ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

Size: px

Start display at page:

Download "ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:"

Shanna Sherman
5 years ago
Views:

1 ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Phishing: Networking: Data Obfuscation: System Summary: Anti Debugging: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets HTTPS Packets Code Manipulations Table of Contents Copyright Joe Security LLC 2017 Page 2 of

3 Statistics Behavior System Behavior Analysis Process: iexplore.exe PID: 3052 Parent PID: 548 General File Activities Registry Activities Analysis Process: iexplore.exe PID: 3104 Parent PID: 3052 General File Activities Registry Activities Analysis Process: ssvagent.exe PID: 3156 Parent PID: 3104 General Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 3 of 68

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 19:21:50 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 4m 15s light browseurl.jbs 5a467e0bf432bc Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: SUS HCA enabled EGA enabled HDC enabled sus23.phis.win@5/46@8/4 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 100% (good quality ratio 85.2%) Quality average: 64.6% Quality standard deviation: 36.1% Cookbook Comments: Warnings: Browsing: tefapp.com/reset.php?id=tcoone y@deloitte.com&reset=8b88a 745f7d327ead85a467e0bf432bc Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Copyright Joe Security LLC 2017 Page 4 of 68

Strategy Score Range Reporting Detection Threshold 23

5 Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold true Classification Copyright Joe Security LLC 2017 Page 5 of 68

Ransomware Evader Spreading malicious malicious malicious suspicious suspicious

Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable

communication, use the 'Proxy HTTPS (port 443) to read its encrypted data'

Data Summary System Debugging Anti and other Techniques for Hiding and Protection

6 Ransomware Evader Spreading malicious malicious malicious suspicious suspicious suspicious Exploiter Phishing clean clean clean Spyware Banker Adware Trojan / Bot Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Signature Overview Phishing Networking Obfuscation Data Summary System Debugging Anti and other Techniques for Hiding and Protection Hooking Language, Device and Operating System Detection Copyright Joe Security LLC 2017 Page 6 of 68

7 Click to jump to signature section Phishing: META author tag missing META copyright tag missing HTML title does not match URL HTML body contains low number of good links Networking: Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Uses HTTPS Social media urls found in memory data Data Obfuscation: Contains functionality to dynamically determine API calls Uses code obfuscation techniques (call, push, ret) System Summary: Found graphical window changes (likely an installer) Uses new MSVCR Dlls Binary contains paths to debug symbols Classification label Contains functionality to instantiate COM classes Contains functionality to load and extract PE file embedded resources Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Searches the installation path of Mozilla Firefox Anti Debugging: Copyright Joe Security LLC 2017 Page 7 of 68

Contains functionality to register its own exception handler Contains functionality to check if a debugger is running (IsDebuggerPresent) Contains functionality to dynamically determine API calls

8 Contains functionality to register its own exception handler Contains functionality to check if a debugger is running (IsDebuggerPresent) Contains functionality to dynamically determine API calls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Extensive use of GetProcAddress (often used to hide API calls) Language, Device and Operating System Detection: Contains functionality to query local / system time Contains functionality to query windows version Behavior Graph Behavior Graph ID: Sample: Startdate: 15/10/2017 Architecture: WINDOWS Score: 23 started iexplore.exe started iexplore.exe Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Number of created Registry Values Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious 41 Connected ips exeeded maximum capacity for this level. 5 connected ips have been hidden. ajax.googleapis.com , 443 GOOGLE-GoogleIncUS ocsp.starfieldtech.com , 80 AS GO-DADDY-COM-LLC-GoDaddycomLLCUS clients1.google.com , 80 GOOGLE-GoogleIncUS started United States Netherlands United States ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 19:22:20 API Interceptor 115x Sleep call for process: iexplore.exe modified from: 60000ms to: 500ms Copyright Joe Security LLC 2017 Page 8 of 68

9 Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Domains Detection Cloud Link ajax.googleapis.com 0% virustotal Browse clients1.google.com 0% virustotal Browse ocsp.starfieldtech.com 0% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs Match Associated Sample Name / URL SHA 256 Detection Link Context PO exe 83df6619bcfec886eb238500d2 malicious Browse ocsp.starfieldtech.com//m 38dca c81eff3ec c2f56fd4c EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D Copyright Joe Security LLC 2017 Page 9 of 68

