ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

Transcription

1 ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Phishing: Networking: System Summary: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Thumbnails Startup Created / dropped Files Domains and IPs Contacted Domains Contacted URLs URLs from Memory and Binaries Contacted IPs Public Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph Copyright Joe Security LLC 2018 Page 2 of

3 HTTP Packets HTTPS Packets Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3920 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3968 Parent PID: 3920 General File Activities Registry Activities Disassembly Copyright Joe Security LLC 2018 Page 3 of 80

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start date: Start time: 20:07:43 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: CloudBasic 0h 4m 58s light browseurl.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 3 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Timeout CLEAN EGA enabled clean2.win@3/250@9/5 Adjust boot time Browsing link: Browsing link: Browsing link: oadvisorshelp.com/index Browsing link: oadvisorshelp.com/dataconversion Browsing link: oadvisorshelp.com/consulting Browsing link: oadvisorshelp.com/qbservices Browsing link: oadvisorshelp.com/taxation Browsing link: oadvisorshelp.com/accountingbookkeeping Browsing link: oadvisorshelp.com/quickbooks-payroll-supportphone-number Browsing link: oadvisorshelp.com/intuit-quickbooks-supportphone-number Browsing link: oadvisorshelp.com/contactus Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe HTTP Packets have been reduced TCP Packets have been reduced to 100 Created / dropped Files have been reduced to 100 Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Detection Copyright Joe Security LLC 2018 Page 4 of 80

5 Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Classification Copyright Joe Security LLC 2018 Page 5 of 80

6 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Signature Overview Phishing Networking System Summary Copyright Joe Security LLC 2018 Page 6 of 80

7 Click to jump to signature section Phishing: Found iframes HTML body contains number of good links None HTTPS page querying sensitive user data (password, username or ) Suspicious form URL found META author tag missing META copyright tag missing Networking: Downloads compressed data via HTTP Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Posts data to webserver Urls found in memory or binary data Uses HTTPS System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Spawns processes Found GUI installer (many successful clicks) Found graphical window changes (likely an installer) Uses new MSVCR Dlls Behavior Graph Copyright Joe Security LLC 2018 Page 7 of 80

8 Hide Legend Behavior Graph ID: URL: Startdate: 27/09/2018 Architecture: WINDOWS Score: 2 started iexplore.exe Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Number of created Registry Values Number of created Files Visual Basic Delphi Java 8 44.Net C# or VB.NET C, C++ or other language started Is malicious iexplore.exe cds.s5x3j6q5.hwcdn.net , 49203, 49204, 80 HIGHWINDS3-HighwindsNetworkGroupIncUS United States stats.l.doubleclick.net , 443, 49190, GOOGLE-GoogleIncUS United States 9 other IPs or domains Simulations Behavior and APIs Time Type Description 20:08:25 API Interceptor 47x Sleep call for process: iexplore.exe modified Antivirus Detection Initial Sample Source Detection Scanner Label Link 0% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Source Detection Scanner Label Link 0% virustotal Browse Copyright Joe Security LLC 2018 Page 8 of 80

9 URLs Source Detection Scanner Label Link fireworks.abeall.com) 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe pt_br.statcounter.com/ 0% virustotal Browse pt_br.statcounter.com/ 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe statcounter.comrshelp.com/d 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Copyright Joe Security LLC 2018 Page 9 of 80

10 Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2018 Page 10 of 80

11 Startup System is w7 iexplore.exe (PID: 3920 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3968 cmdline: '' SCODEF:3920 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) cleanup Created / dropped Files C:\Users\SAMTAR~1\AppData\Local\Temp\Cab1AE.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true C80707FEAA56B9F5F9F299A70A89A675 2DD4AA8EB8E0AD265AFA6FDEF00FCC1625CA959C 8573C2B9348FD9364D6DF901D44C5BD80E33278D4D4AD705D22C9757FA2B52B3 4E955F122EFDB59443FD78DD5F599AA7C3E03A0014A B382AE85E40304D2DA68EE402E007424F596682E7 86C7E53E2A1D224342ABFB06F545EBC1A3B1F Copyright Joe Security LLC 2018 Page 11 of 80

12 C:\Users\SAMTAR~1\AppData\Local\Temp\Cab43B.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true C80707FEAA56B9F5F9F299A70A89A675 2DD4AA8EB8E0AD265AFA6FDEF00FCC1625CA959C 8573C2B9348FD9364D6DF901D44C5BD80E33278D4D4AD705D22C9757FA2B52B3 4E955F122EFDB59443FD78DD5F599AA7C3E03A0014A B382AE85E40304D2DA68EE402E007424F596682E78 6C7E53E2A1D224342ABFB06F545EBC1A3B1F C:\Users\SAMTAR~1\AppData\Local\Temp\CabED.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true C80707FEAA56B9F5F9F299A70A89A675 2DD4AA8EB8E0AD265AFA6FDEF00FCC1625CA959C 8573C2B9348FD9364D6DF901D44C5BD80E33278D4D4AD705D22C9757FA2B52B3 4E955F122EFDB59443FD78DD5F599AA7C3E03A0014A B382AE85E40304D2DA68EE402E007424F596682E7 86C7E53E2A1D224342ABFB06F545EBC1A3B1F C:\Users\SAMTAR~1\AppData\Local\Temp\Tar135.tmp data Size (bytes): Entropy (8bit): CD81F6A51AEC72583E68BF A6C906D3953E7B92BD5CC12DAE27C772E3 540CB7459D0FD892B5C540F293E04AA3A049E65C0FB17F3B2E6245B37530C1D0 33FA38041F42317B1E36F673A7E BA691ECA127EDC0A191D9B4F6F663AD44E8AF84948B77A13FD64D4DF C0CB7A178AF64CA16D5A714F41B E2E C:\Users\SAMTAR~1\AppData\Local\Temp\Tar3CC.tmp data Size (bytes): Entropy (8bit): CD81F6A51AEC72583E68BF A6C906D3953E7B92BD5CC12DAE27C772E3 540CB7459D0FD892B5C540F293E04AA3A049E65C0FB17F3B2E6245B37530C1D0 33FA38041F42317B1E36F673A7E BA691ECA127EDC0A191D9B4F6F663AD44E8AF84948B77A13FD64D4DF C0CB7A178AF64CA16D5A714F41B E2E C:\Users\SAMTAR~1\AppData\Local\Temp\Tar43C.tmp data Size (bytes): Entropy (8bit): CD81F6A51AEC72583E68BF A6C906D3953E7B92BD5CC12DAE27C772E3 540CB7459D0FD892B5C540F293E04AA3A049E65C0FB17F3B2E6245B37530C1D0 33FA38041F42317B1E36F673A7E BA691ECA127EDC0A191D9B4F6F663AD44E8AF84948B77A13FD64D4DF C0CB7A178AF64CA16D5A714F41B E2E Copyright Joe Security LLC 2018 Page 12 of 80

