 20.0. ID: 38941 Sample Name: process.0xfffffa8004b120.0x480000.dmp Cookbook: default.jbs Time: 22:4:9 Date: 02/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

ID: Sample Name: rechnung_ js Cookbook: default.jbs Time: 19:18:52 Date: 08/04/2018 Version: ID: 53668 Sample Name: rechnung_164920244621218163584.js Cookbook: default.jbs Time: 19:18:52 Date: 08/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information