10 Match Associated Sample Name / URL SHA 256 Detection Link Context SHIPPINGDOCUMENTS.exe SHIPPINGDOCUMENTS.exe SHIPPING- DOCUMENTS.DHL.989.exe SHIPPING- DOCUMENTS.DHL.989.exe SHIPPINGDOCUMENTS.exe SHIPPING- DOCUMENTS.DHL.989.exe edf28a9160fe8dfaf032161ff9d 88ce2bb5f0d4fe1c6d e f69b4cc2676 edf28a9160fe8dfaf032161ff9d 88ce2bb5f0d4fe1c6d e f69b4cc2676 malicious Browse ocsp.starfieldtech.com//m EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D malicious Browse ocsp.starfieldtech.com//m EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D 7bb12d910328c52da8d3f235f2 malicious Browse ocsp.starfieldtech.com//m 481d99e8c0be6675e9f3d c EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D 7bb12d910328c52da8d3f235f2 malicious Browse ocsp.starfieldtech.com//m 481d99e8c0be6675e9f3d c EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D edf28a9160fe8dfaf032161ff9d 88ce2bb5f0d4fe1c6d e f69b4cc2676 malicious Browse ocsp.starfieldtech.com//m EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D 7bb12d910328c52da8d3f235f2 malicious Browse ocsp.starfieldtech.com//m 481d99e8c0be6675e9f3d c EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D malicious Browse ocsp.godaddy.com//meow SDBGMEQwQjAJBgUrDg MCGgUABBS2CA1fbGt26 xpkokx4zguoujm0tgqu QMK9J47MNIMwojPX%2 B2yz8LQsgM4CCQDpgO yxbvskdw%3d%3d SHIPPINGDOCUMENTS.exe errrrrrrrrrrrr1..exe price_list.exe errrrrrrrrrrrr1..exe edf28a9160fe8dfaf032161ff9d 88ce2bb5f0d4fe1c6d e f69b4cc2676 malicious Browse ocsp.starfieldtech.com//m EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D b9356a64c4591a2f5324baf854 malicious Browse ocsp.starfieldtech.com//m cd93a16215e51a9008c65c fee EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D 6f11c4bd4bef91e441b05ed7e3 malicious Browse ocsp.starfieldtech.com//m 062a7abc88e5185b3da54bfbe 022aa3ff4b24d EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D b9356a64c4591a2f5324baf854 malicious Browse ocsp.starfieldtech.com//m cd93a16215e51a9008c65c fee EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D Copyright Joe Security LLC 2017 Page 10 of 68

11 Match Associated Sample Name / URL SHA 256 Detection Link Context SHIPPING- DOCUMENTS.DHL.989.exe SHIPPING- DOCUMENTS.DHL.989.exe SHIPPING- DOCUMENTS.DHL.989.exe SHIPPING- DOCUMENTS.DHL.989.exe 7bb12d910328c52da8d3f235f2 malicious Browse ocsp.starfieldtech.com//m 481d99e8c0be6675e9f3d c EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D 7bb12d910328c52da8d3f235f2 malicious Browse ocsp.starfieldtech.com//m 481d99e8c0be6675e9f3d c EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D 7bb12d910328c52da8d3f235f2 malicious Browse ocsp.starfieldtech.com//m 481d99e8c0be6675e9f3d c EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D 7bb12d910328c52da8d3f235f2 malicious Browse ocsp.starfieldtech.com//m 481d99e8c0be6675e9f3d c EgwRjBEMEIwQDAJBgUr DgMCGgUABBSTwrUmjB rz0iqzg2kyfsaec3n2dg QUSUtSJ9EbvPKhIWpie1 FCeorX1VYCBwRDDlMpa %2FE%3D Domains Match ocsp.starfieldtech.com Associated Sample Name / URL SHA 256 Detection Link Context aggielandpropertymanagement.o rg malicious Browse ASN Match AS GO-DADDY-COM-LLC- GoDaddycomLLCUS Associated Sample Name / URL SHA 256 Detection Link Context aggielandpropertymanagement. org invoice /qme- CYMLT/ Sep-17/ Dated-25-Sep /PLTQ- KFUJ/2017/ malicious Browse malicious Browse malicious Browse malicious Browse keyserimpactseries.com malicious Browse php?opposite=p283rzsw7g7x device_list.doc 1Purchase Order.exe 59doc_NTnsJnnJddO.js 9Swift.exe malicious Browse d69bbfbe3a5ebf8b007a0b15 malicious Browse bd7df0d903d4042d3e7e8cc ccc91f5d6dc4 265fa a0a66c7a4 malicious Browse c124e54be1a0dfe5dec2592de eb29958dfd79 3f a6e49e1f711ad malicious Browse cd192afe33e932c81a0aaf c e0736aff8df bd67378c malicious Browse f30d0a37301ccb43df4b8486 6d6aaa9fb4b Consulta_Malha_Fina2017.exe 3ad23b68a68461dd4478d0f4b5 malicious Browse e6d97fb36e1a237880b18a db96fb28b1ef virus.doc INV vbs 85Payment.exe 75eb fd9b6f2d533d3 malicious Browse c12724cf1de2adbb925d7abfd7 44e6ff73633d a3be47abef9e4c14d52161c1fb malicious Browse f055a1b0a00e26ee539f93 65d33bb7f7c2 b b8db62ecbba49dfd83 malicious Browse ca5e34aad21cb7a7d6202ef 711b57e82d52 Copyright Joe Security LLC 2017 Page 11 of 68