13 C:\Users\SAMTAR~1\AppData\Local\Temp\Tar43C.tmp C:\Users\SAMTAR~1\AppData\Local\Temp\~DF0E5D EB00.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): C F057DD9A2395EA0C46 72F3B CA900F045DC55B3E0D8B40E79F4 EA76F8E9EEFF68C1AC7DBA61AA63D84C638A381C969F427D4DC45CE2C722D0DD 223D55D33953A BC690179B4332C80C10104C2993A6C02BBA6D3606D5F617D7CFE4B B3FCD7 BA8C654B339A7653CECF808BFDE0D7072FBE C:\Users\SAMTAR~1\AppData\Local\Temp\~DF8BFA01F64B1A6E85.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): B8DB8F7EEEDCAD E5C E F F5000B1E8671E89E6A 7B82C5D4476C2F92A90B73DE82F0A843D69C4A58F42CF14A7A69CB078CE849CF 46093F39DE704F9411DF4C943F5C9F3D1FE3CDD3D2412A303E209046FAF36884C6DFFA1DC4D3092FF D2B C41F0371DD036E86C35990A3A441BA65E9F0A C:\Users\SAMTAR~1\AppData\Local\Temp\~DFF76E0B D3.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): ECC5ECC0EAD71A16570B BEEC6FF7F84060BE70B54D443C818B EE02E22DBDB090BD8DC76765FCE967FA74567BBAEF7D46E91F91EBE0177C0C A2DCA4CACEA08ABB235A87EB6EA D9BF4062AD F B02AD3E2EDED B352D8FBE0CB3A3E79EBF6C75BDE1B3F16CE C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true EC0CC2544B8321C25FF91C4B71C7E17C A9B7B2895C8D2E51D5B16FF64A D67A4F8 41B1FBC2E189C9C3FF138132C84B815FD75DDAE61C7E6D1E5B3B6B0E6E660F65 E00CB9D55EB0D0ECAD A3CBD2E1A699E25E0D05959EE7C7AFD4D5C6831A96FFE2DB AA8A 81C58F0DD5758EEFF0881B4C50E1B1F209A8A06 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data Size (bytes): 2624 Entropy (8bit): D1CCBBDBC1CE3A016C9D4B5A008D4 Copyright Joe Security LLC 2018 Page 13 of 80

14 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F DCB78FBBBA36673BD40BACE75858DE083854B2DD 69D85D94595C00FCB02667ED9C45C90EAF5CDB27840F4FC8E8603D344C43D434 F59D3DDB09888F33339C08B82D51E9BE99569F2CB62AA41BD3BF B0ECFA546F6E3BB632B3A6C6CFFA87 5E343700F376BF0F253FED42AB761E C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\A10LDZJD\ Size (bytes): 1164 Entropy (8bit): ASCII text, with very long lines, with no line terminators DFAE040D7B653B7E2107A AA F70A123BFF3DFFBF6FD DF49B D1FD843D920D6BBB75F42FF19B F50769CBC0311F04C456365D6EC8 AE259547D5C38C663A8F4C9F374209A9076F79787D73DF8938B B74ACACF334732C5ECC1EFC076BE7CB3 03CEF06A FF DCD2AE7E7 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\U0JRHRKW\statcounter[1].xml Size (bytes): 243 ASCII text, with no line terminators Entropy (8bit): B3FC05BE248266FCEC011F44690C9A32 81FB969662DEA1E221112CEAECEB02EA114D70CD 1DD70551D D33F6DE347F98FC4FF1FDC723BFFF3EA0CA351A1C397 CFE737C328F9909BA75A2E064FD C73608F6027BF E42C35992A0A79EE174645F18DC6E5ADDBA9A DF0AC76116BD627DF2367D0BA9F492395D297 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{52AB9A31-C280-11E8-B3E3-CCDA62336E41}.dat Size (bytes): Microsoft Word Document Entropy (8bit): B5BBAB2DEABE9B9E F00AF8C 3E941406E13B07E97078DEBFD5E25453F9E8B783 86BCB960FA56975DC0AEF C172455DE99AAE4ED5D B66AE95 771CAA4E06BD4A5F67E96355A95087C915D171E32DDB9C6D70B4929F277E019BCAEC FBCF47C559 56F73F8A2CA992E0E422EF367B52CA2EFAB39 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{52AB9A33-C280-11E8-B3E3-CCDA62336E41}.dat Microsoft Word Document Copyright Joe Security LLC 2018 Page 14 of 80