Match Associated Sample Name / URL SHA 256 Detection Link Context http://royeagle.com/ssfm/gesca nntes-dokument- 28029962227/ Emotet.doc 3invoice_copy_MGUxgop6I2V.j s d62c.

12 Match Associated Sample Name / URL SHA 256 Detection Link Context nntes-dokument / Emotet.doc 3invoice_copy_MGUxgop6I2V.j s d62c.exe b63af7ccb a0904f97c7 640db8e cdecb2ca04b dc36108b4cc37 malicious Browse malicious Browse bc88bfbb4a50dae7652eb28fa malicious Browse b45ad23cd594b27d5c9705 b2f2c9a91db32 b76923b75a b033ba malicious Browse aacafc3d51fa78e82990f0f68b6 681ec70fc844 malicious Browse malicious Browse Dropped Files No context Screenshot Startup Copyright Joe Security LLC 2017 Page 12 of 68

13 System is w7 cleanup iexplore.exe (PID: 3052 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3104 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3052 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3156 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\Cab44C4.tmp Microsoft Cabinet archive data, bytes, 1 file 03F9E1F45C0D5FE8E08AF7449BA1FA2F DA545C3133A914434CCE940BAE78D8AD180A529A 677FFB54BD3CC0E2E66ECCAF2F6E6C8E E4F2EF984A3A3673CCC311 12B7B857EEF3EE3672A57B FDD560340DE34627E09DCF81B910E502DCF1C4E6D42C4A2D9B47A82D061CE71213A985 DB4DFEBA04497DE3C91B6688CF02 C:\Users\HERBBL~1\AppData\Local\Temp\Cab4520.tmp Microsoft Cabinet archive data, bytes, 1 file 03F9E1F45C0D5FE8E08AF7449BA1FA2F DA545C3133A914434CCE940BAE78D8AD180A529A 677FFB54BD3CC0E2E66ECCAF2F6E6C8E E4F2EF984A3A3673CCC311 12B7B857EEF3EE3672A57B FDD560340DE34627E09DCF81B910E502DCF1C4E6D42C4A2D9B47A82D061CE71213A985 DB4DFEBA04497DE3C91B6688CF02 C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log ASCII text, with CRLF line terminators C8CA229688FBD635215DEBC17332B4C7 506D1C3767F88D17EA1CAA25C26D4020BCBCC8CB 3D336F6324C73B E170FC463F37DE1F16012BD1A36B264800CA4148EEC F0A07EADEF52DBA8AC83EA1BEABAAE64A0B556699F03A917F4A6BDDD833C39AFBDFD274ED7A45D6A239CB923B5239F194 4ABC5A813BDB74C8C3391E0A09F9A06 C:\Users\HERBBL~1\AppData\Local\Temp\Tar44C5.tmp data 4479A52B31B6BDE89384FB63854EC E4081BEFB501A266CCC4C984030E0 8C0F5D09CF41E38CF161B6CDD1C3A76CEC845B7C11DB267AB800EDABF1A23FB2 6CB248D315B0A27A88CBA9E73352F0627C5C7D94E9B5C0A934D5A1DD7BCB4239B8070FEDCCE9E7D84B2469D6CFB3BC29DB 2A14B65FD9CBE52DBFE093CF6E6F30 C:\Users\HERBBL~1\AppData\Local\Temp\Tar4521.tmp data 4479A52B31B6BDE89384FB63854EC E4081BEFB501A266CCC4C984030E0 8C0F5D09CF41E38CF161B6CDD1C3A76CEC845B7C11DB267AB800EDABF1A23FB2 6CB248D315B0A27A88CBA9E73352F0627C5C7D94E9B5C0A934D5A1DD7BCB4239B8070FEDCCE9E7D84B2469D6CFB3BC29DB 2A14B65FD9CBE52DBFE093CF6E6F30 C:\Users\HERBBL~1\AppData\Local\Temp\~DFB4EC1F73C8DD3513.TMP FoxPro FPT, blocks size 258, next free block index ED6EE1F F FB CEA112E416A9FA2E8B31B7CA84C5ACDED75F7948 D7ED23A92C4769E39E0175F55F42DEF F6F3135A382B7E38BEEFE04C C15F9829CC7AE2989CB494CFA01D91EB7A0B7F7DD0F114989A1D867F6BD281D7C85AD84A466ABFC087872B6A293ECF10CCC 97BD5936A81BC BC57EA C:\Users\HERBBL~1\AppData\Local\Temp\~DFBBEEA1287FA0298A.TMP data F72068BE7D2758C5CAE25DCBB4A3F31A Copyright Joe Security LLC 2017 Page 13 of 68

14 C:\Users\HERBBL~1\AppData\Local\Temp\~DFBBEEA1287FA0298A.TMP 827ADDB0B40F09E BDA9CEAF D1EAC01EF228FC54271B7300E5C4996A1A7F5352EF12341E5DBFD6EB307C C90824B0AB8A51217C6276D604C A302A36E34F F1BA046B114209C A6D934A3039D872C9F6D3 0528D300577B6321AD68D0C02 C:\Users\HERBBL~1\AppData\Local\Temp\~DFC0BDD56239B1C546.TMP FoxPro FPT, blocks size 258, next free block index EE4FEE65F8DC7EE7C8842D93D6876 9C42FC64DC7D30C398E50499CD9180B E 51F5665A81D3B0743CE760401FB0752E302FAEB0D9525C92AC998E2EE9E8E868 E8780FED66DFDC BBC3AF9E565905E98928A902EEAAA3A7FA926C41CE48604C5544F37011E CCC49C3B6A6 0BA93C3A51B3511D55D40BC2C2F9 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D data DE4B966388CA619EE0D F AB3C47A78AB51B4513DF6C57A878265E95AFEE98 5B569B9F3C7DE02D9F2A1F166D173F81F883AC3B9E87D23B5CB4ABBCA27FA2C1 1DEAEE69431B8FF9DE E1E3AD02BF09042DAC80A13A3E1A25C5729BF A CAFC6BD570CF57B46F42E7 D0A66B5C7D4AA3ED111CB222B258 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\58DB3B3C4BD5B0E117DD333280A0AB3D_72DDA2430C024D82FCCC8 9DE979D1B0D data 767E BC663A784E6794A9CEAC4 5DC4B283E480311E4A0DA74D EFBCB5B2 0A4CE994AB067E52C47605F71AE8828F A5F4EC5330A9DEFD29F5A2A5A 281D987415ED49AAE24DD6621FE022D62A A925A1CB557EE1478DCF9ED177B17B CE5154D5725B5B54CF 3EB554A9AD D2EC22AA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A 7E1FE18FCE4 data C5A DAFF0EF6D1CE C19E0C6FE01CB5A67C95BED6E7426AB17 BF2729E37AF5612DB8BFB E54866AC45DB5F4460FEED003CD4F8D8C7D4 C29DCD4BC51FB12609B816E9B57045B9D8F93C C0CFDC6CB21F2997F32E2F7A6DD33179A088552D041EB730E5358BB EC50986EFFE55F94BBA11FAB53D2 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 data B556CDA9CB7DD3505EFF20407FE6AFAA 9FF906CBEB2C5BFD8CC9C18DFF827536E438C A2993EDF894DAA4D7206B8DAADDD1A4BF61EF5E5E65CEB0B0212BA8D81 6AD756739D92B8490E20D4916BA6FB9C E07DDDFD948873EAFF788AC5635A7D D1EEE6CE1077CD1AC CE3F92F01D700F8775CDB5EEDB9E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Microsoft Cabinet archive data, bytes, 1 file 746F85543C3DB6091BC48A9E81E7CE50 7E764C5A3CE940D02D919109FBBE9EA0B8D17EA6 42E801DE2A E2ED86EE5C1138C4DD40F83B83BB3ED81DD72EEBF1C029 D00E8E20B863A5CD53B4E8B E455985ECD7C9A97C972B0CD6BADB52554AF D198BBB0BF680A4DF741DB 0A46A83AB5AEEAC920AC88A6D960 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_18672AE07B8CD29A708DCF95C7E5D21 0 data 85D CA73896C50007C28CF94C A7F4C1AEC42171FBAA7D949B10E276B9A9251F73 Copyright Joe Security LLC 2017 Page 14 of 68