15 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{52AB9A33-C280-11E8-B3E3-CCDA62336E41}.dat Size (bytes): Entropy (8bit): FA0EBB002399B23A06408D9937D3ABB6 A340D34D5535EF9A06853A928143F1C1DAC0B977 A0016E590CB177A B8C7370E90BFF5513C9BFB4A78990D42D371D62 A9DE00940ACE CB4F1D0E55EDACB9E637BD E E6799B923B91DB53C3FEDBAB70B C8F04FD90066A4E90C8BB9BD429D903B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5D36A6F0-C280-11E8-B3E3-CCDA62336E41}.dat Size (bytes): Microsoft Word Document Entropy (8bit): FC88D9F52A32E41EAF0A301F5D C E1C03D79F5CBF21E9DBF5845DF E3BC8BB228FA06F8F E19D1FC5F2F527E6AD C22EAF0 8E4B39BF6A787AEC1B27111B4E95BABC6DD6EA699E2791D6BBEA32D8E1B3AF B6770AFE5B7AA634 B0776EB625927E44D50387A916B234FF787AE82 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\cdqwwe7\imagestore.dat data Size (bytes): 2690 Entropy (8bit): A7A4A7AD7B1A523C177C B50 F3F6950C265F048A9180CA63850F9BDAF8B CF66209BDAE3612A760E2A53E0A18DAB5A010EAA34F BC7D09D45906B CD6355AF7E59BA2EDCFD61A237F8AD2EF5A347A9BFA7F584D368C6B8EA5CAA44517C93D8F77B4887F4FAB5D68 2DAA9D3305E28A C5A5F12ECD05CA80 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\B8BIV1US.htm Size (bytes): 300 HTML document, ASCII text Entropy (8bit): B08C4E0A886A81382ABF2F88647F9FB 4665D2B290E0EFB5CBB3DED371DBD08FB534900E 8D7AE48B5273EE6D90564B820119C2190E3D476E54B E64CFBBE7FDE31 A44D1277F93F9BE7E6AA230747DAD4903C4DBCE6271E C1D2880A2642D63A6E58E9A1A7FBC6704C1D9 6E8CB1AA662AF8CA8DCABE E796BABF0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\ContactUs[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines E7D6B650CE610BF8ACB62698B66BB68D 63F FC7EE228FB3E E58CC2C9C23 F73F1E7E73305C3BB09B9C9AD6E62719FBDD749F47F0C215F13A EF2 DF9F7677D6E29BE07306C8408F4E8E6FCCB2D57C895BB60D2A04D85B32C8CEACA0357ABBC0EA D2EF0E 8047E7476CA8CE67E BFCFF74 Copyright Joe Security LLC 2018 Page 15 of 80

16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\KFOlCnqEu92Fr1MmWUlfBBc-[1].woff Web Open Font Format, flavor 65536, length 19888, version 1.1 Size (bytes): Entropy (8bit): CF6613D1ADF490972C557A8E318E0868 B2198C3FC1C72646D372F63E135E70BA2C9FED8E 468E579FE1210FA55525B1C470ED2D A2DD4FB972CAC5CE0FF00B1F 1866D890987B1E56E1337EC1E975906EE8202FCC517620C30E9D3BE0A9E8EAF B178DEB81FA DFE 3FB79B3B20D5F2FF2912B66856C38A28C07EE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\OpenSans-Bold-webfont[1].eot Size (bytes): Embedded OpenType (EOT) Entropy (8bit): D9C7945C7BC7DD BFBC191 88E07164ACFDB480C1CF6BE262CD5B6937B9CA FE4ED044CFB98144F0BD6F8DA560E00E485573EE038ACF26B26A849B2 97CD1D0AAFC749B255D34B16CD0C23315E2097A62F8E1F F026C3224FA1E1ECF65791A08C59D593F23CA 4FD99F15B20ADDB F3AF6D9D12E44 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\OpenSans-Light-webfont[1].eot Size (bytes): Embedded OpenType (EOT) Entropy (8bit): E00AA7622ECE30A0F1E06B55F66C2A 3B118F81AC22A995F7CE5FAF B5D217ADB 83A5C3512B7E56BEF9B0D5451ADF664B070EB3CF6278E69E2CF4FA0B2D2EF379 B8D560E6750BFD D160DF695DE5FE63CFE67A472E885462D357AFF6FEB9FDC53FCD3ECD2F5845EAC3A0 0B8D4C6B1AA922C01E9009D3DD878D53E6B9174 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\QuotaService[1].js Size (bytes): 59 ASCII text, with no line terminators Entropy (8bit): E936CEFBB0275AA5C9670D4E0CAD 577A456E8930E99F0CAB56F2960F1B067A4CE34A 079BAB B7752FF43AFED EF622A4A286A197E B859028B63BDD633215B65B7C7EA3F B9BC6609D50B8F5A2C6DE635032CD77D3E1FADE BF18AED95D412DCF1EDB1AACA2F8BE0A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\analytics[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): E6B905ECEBEAA42A4104A25FAA2EBDF FAE0C CC0301EAAB40813FDFB4C29E0EBB ED17A6E7532CC3065F9FBD8F607DFD30E09B4531ADA9F7CB5732A2BF6CF6744C 735B106A0FC9FB5EE50DC43C34952C4DB7C4EDBB20A4EE1CD6727F35B1DF64610D64A29D42D77A26C2A FB60716DCB6427A91D071DB D Copyright Joe Security LLC 2018 Page 16 of 80

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\analytics[1].js C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\bootstrap[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): C96CC8F19086AEE625D670D741F9 430A443D74830FE9BE26EFCA431F448C1B3740F A7C634E8DAD34ECC303DD8048D00DCE DE1BACF67F663486EF 8B3B64A1BB2F9E329F02D4CD EBAED942EE61A9FF9E1CE34C28C0EECB CF3704A86 97FA8A5D096D2761F032B74B70D51DA3E37F45 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\contactus[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): Entropy (8bit): B1E5953BBF10BA9978F45DD4F0D3F F7795E32C D12DBF1A000B32B6B52FE020 A93725BDA140EE352F18812CD64136A00DB819C9C2E9E41246B8F2FE6B4946FA 42450B80DE6FCC6DDB309B3A8D9401DD35454E6E2D30D2E7ACBB5416A5C587D2FCB447FA5C318AC05DDF2FAA A34F5927C346A553B405B71120C2939DDD5B6C39 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\counter_test[1].js Size (bytes): Entropy (8bit): exported SGML document, ASCII text, with very long lines, with no line terminators 235BEE1F498A6DDA583346D0F7D6137D 381F49701B6525CCC37D9BCA39A032161C7DD110 03DA92F035C699A414E7379FC4E431B20D29E4901ED6B1172EB30F2D7308C2CA FCD B2FCABF9B748E2BD05A94A4D360DD5FE C76DA8AEF59DF97A726FB C3D1E07 D62457CC66D49ECA6BE0092BC6CEEC24AF34A7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\css[1].css Size (bytes): 1659 ASCII text Entropy (8bit): BB8265B6B798C4C8C391ECC37FE2C52A 9B481CB5C138DC5A7875B20B182FD4BD121499FB F2AC8F1105BD30AA828B32F418A D8F1DA800EDF57E363695E738E8AB1 D17AD1D64C445C9A735D5DAF28C4FDD81EA D34B6D06826E9AEC7CC77494AB6CB3ACF60A0591E16B15 DC5D583F2BBC94F870A476AB44D28370EB3768B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\css[2].css ASCII text Size (bytes): 892 Entropy (8bit): D7A2B803B391190BB130B80BF112BD0C Copyright Joe Security LLC 2018 Page 17 of 80