15 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_18672AE07B8CD29A708DCF95C7E5D21 0 B C6BF0EA90BA3EA3FAD1FECA651DE1EBAB196E3A80D494985E779E0D8 415C63DFE6B F0C1BF7FBE369FCDB05B41BC001287AC366B7EFF9A1A4A637A41C1A976E36E1AC22F635CEE E0CA93CECEFDBE87707CBEC8B6E1 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ EA C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 data DF996A75BF8BC1FAC903D9C242FB0AB CD9EAE9808BFF16284ED63CBD895BE5976F 1563BA4124E2C93A2F6CEA42D53083FAC0B22854A7A8B68B317E4E90A60DF9C8 D9BCBFE6E43AD EFCEF1B F BF59E8189BD3777E6B41BF A096BF720B9083E F5F 79B81CE012FE7BECA6FC8A4E39 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D356 2 data 6DEEC49811A57A6F FF84 B F6A192C8543C0A33DA40B3FC FF16CD3A57AF578101B0C502F4C60505E6D4CAAF19D9B53D231B49A C59C894C8B7E52AC64096C7BD6D005128C84D51467E9EE8C5C2DB3F8B D417C9A6217CCD4C69ACEDBCB31065FB24 63D17C5E4A77B44068DCC368385E6 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D data 7F16B B3E56A79D17A5F1301D2 3684A2FBF87B3E14D75E59616CBA039D86ED726F 5603CB3DB16C566D6EC53BBA918097F473446CFCEF036AEAC B C2661E520CA77D4B8C3D632EDD023989C048921A10122ED5C C79D267670AA20AB960CE5D4BA32E8CA56A1F017 26F2FFBD95E3E875C FE5 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 data A4B337BE6857E5CA6702E7FB474E21BC D91AF50A15DB12EDCD94E4D135E13DE9FFAAB2C6 CEE ADABEAB359E265B01DA103D9E9AB336AF711E304C69C2C6C23 BDF20A4E9F9C62DC8C5E4C615DB81A3FF54006CF86D6A8CAFFBC481BA6507F4CAE769A066045E7AD15A4F7FC5D44C1B430 E71B6C1DDB0630E2E7EBB47E81D8E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\58DB3B3C4BD5B0E117DD333280A0AB3D_72DDA2430C024D82FCCC 89DE979D1B0D data 1BBC4C837AF404994DECB5EEAC5C2FA3 4C4161CB838879D B70AE2EF2690E54AFE 608D789775D90CA5F9A24AFE95DF50AF46853EEB24824F36A4B87EE6F80CD067 7E2EC2B349CEAB2A57FD27C E0E37235DAADB332AD03A57B BF781C0999DDE79CFC643AC9CE27DB7E4CB0 8C50019E7C6F78B266C5EFE4244ED7 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8 A7E1FE18FCE4 data D5E114A420756ACC303CE29EBA567B2B AC960C2F79417ADDBC51258B529762B99D5D9B30 B344852BC C731DC7EA A07747EAF3B55A4D4CDA6F6F773C7 0E618197D8CDE9E4546FDD5035ED33D74A4D7AE5DB2F2A CEFC35EF5D2CB6DC734983E797928EAB28B9EDE5C333 57F814402ED56CB2304B1CE1CD9B5 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 data 8A9B156636BFDF BF9A0E151 B1DD9689F5A2C6ABA34F6E2960FA BB3 99E94CF9114B6A400F0E AA8C26E5DDD7AF9903ADA7D03DD3E951F5E1 Copyright Joe Security LLC 2017 Page 15 of 68

16 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 4D76623FEF92C3A69CFC05DBCCDCE5D A8D729EB7310A34D85A00CF284B7DD63AC559055CFF00FC0C26EC57350B 4A7F DF2D9D8BD36E35E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data B60E2A57BF79EB2CB6B A FDFD65BED95C9867F332CA7E3BD524EBBE40C EF05CE50FAC64FE734845D088EF8B82BDB9B9673DD5CB4BB855AD4121B402CF7 C24A78EB7B6D0DE21B1C24486EB7E633C7F2C8FBDD2D57B223B49986E67639EA7BF21566C7DCE1B7F1CD79EF7A16CF7CFF F6C971A533E8AC0FCA8C1328AE36F5 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_18672AE07B8CD29A708DCF95C7E5D2 10 data 54EDDF469BF12F78B0CD F4C44 981B76F19EE2BD5FC35AE106D6A F07FC F8066F850838EA92B8EF67E83DCAD EFBBB155F DEDAD3395D34 B920D6371F13EA53EE1058B5B0300F7957A74D5A1A943F4CCFB6829EF649B4DB45AF23CA896E61B087CBE5CCBC68DCC666F 8FFAF59DBCCAE46C2BDFF5941F896 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ EA C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D 56 data EF4CA2D9DFE5C7F7EFAFBD2 2C1EF189B3D81CBB91A BCEC0C0C1A148C 6A B8D7037D9A00662D5FE1DE94BC5F922AE26F1BFB26F1BD41D560CB0 9932AC778633D8E4E2E1B471F63887AA3D6A873C40FB58E3198ADB6041B83FC F783B731DB607D3ED487E6B9B4F1AC B00876D9F7C2D08E7 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C 15521D5D3562 data C03A27260DDBCF18C56D2ACE9E2BC7C0 EE222E95EB8BE2F8D230F F DD0C7E9CB8D38F2F18CE C17085CD189F6D6DB706F B 88A7A8385B635B8B4E0EC40D69DD28AC69E238ABF19F1D0995FEA4F2C2BFE45242EDF009DDFE3DBA9C4C CAF2F0 061C228A80013A3B514CC39BAD238 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced 5B188904E3BC E7AC4A4A 96607BA DF3A A5E83BA8683D 507C647828E8B817E23D90C7BE73B3105C32B D0647B35046A32BE BF5DBC8CBAD84CA240A2DDAD2DE73BFC434193A4F A E8C92D99AA6B0C5698C702FD155663DF2891 6F74561CAE1F8C73C0D9DD1A9FF7 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 84D41B8DB74721E7123C19A3071CA FDFD209C DE0F3BAE31F48A16AA 69B49DEA5F2EE4C88C078A174ABDAE726C4172A5C0B54C62DF0ADEE99BE8D93D 85F2E39EB0AFFA6EDD34C244A366BB2E76BAF02BD75EDAA926BF88C99DD36D80D2F9088C2CFEC3C43C247445BA9238D EE6150C4BFF13D91467DBCD041 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{66197B51-B1CD-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document ADA19E91D7D1B18454FAC8FBBEE58EEC BA1758C1C9D3A B0C1A8A0186CCD27A78 F7D63153E2F4BECE389C FD7BB07F20EC4C0D17A3AD08B409B17 Copyright Joe Security LLC 2017 Page 16 of 68