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\css[2].css EDC DEA2A704C292FCA2A BD623ECCA69C79CD5351B9BFCAA E59C4A8FF800C6E D882DA2D50A516F543E0385EA6BBB5E954105F676A3E6E09BFD588A7FA038DA889C0AD9B65FABC168F6A DE00C FCD B43FF3C4D4B1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\custom[1].css ASCII text Size (bytes): Entropy (8bit): B358ED43918FCA78A21A4BEEB564D D041DF2D945D53F06F4B0F2EF12233EFA4B032A5 6F81F24781CB90F C62B164E5C82D84DC18D00AD6E8338EB40327F11A 2B77B4BD231515F2A043A96C40EBC5CEC6285F6E7CC9F87C9BAD2E94B0D79C52C0D741843F A44B7E7 EF462773D06BEDE7495CCB DEEE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\embed[1].htm Size (bytes): 2426 Entropy (8bit): HTML document, ASCII text, with very long lines 6CD4183C7F63B2197F429FACB9E2F03C 4A20F73D3D71DD16FA129B6B81823BC3ED1FCFF9 96CD19DA8DF2606B329093A3BCF5B5E2A8F91E8530A6695ECA9EC10B58F4C B499C2F3A2A198CC984CA7C5E25AAA5795E9D94E C90F2634FBE74246FEB3773C509283A18E851E 7188E35EA169AE4D8B22FC146DFC0D8B1DFEB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\f[1].txt Size (bytes): 4574 Entropy (8bit): ASCII text, with very long lines, with no line terminators 552A75FDA141953DD E4FCE1 6ED1E20B6014E6F14A3449FF8086FBEBFC8CCB8F 8E6386A7AB6A5390F9F8BF695A969140AD5C0DF8394EC E BAFCD1AA8F9A19621B76C5FC3A20A09FBC8A3D52DE CB0F6CC F334C ADFFD2 BF81B47FF96A4F0EE9F237B1FD FF116 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\favicon[2].ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\favicon[2].png PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced Copyright Joe Security LLC 2018 Page 18 of 80

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\favicon[2].png Size (bytes): 1264 Entropy (8bit): AF2405C E5FD925C36BE52A D72BFA55078C75BFC193F532B4E1D78944B3ABC9 02DB20140A3FE46BAE E6CF418648E6315F7DEDF9727EAA47E464E0352 4A46D8E41C59BC2BE244157C1320D B1DDCE969220EFB8246E4F5B1FED1A4FEFFFD FBFFCEC2 317E1C347B345A12E27F32B8D50A0510AC0A0D8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\google4[1].png Size (bytes): 2073 Entropy (8bit): PNG image data, 66 x 26, 8-bit/color RGBA, non-interlaced 1AE05AD3B3C8E112E4734B2C0228E3CE 30C2CB03A841178FFEE8AA65B1000A556F22638B 721FB AE4AC2169B208A651F09A7D5E5A370323FCF ACC94A4EA C EA6517ACC53958FC3496CC ED6DD0C82C2981E903DCA43E9A4D57D98D77BAAD30FD9E 248A9097F4EAECC3E8B24BB07DEA26D190A483 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\green_shield[1] Size (bytes): 810 Entropy (8bit): PNG image data, 14 x 16, 8-bit colormap, non-interlaced C6452B941907E0F0865CA7CF9E59B97D F9A2C03D1BE04B53F2301D3D984D73BF BA122F4B39A33339FA9935BF656BB0B4B45CDDED78AFB16AAFD73717D BEB58C06C2C1016A7C7C8289D967EB7FFE D9205A37C6D97BD51B153F4A053E661AD4145F23F56CE0AEB DA101932B8ED64B1CD4178D127C9E2A20A1F58 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\icon_lock-13d06aa4a9[1].svg Size (bytes): 908 SVG Scalable Vector Graphics image Entropy (8bit): C E6D675DEBCF ECC56FE FF23C7A510EF2BA108A47C B39FF4A2AE447CCDE3E7A11BD561E E0BF9346EAE9BF15D4F 7DA538E85208F22A083A2A95C6E7F2732C2172E892A64B76F2D9835A11FC9E B145823B11CD D63D181419DB4B051B38E948B3B65EB1EE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\icon_twitter-0efe5092fd[1].svg Size (bytes): 1570 SVG Scalable Vector Graphics image Entropy (8bit): BC4A2B9B85994EDDBEB35D C68CB6E1C8569E72E1D171CB786D3E D323A336BB36F05D352ED782AD15EBD4723AFB4466F D135E744BC7 32F25481AC520AFFFAFFDA5CC A006510C112E887B20D8D8CFAF8E9EF81DD39636B8C C58E36C D79E1B414F8C27D5C6601E4192B746ECC111D7 Copyright Joe Security LLC 2018 Page 19 of 80

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\index[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines 8A4CF31586A6E3AE50B2E94458CC3AE4 2CE023C FDE6FD09F1C061FEFD52D0E21F 8A3C649A34BBDEA25ED27AC40E90FAA7793AEFB3F437D7B BCA531 78A3F C04A7E72806EED62A3959EDF9312FB523EDBCD5BF24F381CA262EB0A7BC95EF45BDCB8FE379C 00AA80755C206C F941D0D4D5F2B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\jquery min[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): F9C7AFD05729F10F55B689F36BB DC554608DF885A59DDEECE1598C6ACE434D747 F16AB224BB C82F58C10C3ED20F153DDFAA199029F141B5B0255C 3DCAE1FF6E98C64E3586BE3EB14DD486C51F7D4E9FA1B8F9A628BE4FBB6A9AB562F31F9B50E16D2E0C72B942 BDBE84EEE8E0EF87FA730DB1428B199A59D88232 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\left[1].png Size (bytes): 473 Entropy (8bit): PNG image data, 35 x 35, 8-bit/color RGBA, non-interlaced 8823EDC C96F340B72ACBFC 0B7FD1C33D40FB9DAEF7DB5C585C89FE8A1146C1 15D52F6FCAAFE063EDCA F6028C6C1BAC52B B97F140A3D470C F748A6622E0C60B943476D1395A47C33A8E A38D0E3930BC66C2E6B60F951CB1ED3008A5C5F984FBF9B A4BD F8291AE9DF AC5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\logo_happyhealthy[1].png Size (bytes): 8824 Entropy (8bit): PNG image data, 225 x 39, 8-bit/color RGBA, non-interlaced E90D99C149412B6D0BD CD7AF0F3DC2B C9F5EBB70A22B41602 BBFD6CCEE828FCC6EF5B0B367CA64FE419D90FA7CA2F403F165502D950955C8C 12EA38FB82BC3352D4EC76D6CB477F22F00FF BCABEC E07C02EEA5B6F40C9D7165CAF69DB72 F E24F6DDE7AFCC3756C5D8DCC8D41 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\logo_squarespace[1].svg Size (bytes): 2120 SVG Scalable Vector Graphics image Entropy (8bit): BE6717D6055EE79CB6D3D22CA0A79F9B 83DCA06BC363F1F02694EB7997A957D19FBD6EB1 E86B9C33D19A1DE2DB35CBBC21E37BBBE47E0C4D8F7E4FD165F66C759FEFE8E0 4C203E8FE1B530C8E80D55730B60BF7D41E8A5E5A40A30C51BA6E7CD2491B86D9ED11BEC2F2796F171E723FF26 1A9A7B0F1B6A15FC4C66B6187D266155A041B4 Copyright Joe Security LLC 2018 Page 20 of 80

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\logo_squarespace[1].svg C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\logo_storyberries[1].png Size (bytes): Entropy (8bit): PNG image data, 197 x 35, 8-bit/color RGBA, non-interlaced CA6550E1FEC0E9C06A3993A75E6EF79C 67F0AB7A2B9BC21366D01FDCF5AA2554AA4D2D A5D1B78F492DCBEC286D140026D25CF58B72123AB72CF58416E5AF6B AA C132951E11BCE8E4F950E58E28866F06D40E37A B12DE0EB97B909B39BEA0B32C B683779DD93ABFD46A79D6C29ED336 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\logo_weebly[1].svg Size (bytes): 2060 SVG Scalable Vector Graphics image Entropy (8bit): BFC ACA4B33286DDAEEAC5EA 44BD62F7AB3BDC8BD00C044F62C672361C9B918E 8632A988326FD5EAC CB091BCE1638FF63B32931BCCCEA4382A8134 5AB9900F13B07C92B487F1034A6A72E383B9D3FD9E9A6B6A311DD9A3F816CE93D331147CE8DF34ABBDFD1A34C D765375E31F39B970C A B51 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\logo_wordpress[1].svg Size (bytes): 2568 SVG Scalable Vector Graphics image Entropy (8bit): F2FBB970AF05E431A819895C79FD657 7A53A9D6A6BFFA8C7C756FE6ED1F18E54323F122 9B52C FB1F8C674865A02BB01CD52518DE FABE A3F6 C95243C471CFD2A41A31C7BAE0989EB1B2A9423E507F5CD54B6F93F07FC42BA9A7877DD C B8A 2C228B E F7196A2F1892F732 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\map[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): BCA D7CDB40CED904B D5822B85195C2A150BBAA426C6AAF1CF52AA4FB D2131FD7D45DC49CBC094BF0406DFB18DF4B6A1206A2ABCC020DD8F1B3 BF168AF9D6096C56C984B4A740929BF66685C3309D D31F588C575A7590D6DF5B5C7F98D F45 A0B4DF605F7A2537FD FB93986D15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\navicon-94abcdee36[1].svg SVG Scalable Vector Graphics image Size (bytes): 714 Entropy (8bit): E8F5D5CDB1A2F98E255709B59864E223 Copyright Joe Security LLC 2018 Page 21 of 80

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\navicon-94abcdee36[1].svg B28E4806CF4E21F86EC06DB5FE32F9CEAD85FD0B 0FD536ABDCD1BB3B8AAA53C24F6EDE14B7A0FCD9BC4960CA2B01AFDFD0B6A9B0 DF910511EBD00F D1F994C2BF1CEA0A BE3F325B42DC41F284A099F187A0B330DDB93B72BC888 20F A119E61C0DEAEEAEDD7AC3795F7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\overlay[1].js Size (bytes): 3388 ASCII text, with very long lines Entropy (8bit): F25C8F5C00D44B44213D9C3BCFD 7E66A21472DE0D0ADCFDABB82AE09285F2D75705 C7E2390C31D95E63807F64F58F70F3CB1A2EFA009C68887BFB0D04DB753C1290 CDA6DB361A3F99148C354B0ACE24CACCC263F8D6A5076B774AEA29E3A3E07AFDABDA472EC7989B67AA89779A B249CF9F7B076C42A3ED66EA7DC3D2BC5496D5A7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\product1[1].jpg Size (bytes): JPEG image data, EXIF standard Entropy (8bit): CEEF0BE11DC092B6B84EEEFFE08A0 BB24BBBF06AA1F559A0E58B68CF310631E8B205A EC1DCFAF45E7819C8497DB41835E3C03EEE3CE4ED1313A F DA3BD4D5CB A ADF CDD97E BB524CD9338D6D239616C5037A6 FA0A77C09B AB5D1414A3523C07788 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\product3[1].jpg Size (bytes): JPEG image data, EXIF standard Entropy (8bit): E F699EEBBC89ECF BD740AA7E145A317F5BF685DFEA66BB F44F41468BB81FA8F00BD9E16504FF91CE315986D3827EFCC176FC00FF0EA7D BD2B2CE2A31C2C45FBE1B4664EA237593C8F93812E5F0A063BEA2C1C64F2D3AA5751FB4EBD579F79672C1A78C FDC13A25E7CB19C2CAE CD42D838F1A5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\product4[1].jpg Size (bytes): JPEG image data, EXIF standard Entropy (8bit): D8E3960DEF3F6D892D8CCD4B36 FBE88E C701E57AC08FA1A1F4D483A E6FB22E2BA081E5DF718C15AF4A7C4955C4EF AD5B87A542867D4DED8 D F234B3F057395EF3B0A D44D70883CA1B54D5B9F3DC27C880B245A88051DFDC6B977CC2BA3E 6030BF121354AF80B40AE3F2F958C70373DD2 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\product5[1].jpg JPEG image data, EXIF standard Copyright Joe Security LLC 2018 Page 22 of 80