17 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{66197B51-B1CD-11E7-B7AC-B2C276BF9C88}.dat ACE014299E413DE55DCAD58E1C1C16FA C748355E21210EBE2C06140EEFF8182E5C273C9AC3D81D740F8B6F3BA5 B9188E8D1B9E ACFFA C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{66197B53-B1CD-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document 1CE3B78B30D94024AEAA89A39A11EDBD D50D1C3D997E469B491511A50B8ADED78 AC41DE F9888F3E192025A0F3F5CB7F8A1EA83C2648D50DA3C35B7E207 9B0EF67773DDFB6C57CB0AA01D1A1188E8ED74231A22CC91BACB3F62916DBD0BF A DF2D4AFE3D4983C3A6 C3B767FA8583B25BECCA0C259D2D6 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6FA975B0-B1CD-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document C0A3BE1898C26626B90D53E08C D95403AEE4648F5AFE0C9DAC8C6EB33F03513AC6 7C867964D886541D2627C13E26F6BDF23B28E07A6DA437B66FBD955EC6DE4040 C7C1D77657F85D1578D181AF7790CA2A86FD30DFDD312DC411AFB5CEE3545E28A459B600C5D FDBCF2D20B1AE3F7 82ABB5483F95DC4A3F398BCFC25C C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\verAE31.tmp XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators E19AB74E16EFE96F142EB4 66B9CE117BACE5088B09B4AB506C CD 2B25A9DD5C47DA010258E1BC93D512B8E484359AF1003FE1B85390E93519C60A E01570FA713BAB17D4941A1D46605D5C0FB89635C E286F608A256F40D260B662CDAF2ED064D52CC57400DAD9BDB4 FE1677D18559FBBF7B64068D2C75 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\bootstrap-select.min[1].css ASCII text, with very long lines, with CRLF line terminators ED10B6A8521EC59FDFE33E6FFD7386CF DAE E7E9B869BA FB6D D FCB081F1E863C28269D02017E179ECFD94FF6E54ADF916A73BE602A1 ACFF72E03EE2ABDF431DCBB289B4EC4962C79371FF8043F4793A33B932AB0AAB5E8F41509CF491E68E09B4EC9682D9AF7C7 39D20C38E3E65C1D1558F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\bootstrap.min[1].js ASCII text, with very long lines C5B5B2FA19BD66FF23211D9F844E AA054A026BDDC0DE92BAD6CF7A1C6E73713D5 2979F9A6E32FC42C3E EE9FE76B31D1B A02B4A7FA6A4FD280A D9EF2AAB411371F C C8593AB5B3721BEA F25BD5DFDEC5991CDFE5C5EF5F4E1D54E390E93D FD3BCA3F782AC5071D67B8624D4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[1].ico PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced 5B188904E3BC E7AC4A4A 96607BA DF3A A5E83BA8683D 507C647828E8B817E23D90C7BE73B3105C32B D0647B35046A32BE BF5DBC8CBAD84CA240A2DDAD2DE73BFC434193A4F A E8C92D99AA6B0C5698C702FD155663DF2891 6F74561CAE1F8C73C0D9DD1A9FF7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\glyphicons-halflings-regular[1].eot Embedded OpenType (EOT) F4769F9BDB7466BE C12046D1 86B6F62B7853E67D3E635F6512A5A5EFC58EA3C DA87D9E23F8C3ED9108CE1724D183A39AD072E73E1B3D8CBF646D2D0407 EFC910C96B9F5C58EA11A84577CF60AE995503B1EE670BB7E7D4A413B F82600B581F1BD4EE03D71C76C15255F09 72ED66AD969487B5A4043F472C4 Copyright Joe Security LLC 2017 Page 17 of 68