23 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\product5[1].jpg Size (bytes): Entropy (8bit): B59B0D23CCDFDFDB19089A94BDCD9778 9A66F5E0777C1B00E8A53F26630C3E F B21B02D51CCDE36544A0FED71BB443CA6C688AC099A CA5C B5C3A998DB2A2BCACBB33328DC7EF8A67A7E190D9BC BFFE6D488DAB01F88CD98232CEE330F DD5D903859EE135DD55B6D511499C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\product6[1].jpg Size (bytes): JPEG image data, EXIF standard Entropy (8bit): B833D9D7C1D12BC C23FE0AA63 8EBF0F39E89CF8499CA803FE95CE2B3952B14FF1 569E6107ADEBAF6E58738F6369D7AAF94860DFB1C8360E59C651A08E1E875C99 FD23E26E2C B296C9A4F106A09011E831B5FB99670D35418E0C42538D6C261E40760AA7CFC8FB7A11E C0FA E1AB9EDFBB29 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\style[1].css Size (bytes): ASCII text, with very long lines Entropy (8bit): CBBCD31FE81A93A6FD20D1708F13B C07DB B77A F49032BB8 95C36FBF46F4A88A2FD5926D6A8CDD87607E95A88563D648D7797D1EE4EB1FFA E3BE84FF6E92F131E286CEF852DE03324BAE3BB9E8AEB0D26CCD86C7F9561DF224B0B653C11A1EAC2C7F8ECB 04EC311A07BB F8ACA23FB9C10F87E67 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\t[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 49 Entropy (8bit): E76BE6355AD5999B262208A17C9 A1FDEE122B95748D81CEE426D717C05B5174FE96 2F561B02A49376E3679ACD5975E3790ABDFF09ECBADFA1E1858C7BA26E3FFCEF FD8B021F0236E487BFEE13BF8F0AE98760ABC492F7CA3023E E135CB4CCB0C89B B060AD72C0 CA4474CBB5092C6C7A3255D81A54A36277B486 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\t[1].png Size (bytes): 146 Entropy (8bit): PNG image data, 60 x 14, 1-bit colormap, non-interlaced 146A411E2562ECF96C97877D65FDBA3B F0F935F25003BA942FE81F62AA946173BD BC6EF2D70ED8CBE27C05441FCEE9ABBCBC0DD9BF54FAE9C56EC19F94CEF BCEB6867D19B7664D74E83202FCAA0A07E0B2569E9B5104B6269BB328B6DC00B44D1377E A8593F7FC41 537A7858B720A67904D5F0B8D14B B3 Copyright Joe Security LLC 2018 Page 23 of 80

24 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\t[2].png Size (bytes): 144 Entropy (8bit): PNG image data, 60 x 14, 1-bit colormap, non-interlaced 3A5F833FE5A3F55C9E3321CB11CC8284 C5B12250E45E533D440DF3B87AD4CC7648A247EA B1FCE672A32E218F08FBFEA8E080A124EC75EC235037D21B4D1F1024EEF15E68 04BB6D3BBC25A873DFF0F1C4F44FE56F2BB BBCEBFCD0E08B0ECE C91E9F39C3F6C69E8902 C25532F6C7CD00F9F6654B6B30911BBC9F546F7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\t[3].png Size (bytes): 145 Entropy (8bit): PNG image data, 60 x 14, 1-bit colormap, non-interlaced 0EED1493A0D9F5713BB006BBEC7ED7AD B7210C45FBACF03CE741D87F4F45DC605 9CD111FC918A0DF1D8C038112CC933622BCA31F7B43533F8E5B7BCE81B82A475 CFE69E209C7E1DCD82D2DC4F4BBCDA3F43F73105AEDB3302CA11B2543FABC86F E41EF2FB747D6EC3A 9D4BA468ABCDAEC6B550C6EF58DE06135ADD182C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\urlblockindex[2].bin Size (bytes): 16 Entropy (8bit): data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\1[1].jpg JPEG image data, JFIF standard 1.01 Size (bytes): Entropy (8bit): true A19E00937D25DE37DCDA43C5691A9568 0EED208EC6CD1CFC1164A5E653689AF596F55D89 49B4B153C52C91CC1E D3FAC70626CFD733F7B2F7D28B5DB9E B37246FAC61A0D C236C C64BBD741C C013D654F64CDBE C65967E442C30C 10E77D175BBFF9A17BBAE19D EFD31 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\AuthenticationService[1].js Size (bytes): 62 ASCII text, with no line terminators Entropy (8bit): DA297FDB3085F6521EC81675C8D2F47D 7D4E89F0D69AF74CA7A5EC04FB82D61B0D8FB649 F34ED44A8E5279B48A16ADDD6C2F9BCD9DD17BFB2603E1B9B20C9C8820D4A8B5 A59A3193A29900B5B0F8D7CA10CCB72B1F4616FEF169B B022218B499FF99FF1C2814F630079F CA B0E9A2AFF16BB638E16BD3B232 Copyright Joe Security LLC 2018 Page 24 of 80

25 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\AuthenticationService[1].js C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\BS9K6WS5.htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines 8A4CF31586A6E3AE50B2E94458CC3AE4 2CE023C FDE6FD09F1C061FEFD52D0E21F 8A3C649A34BBDEA25ED27AC40E90FAA7793AEFB3F437D7B BCA531 78A3F C04A7E72806EED62A3959EDF9312FB523EDBCD5BF24F381CA262EB0A7BC95EF45BDCB8FE379C 00AA80755C206C F941D0D4D5F2B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\OpenSans-Italic-webfont[1].eot Size (bytes): Embedded OpenType (EOT) Entropy (8bit): D F3607BD61A8239E98B B1C2E259609A3EC41B D9D4C37 99E6E0467BB C6BB641144F3DAC0FAF ADC073E71ABBDD73B92F 9F2786D50C64171E427FA3E D94349B64C8D8803F5486A6044EFADB ADDB459E0D67AE9D 81E7498E2A9321F60CA8EA485297BBC4E2B1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\OpenSans-Semibold-webfont[1].eot Size (bytes): Embedded OpenType (EOT) Entropy (8bit): F28EB362FB6AFE946D822EE5451C2146 1B6DFBCD3D634E2EF7EE7D0EE2ABB8B940D7C32D EFE97650F3270ACA9BA594789CA75BA7B1FC1A22D8189B3439E6DFB57A16E853 84DA9EB2403ACAC85F1C39F56FE9AA28844A393C668F41A E2AD402263B20B F9BA9DDA1C82E937 1A94A9FD7E6DAE4D1A32937B15F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\StaticMapService[1].png Size (bytes): Entropy (8bit): PNG image data, 344 x 203, 8-bit colormap, non-interlaced A6D0F B0F781329CD4F501E2 884D27563BE0A0E1C079F44BBD A571F52 7D08F81935D5D3D185A10A7DFB22B8FC44DF439A103DEA2380E4C45F33E8EDC1 3C6A8170C868E32C89B521AEB5711BB90083F1013CA5FCD5609C449BB28BC230AEC19C754CDF977A17D59244AF 16B B6634FC9D CB1FFB60C5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\background_gradient_red[1] JPEG image data, JFIF standard 1.01 Size (bytes): 868 Entropy (8bit): E78CF3C521402FC7352BDD5EA6 Copyright Joe Security LLC 2018 Page 25 of 80

26 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\background_gradient_red[1] 017EAF48983C31AE36B5DE5DE4DB36BF953B3136 FBC23311FB5EB53C73A7CA6BFC93E8FA3530B07100A128B4905F8FB7CB145B D382338F467D0374CCE3FF3C392833FE13AC595943E7C5F2AEE4DDB3AF DD5DDC716DD17AEF ED4C2A1AB7FE6E E36EE98A7D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\banner-1[1].jpg Size (bytes): JPEG image data, EXIF standard Entropy (8bit): B522FE64FA49A912104A210B32B CD04E07E7E621DD6DCEB3F4A66EBC2005DD711B 1217A329D8B DCBD1373CE C70C1A2F50AFCC77B FD D C4DC432081A5E C02466DC168E95DA B7A0241B666C86A303E0C246648E5DDF6E2EF098 C C499AFD36B86CCAB7DBDB8E43B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\banner-2[1].jpg Size (bytes): JPEG image data, EXIF standard Entropy (8bit): ABB1677F89F2429AE2DF7AC256CEAB 7135BEDEDAEE1FBCE045A4DE9CAA973E2DBE6717 4AB0D71B1B04D9F49E086DB178D9AD395F66AEF2E23BC510A37B4C AA91DF861595EB1106B0B6A28CA9F6A201E2188A301A312D99C309673DB130D9507C14C70B2B35F99E0EB2B1D8 26BF33F52A31D691914CC490F328B2E0015B1D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\bg112[1].jpg JPEG image data, JFIF standard 1.02 Size (bytes): Entropy (8bit): D2E9C5A5B656200BCEE601719F75BE02 13E21A FFE940F20EF6F F A6373B624958BF DF1B63F65C9AC7A78F988BC8E FF220EC307F72317F0B63AAE D5B54F01B85CAF5FF4D89802A82010CD62142B415F7ED52D13C1C8FB ABBFEDE7F2CB39D71CBE1F7727BF749 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\bootstrap.min[1].css Size (bytes): ASCII text, with very long lines Entropy (8bit): EC3BB52A00E176A7181D454DFFAEA D8BF3E1E9368BAB8C7B60F56BC01FA3AFD68 F75E846CC83BD11432F4B1E21A45F31BC85283D11D372F7B19ACCD1BF6A2635C E8C5DAF01EAE68ED7C1E277A6E544C7AD108A0FA877FB531D6D9F B7DA88E4E002C7B0BE3B72154EBF7 CBF01A795C8342CE2DAD368BD6351E956195F8B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\controls[1].js ASCII text, with very long lines Copyright Joe Security LLC 2018 Page 26 of 80

27 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\controls[1].js Size (bytes): Entropy (8bit): A5548CF2A5D011D4529E283D790AA401 A35C05DACFBB838708A1CF41831E42B6D8C AE52546DED1514F080DCEB6EAF9BD1AFA090D2B5DEBD27A D0B4279 FFF835F0AD1942BBA17825D1CB63A88A72FE616783DEE3BB0A17BE40C73C4D5E2163F6C4A6C86754FF3D1C1DB 6BB058E4F499F0912EDAB2CD9BC79E43812A1F0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\detect_click_fraud[1].svg Size (bytes): ASCII text, with very long lines Entropy (8bit): EA23E1BEA8E5E36C49285E5AFBDD522 E474B D552D1CDF0519B E67B4F6 304FA639D079C4570CA2F7D482D7A1DD3462B20EB0A50717D766F B84 45CB22EAFEEA6CF686337E5B7D4434A9A054661AC70266FC6A2B6F D7B6AB4DFD3A17A3B7E2C861D5940 DE1BD29F1B9783C193AFCE18BA05CD25AF6744 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\entity11[1].png Size (bytes): 4765 Entropy (8bit): PNG image data, 70 x 210, 8-bit/color RGBA, non-interlaced 9A942045EC3F115DAE872C3BE6B3A047 AF88E5C73E9D34C671A7ED099C0628C249DFD9E2 EA80D10D991B201E42309C3FC535F9ABE17F5F37E4128A69E41E05B233DFB223 7F5FA48CEE78FE5C887A8EB9C69076D03D6DD9B2B05E29CA4A0F7C D4F94E9B CBE6929B99121 E99C2B309F2EEB564BDAE2F7E29259ABD66CDA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\errorPageStrings[1] Size (bytes): 3470 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 6B26ECFA58E37D4B5EC861FCDD3F04FA B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA 7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB A 1676D43B977C07A3F6A5473F12FD16E A1CB9771D0F189B EE79480C33A010F08DC521E57332EC4 C4D888D693C6A2323C97750E C3F4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\executive-img[1].png Size (bytes): 5751 Entropy (8bit): PNG image data, 171 x 94, 8-bit/color RGBA, non-interlaced 4BD1A2B8ED79E72BFB073DAFE0A9BE EFB2B7CA21C953B2CCA2C58931B5A B317648F67AAC5797FDCB894EACDD2ADC153CD4C9302A31B731369F920D59A BD2D82EA6D8E3DB943264E946BFA1D AEF635657CA39218C4F3271B8A5218C489B76965F28541A C2D EFF6DC8524DA0C0998EF09EF71 Copyright Joe Security LLC 2018 Page 27 of 80

28 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\font-awesome.min[1].css Size (bytes): ASCII text, with very long lines Entropy (8bit): BB53AD7BFFECC0014D64553E96501DCE 7CD5A F95C3D37D9488AD82CD6C4B BC15C522A05CE0E56B8CB3FFF83BC6E770130AFDD840D469869DB69663D78FE 2F4963BB9C E294BE78392DB EFA5CE74BA4C CCA5222F433AF5C6F2E6314DDF8058E91E F0D4096F827957C67516FE21418D6E17084CD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\icon_android_app-ada50011a4[1].svg Size (bytes): 2096 SVG Scalable Vector Graphics image Entropy (8bit): FAD7BB2B012196D09E25CF4B4D A05BB55BEED1E189F00CD2BE6F27CEB9 969B3B9AB40049E98E6751A5F880FE007B ADC9962D1DA D33D 48D86A2D6333CD6EFD0CEAFAE1545A3A512E12AA839D00BFEE5D82D8204F692B48371C7A590CFF7DC84F9F366 0A71A00DAE005A4D225B9AB843A28A88C8846D1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\icon_ios_app-1153c5a938[1].svg Size (bytes): 2045 SVG Scalable Vector Graphics image Entropy (8bit): B081B5EDEADDEFE33B2253DB23C1F37A FE9A4BD160B9B587607A0BD2E32B7BB6ABF2BA38 16C644C52738A4CBFA59A6B4D17A9F5D6BE69097BE243E0A4C76D6119AAAE95D EBC5947A4E3713CE6D92F542CA7126B0FF99E9562C9F7A E7F0EFC2BF08DA EF DBDF FCAB3D2E45BC08EA03EBA82F52A27097D9BF4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\intuit-logo[1].png Size (bytes): 1056 Entropy (8bit): PNG image data, 119 x 35, 8-bit/color RGBA, non-interlaced 73BAC5C661B73F7A0BE4282D6F54707F F ED2DDF8CCB7F03CE06B37B58C79645B5 8DB1DC1DF1D625B41AE392778EE2A3DD E32346A112760B497A5D135A 58F7BDA856BD549F9663E3E8E7226A8E69E2DE1D5E8478B2DA054BDF7CB02FC78D049F322370F7624F1BABC323 AD2127E7AF1DB3CA AF19222EFB4495 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\intuit-quickbooks-support-phone-number[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines D16E4AC0F004424EF8CA6459CB91F7CC DC82002F4F814A1433BAC1CC4E7B1BB431B11AB2 DB92F6314F41B8951A23220DB893B35C722757B5BD073247C792D4E2650A694C 7D5D3E708E6B07CF0ACB5BCB9B156E757651FA4E0A59E894313F78DD634C083EF314676E44D65DE586ADB778F9 A318E40DB31EFC274B544924DCF8B D Copyright Joe Security LLC 2018 Page 28 of 80

29 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\intuit-quickbooks-support-phone-number[1].htm C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\logo[1].png Size (bytes): 7152 Entropy (8bit): PNG image data, 336 x 74, 8-bit/color RGBA, non-interlaced 58234E751E6D5E22A5844B46B8EAEC7D C8A E34D813DF F A8034BE9B3303E95E3DBB1548F4D0B3DA8F7D5FD1D21A6309E6244A3C46911E F6A541AB9D340105CA2734E3A21698FF9B6E72BD9BC88199DCEA515E79B7D077136B21A8511FBA7650DD96D5D4 A00BCBCB5EE94E7987C3CB153562EC32FF4AC7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\logo_blogger[1].svg Size (bytes): 1284 SVG Scalable Vector Graphics image Entropy (8bit): B8409CC98AAEDE11AD9E6BEE 46E399753BC67CA126C4D396D A2E1 B CB75381E80E81F1C09BD324C23EE1C504EF374D18DB470CAD53 8EDEAE45D32131B97D6EB7E8AB2CEA94EA618471B77216F82BEB2CCF768A33F16C44E0FAE0402E39D6FBBC0E A503451D0E46EC204A684F9840B0CBD257A80E74 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\logo_drupal[1].svg Size (bytes): 4586 SVG Scalable Vector Graphics image Entropy (8bit): C43B48FC7478BC81E3EEB81EA268CBE 0F4590F0D41B3787BD1D2AF34D555B9F21AF775A 0DF9858BFD493C4C20D80BA4118E4DA9F58D247AF1F6FB63092A9D9C29EF1E1B 71EB7424BEAD7F93C01468CDAAD3D700B9E8EF33FC13F0EA3F6FF5D57D37D4F4E9549C746B7A2D6D79D963C80 D03C22CB3E8B2758D382C7FB6F9DCDAFF1AD957 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\logo_hoowla[1].png Size (bytes): 4983 Entropy (8bit): PNG image data, 135 x 37, 8-bit/color RGBA, non-interlaced 3B2B8D754A5A233DC393B18DA3BC6F29 58F4E2AB6FCD4B0B0C104F9FA B5BA50A C94805A40760D49AF9F9C EA8265B97C832BD015CE9025F16CCC0590 A558C204FC644439F3E467DE87A0C496B276400FEF3B77A42C84B0531F6FBC2AD2D9CC212883A404A54DA39614E DA3A131F6E5CF742674F7A4C176776FDEA509 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\logo_shopify[1].svg SVG Scalable Vector Graphics image Size (bytes): 2746 Entropy (8bit): DBBE48E FFC3B31AA530 Copyright Joe Security LLC 2018 Page 29 of 80