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\style[1].css ASCII text, with very long lines B2810FEE516891A4EE623B F2D3F20476D028BCA54AC216C089E4E79A3A D6A41CA3E9DA3CFEE0D5534A9FD031920EC8F71C7C11D6BE12EF429DFC C C09A0DCCCBCD0109F724BFB28B11ED591CBF1FE130DF5925C3F3B73F FA0CC4C231CA29B501E42FE 21B F69E30BEF0B2E5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\validator.min[1].js ASCII text, with very long lines 38C28AECFD6653E2ACAFE74E93E8A99A 6D7748B0C2C5C524CDB1F409647B47ECC160EC E3A4EF8154ADCC E1D FB640C270BF8AFA3F3901B E85DC B184E8DDBE488B3905C FEB7189ABBF10CBB13328C2EAADBA4EDC5B25654CFDB441CCA29 F B9877BDD684C2FB64F570 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\bootstrap-select.min[1].js ASCII text, with very long lines, with CRLF, LF line terminators CA17EAAD3B606E2AFDD2D506AA AE2F693851AC43326B8E03BA65079E56003A FBF136E904714B0DD85FEB0134C3A9E6E0ED5F3B35F11E5AA3CF273E69E352A1 ECD33C1C89B9B58E0FD8FB0624DF413C F0E68BC75BB AC7B40F706F5504E1690AA631CF8CEAA D BD2C8CD8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\bootstrap.min[1].css ASCII text, with very long lines 2F624089C65F12185E79925BC5A7FC42 8EB176C70B9CFA6871B76D6DC98FB526E7E9B3DE EECE6E0C65B7007AB0EB1B4998D36DAFE EFC3F86F4C91C 9CDA3EC821C4CA7D2C98CC52B309DFFCE9D7EBF2B026E65394D6418DAB8A8532B473ECD3FAAE49382C AAC947 D8E0E84B3C80FB83DAE65C6032EA4B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\font-awesome.min[1].css ASCII text, with very long lines C092C9582A9FF5EA4C43FA622B 03BF1AC337DFE6F50FB25FD3E254A2BBFAB26CC6 B5675B0D1EE88DB374B1E60E301FDA9F0C1D3585F FC4E529C2 0D0F CEF35A6E5DA6E9F72312D5EA853ECBA16E0DB26605DF5A9469ABD31497C51C0B3CCC5B82A713B05A69FCAEA AD7A403550D982F8CEF5B9C098B0F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\reset[1].htm HTML document, ASCII text, with very long lines 47CB E52C07F1A930A27CCA00 A79F1A305FE74220C44212D2D8FB0220ECAEF2EA 9EB37BCEFA8FCE4F8639A308DB7F2C12DF825AB05CF F803ACCA51D973 1C C4B727C0D04D7A716EBB5031FF88FE3F650C41007B30724CD8D35294DF18037A2641F02547E6D0F630196C051B FD1D9B254D2C3EA0FA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\deloitteLogo[1].png PNG image data, 215 x 40, 8-bit/color RGBA, non-interlaced 668B15E56CD60059F D6B9ED2 341D9018DDE22BB35A0F7B53E B30681B5 D1052F4FEBBB614E114CDF38C1FC2E359D12C83D8E5A15B124566B1EA13E8E56 DD54F9CD797C9B465B EDB1FA FB2E098C85D775B6CE2E82938AA258479A7B127460B69B3F43C17F21DA81F0C 1582A0F42BFCDA03F540E4D2737 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\iecompatviewlist[1].xml XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 84D41B8DB74721E7123C19A3071CA FDFD209C DE0F3BAE31F48A16AA 69B49DEA5F2EE4C88C078A174ABDAE726C4172A5C0B54C62DF0ADEE99BE8D93D Copyright Joe Security LLC 2017 Page 18 of 68

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\iecompatviewlist[1].xml 85F2E39EB0AFFA6EDD34C244A366BB2E76BAF02BD75EDAA926BF88C99DD36D80D2F9088C2CFEC3C43C247445BA9238D EE6150C4BFF13D91467DBCD041 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\jquery.min[1].js ASCII text, with very long lines F03E5A3BF534F4A738BC350631FD05BD 37B1DB88B57438F1072A8EBC7559C909C9D3A682 AEC3D419D50F05781A96F223E18289AEB52598B5DB39BE82A7B71DC67D6A7947 8EEEAEFB86CF5F9D F7B60E1805E644CAC3F5AB382C4D393DD0B7AB272C1909A31A57E6D38D5ACF207555F097A64 A6DD62F60A97093E97BB184126D2A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\login[1].css ASCII text 4E34F04B4739A32EE6677C884C C9B154359D AF76E31ACB7C3FCE88D 560B83807D00C1415A79441A4D56B169AC1A9C0ACCDC411C C0E30E1B B5455FFFA0F41A1B8DEFBC BAE B6FB1E7D334A4C F52AF9F8339B225B49E1390C23B50DCFD914C8 C451E2B3194F6FAC1DA84BE41550 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\urlblockindex[1].bin data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69 49A6A2FE2FDD AA645C07 Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection ajax.googleapis.com true 0%, virustotal, Browse clients1.google.com true 0%, virustotal, Browse ocsp.starfieldtech.com true 0%, virustotal, Browse true Contacted IPs Copyright Joe Security LLC 2017 Page 19 of 68

20 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious United States GOOGLE-GoogleIncUS Netherlands AS GO-DADDY-COM-LLC- GoDaddycomLLCUS United States GOOGLE-GoogleIncUS United States MEDIATEMPLE- MediaTempleIncUS Static File Info No static file info Network Behavior Network Distribution Total Packets: (HTTP) 443 (HTTPS) 53 (DNS) Copyright Joe Security LLC 2017 Page 20 of 68

21 TCP Packets Timestamp IP IP Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Copyright Joe Security LLC 2017 Page 21 of 68

22 Timestamp IP IP Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Copyright Joe Security LLC 2017 Page 22 of 68

23 Timestamp IP IP Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Copyright Joe Security LLC 2017 Page 23 of 68

24 Timestamp IP IP Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Oct 15, :22: Copyright Joe Security LLC 2017 Page 24 of 68

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: ID: 37366 Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis