ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

Transcription

1 ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: Data Obfuscation: System Summary: Anti Debugging: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTPS Packets Code Manipulations Statistics Behavior Copyright Joe Security LLC 2017 Page 2 of 49

3 System Behavior Analysis Process: iexplore.exe PID: 3060 Parent PID: 548 General File Activities Registry Activities Analysis Process: iexplore.exe PID: 3112 Parent PID: 3060 General File Activities Registry Activities Analysis Process: ssvagent.exe PID: 3164 Parent PID: 3112 General Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 3 of 49

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 22:12:09 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 4m 37s light browseurl.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: HCA enabled EGA enabled HDC enabled CLEAN clean3.win@5/55@4/3 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 100% (good quality ratio 85.2%) Quality average: 64.6% Quality standard deviation: 36.1% Cookbook Comments: Browsing: LinkId= Browsing link: LinkId= Browsing link: Browsing link: Browsing link: Browsing link: Browsing link: Browsing link: Browsing link: Browsing link: Browsing link: Browsing link: Copyright Joe Security LLC 2017 Page 4 of 49

5 Warnings: Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold true Classification Copyright Joe Security LLC 2017 Page 5 of 49

6 Ransomware Evader Spreading malicious malicious malicious suspicious suspicious suspicious Exploiter Phishing clean clean clean Spyware Banker Adware Trojan / Bot Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Signature Overview Networking Obfuscation Data Summary System Debugging Anti and other Techniques for Hiding and Protection Hooking Language, Device and Operating System Detection Copyright Joe Security LLC 2017 Page 6 of 49

7 Click to jump to signature section Networking: Downloads files Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Uses HTTPS Social media urls found in memory data Data Obfuscation: Contains functionality to dynamically determine API calls Uses code obfuscation techniques (call, push, ret) System Summary: Found graphical window changes (likely an installer) Uses new MSVCR Dlls Binary contains paths to debug symbols Classification label Contains functionality to instantiate COM classes Contains functionality to load and extract PE file embedded resources Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Searches the installation path of Mozilla Firefox Anti Debugging: Contains functionality to register its own exception handler Contains functionality to check if a debugger is running (IsDebuggerPresent) Contains functionality to dynamically determine API calls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Extensive use of GetProcAddress (often used to hide API calls) Copyright Joe Security LLC 2017 Page 7 of 49

8 Language, Device and Operating System Detection: Contains functionality to query local / system time Contains functionality to query windows version Behavior Graph Behavior Graph ID: Sample: Startdate: 17/11/2017 Architecture: WINDOWS Score: 3 started iexplore.exe Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Number of created Registry Values Number of created Files Visual Basic Delphi iexplore.exe started Java.Net C# or VB.NET C, C++ or other language Is malicious 53 Connected ips exeeded maximum capacity for this level. 4 connected ips have been hidden. mem.gfx.ms , 443 AKAMAI-ASN1US assets.onestore.ms , 443 AKAMAI-AS-AkamaiTechnologiesIncUS statics-uhf-eus.akamaized.net , 443 AKAMAI-ASN1US started United States United States European Union ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 22:12:16 API Interceptor 154x Sleep call for process: iexplore.exe modified from: 60000ms to: 500ms Antivirus Detection Initial Sample No Antivirus matches Copyright Joe Security LLC 2017 Page 8 of 49

9 No Antivirus matches Dropped Files No Antivirus matches Domains Detection Cloud Link assets.onestore.ms 0% virustotal Browse statics-uhf-eus.akamaized.net 0% virustotal Browse ajax.aspnetcdn.com 0% virustotal Browse mem.gfx.ms 0% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshot Copyright Joe Security LLC 2017 Page 9 of 49

10 Startup System is w7 cleanup iexplore.exe (PID: 3060 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3112 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3060 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3164 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\Cab5E96.tmp Microsoft Cabinet archive data, bytes, 1 file 03F9E1F45C0D5FE8E08AF7449BA1FA2F DA545C3133A914434CCE940BAE78D8AD180A529A 677FFB54BD3CC0E2E66ECCAF2F6E6C8E E4F2EF984A3A3673CCC311 12B7B857EEF3EE3672A57B FDD560340DE34627E09DCF81B910E502DCF1C4E6D42C4A2D9B47A82D061CE71213A985 DB4DFEBA04497DE3C91B6688CF02 C:\Users\HERBBL~1\AppData\Local\Temp\Cab5F4C.tmp Microsoft Cabinet archive data, bytes, 1 file 03F9E1F45C0D5FE8E08AF7449BA1FA2F DA545C3133A914434CCE940BAE78D8AD180A529A Copyright Joe Security LLC 2017 Page 10 of 49

11 C:\Users\HERBBL~1\AppData\Local\Temp\Cab5F4C.tmp 677FFB54BD3CC0E2E66ECCAF2F6E6C8E E4F2EF984A3A3673CCC311 12B7B857EEF3EE3672A57B FDD560340DE34627E09DCF81B910E502DCF1C4E6D42C4A2D9B47A82D061CE71213A985 DB4DFEBA04497DE3C91B6688CF02 C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log ASCII text, with CRLF line terminators 244AFFA2EC69DF23D62F1238BB92716B BA18B4A39137BC72F4F0BF4D56DC0F36AA4BC9D A85704B57484D955356CEB978FDA4932A3C35CAFC586970CFBE3AC052A6 E6C51D59DFE8B7C3B539776D983CE8FB2A47C52938B5039E5648AFBF50D79C94B0F93E0FBA929A29F8B98BBD5BA88B662C5 B405B009BC318BBA94756B5C403AB C:\Users\HERBBL~1\AppData\Local\Temp\Tar5E97.tmp data 4479A52B31B6BDE89384FB63854EC E4081BEFB501A266CCC4C984030E0 8C0F5D09CF41E38CF161B6CDD1C3A76CEC845B7C11DB267AB800EDABF1A23FB2 6CB248D315B0A27A88CBA9E73352F0627C5C7D94E9B5C0A934D5A1DD7BCB4239B8070FEDCCE9E7D84B2469D6CFB3BC29DB 2A14B65FD9CBE52DBFE093CF6E6F30 C:\Users\HERBBL~1\AppData\Local\Temp\Tar5F4D.tmp data 4479A52B31B6BDE89384FB63854EC E4081BEFB501A266CCC4C984030E0 8C0F5D09CF41E38CF161B6CDD1C3A76CEC845B7C11DB267AB800EDABF1A23FB2 6CB248D315B0A27A88CBA9E73352F0627C5C7D94E9B5C0A934D5A1DD7BCB4239B8070FEDCCE9E7D84B2469D6CFB3BC29DB 2A14B65FD9CBE52DBFE093CF6E6F30 C:\Users\HERBBL~1\AppData\Local\Temp\~DF840C90300FA2C421.TMP FoxPro FPT, blocks size 258, next free block index F2ECB639A47FBD5D39CF81A087B6373C 70BB10809CC69F6D14A881EA32436D60903B653C F52DD299379DC19CFB2802F05EB63588AC9F156AB6152ECEFC20D2E D8AFD3573C4CBF6BFF805F8FF4C79F71EE566E72D25C09AA4BBDCC2AB5AE2B2B281812D64C50659FA29593FF8EA7C7D7D5 B6C951DF351217FB5DA5EC0B08769 C:\Users\HERBBL~1\AppData\Local\Temp\~DF840E4044B69878F5.TMP FoxPro FPT, blocks size 258, next free block index CE FEDB0BFD28608D7CF6E D E900D8922FA4EC89E06B9B2B50 D7033FEF0BD8C87295DF619E9BC8BCD4A7588C2C999262D0CD962EC76E3F7B06 FC6429A17B55A6076E7134D83B80A60DA952BB032F1E38BAEAF7B95A FF3A9C B74CA423042EDBB9 941B48505BA0CA66F195998F3CE C:\Users\HERBBL~1\AppData\Local\Temp\~DFB682F74A4BF1FA7E.TMP data 1E838EBEA4A47E6E3D5C8AC2E41B6CD3 233EF7E21E4EFEC1209FA1CADD25DFE2DC19F794 5C88898C4EB76F46F4BC7BB88C1EFB2C920F D798BF10B3EC80BCF 48005DEDC63B1AD E3D34ADC02AE BF47ABEA518BEB1BFAFF9DC9C9BFA1BC1242B4BA94AE7FD7CC7ED8 17BB1443EACD646190BC53E8EC9D7AB C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9 911FE760A9B data F0D589A5E2E388744F7C35AF BDF38AB8786BABD6683F87240F299DCB834B525F CF0EECCADC51C0BC63AF9750EDAC9D65441D63C9E704B843DB00ED45B 51A48C56C6F8240C3A3C F29314CE5ECABB42D1BF1787CCCE6AC0EDEF3CA04DC20D20E80B4FD78EC28978D7FA E6C4653BFB3B07EB69E82883F33C88 Copyright Joe Security LLC 2017 Page 11 of 49

12 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 data B556CDA9CB7DD3505EFF20407FE6AFAA 9FF906CBEB2C5BFD8CC9C18DFF827536E438C A2993EDF894DAA4D7206B8DAADDD1A4BF61EF5E5E65CEB0B0212BA8D81 6AD756739D92B8490E20D4916BA6FB9C E07DDDFD948873EAFF788AC5635A7D D1EEE6CE1077CD1AC CE3F92F01D700F8775CDB5EEDB9E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Microsoft Cabinet archive data, bytes, 1 file 7FD39BEDBDAF714E4994F95D05FE64AA 63EE2B8B800206E92D6902E7EE90FDE87CEA95F1 4964CD37D5F264DF97A8B7D3F7E96A9F5D91E18A342AB6D7DEF48235F09CB62C 90C3D36BB8DB8269FCB3748D FE6EE69EE5CE4170AC F75EF832CCC01A1507B2FEDBE0A98F ED13 4E18F90B2D12A36916B3BED1E08C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_8C550960E440B9C3B93A6A0AA915C9B E data 44E6581B69BEEDE74D1AB8A451696BAD 2F6FD642EBB1F2CF3A8E9DCF24B35BC02014B202 CFBFF582431C52FB56A056EE8E8BBEE881CD8F3AD9AC0BFDC034E29A21AC9F93 AFA76D7EE7FC9E42DFD0BC6C8C7F7F2DAA6E0B5F93D44CDA E38254A760659FF259E F4B F97F12EA6 85DC6DE90A81BB409C2A16BD8EEA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D _D9B9F37ECE595B0B7B6AA12451D392C F data FCD8208E C1C1897D21 BB679788BCA988FECE8C76571D6EF47865B7266A 647AFC083B991710C60CBF2A39974B3F942AB8D9077A7A0C69F221EEE3C90FAB 46520DD89FAC5DB9359DB82A5BCE55452FE4EFF5E F5A58ACD37663AF296B8FF94AE2D5CFC93B D F32678CBB15FE9C1E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86D E data 3436EF5B8CBDC297E00EC3836E47704E B0B884A03E D0C38F2EA4BBFA C7 53A0F041D63597C190496CDDE7A08D AE38FA0B817A7AA1960D7CDDD7D FDFD1FC1017C DECE846431F3026A03F61E0A1871DA9072EE A9E4EAAC8B3B3F69D30B7FBF3C024D4CEC9 57CFB164E9DAD4DDC59D526A4C7D C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA 9911FE760A9B data F C4550FE6FC1584A ECD396CCEB7F4FEB7DE7F4E98C 37E857CCCB003CED9936E946565B259777B965307B94AA75881B6CEFFD8CB060 9A162C786D1622D48C50170A18FFF2E81AAB301384C8AD9387AA66898AA88597D029320B771F00C0186D41EA003F3E D8F A60C032957AE903 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 data 807F78830A45FED2D4CB1888BA60B0C1 E904E52DF52801ABC28901CEB60C9487AA65F8AF EEFC46E2D31D898C6FD49E36EA9223AD1B14B A6BB0B077107B56A C978551C1C06AC314E03C3BFEA9EB869330D3AC3FE0ACBE1AEDF0681A59B90A3FE25523B1607C5642D988EB4EA04EC85 9F7A9BAE298A4984F90AC1F29B10F Copyright Joe Security LLC 2017 Page 12 of 49

13 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 data 96179FC CEFB0C9421BB1FFD70 0A84725DEC9B9998A906ABD459362CDBBC8ED92E 1A8130AEEAB66FEEF6307EF92F0BB703A253471A DD969FBA04855C9 F91D5596A32F8369C1CFA9EB79D837689C9A189F2954A754E1D276FAB7F9C6DAD5629D1733BC3B4D62C61B DAD630B 0D287230D7EAB0BDBC90AE765E9F C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data 2CF6F2412F40C17ED0FF0921D24D3DD0 01EDA19F09B5BB07ECB14A6293BBCCD13564C E41DAFED6A02B C8736F79CDDAB14C0C8A9AA10270CDE7C61FF 67046BA05333F38BA074F78650F126D E60A206CD3B83798A86DEB81C96C0FEEA4FD396EFA3035E7152BFA52E59210 ED6ACFFAC854A A4260 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_8C550960E440B9C3B93A6A0AA915C9 BE data DB9129D95BD49D BDF3848B215 C9E EA3DE7306AB20FFEC808B8453BFF39 FE44B3F179B520F1D8D92D0903BAACB4C31FA15F5F658E00857E12A6BC3A672E F983FA9F2C0774E69CF374D2AFFD5E3ABE59E29352A552AFC96E279AE71085C7FDD8AA1E5859B24D597C819C18E55D1C3F7 D55975FA34637D0E12AD5E076F221 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D _D9B9F37ECE595B0B7B6AA12451D392 CF data B8C2E799548D703E64D3C6AE637FA96B F8576F5D762ED28FF4B65FF6370D 3DE51A9534A09B7EB74777C1540E AA18BFBC010AC17C5E0257B33 ED16A50A8C42BC8DDE6B7C8ECD4CAF2D703DCA4B42088BB8B2D09B885DB9DA9EBB2994C63DD21DD8B273B20DCB7BD806 7F5CAC37F63E5C60D938827D745AA6B1 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86 DE data BD29D588107E4E1B5C39E022B61147A4 A0361ACA78AD4FEB0ECA4C344FCA685A545128BD D314FE4D26C7353EDE8F F8C960BC5AD14E1F9995AF01D89778E7A62C6 2C937E8E4EE63C9948D722C3D718D440DFAFB8268B3987BAC EEE178B9E7D9813C023E3505B E60E CFC406009A1190CD278C51549DB C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced 5B188904E3BC E7AC4A4A 96607BA DF3A A5E83BA8683D 507C647828E8B817E23D90C7BE73B3105C32B D0647B35046A32BE BF5DBC8CBAD84CA240A2DDAD2DE73BFC434193A4F A E8C92D99AA6B0C5698C702FD155663DF2891 6F74561CAE1F8C73C0D9DD1A9FF7 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators FD0571C58C9AA61FE90C1736A05DD A3986C91D32D113B6D0CECD189E AB 0A69A5007EAACA135D20024A97B9622B0B59422A6782F DC54DE6 C EA35E692EEFE6597E4F2889FD9B6A9F5EB2AFA9B8979A705E0C3C8E8E48BCCFF5A9D21C8D90EBA9A8F0952A E E5DBCA8B5FAE6F07164CB C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FC7B0701-CBDB-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document Copyright Joe Security LLC 2017 Page 13 of 49

14 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FC7B0701-CBDB-11E7-B7AC-B2C276BF9C88}.dat D726DE2FFAABC7B1D7EDA56319A439EF B6BDFDF0D9BB644B3B431FBD4794F77A709F6AE9 F E0363BE7F6DB232605CD5D82A5F775672E89C43AF7645CC468CBF5C A7BCAB3A86F4E7AF A57EE418574F74E2AE35EC662C494F68EEB2AACC5AC4F6AB508BE8640DB58C9C0C1F C2285AFA3F9E4B3748BDF78AF1E0E C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{060C8890-CBDC-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document F99DE7CB4D09ACFC7EC6FC21DF1CB41A EA37F30DF E3DF38EEF D 148F4E889ED502A552EFE21A877F8CA9D53302F11AB27E74013E59836AF C0B C30E845D7AF7CFC58B270AA06938B8E2DB D88BCAD9BCEE4B1393F6C67E4A3783A4E9E172894A1 2561D5C3DA732B1D A5DA C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FC7B0703-CBDB-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document 20B9C2A36FB472A452444E C53 63F62D5B441A8D9DFFB358FB5B45EA46B509ACBB D2B6AF C DB4BFC9D78C676F0093FC8D59EA027E6E96 146BC87349FE42B663BFE1E6F84B09ECF BE6195D7A69377B72CD9B4C7EA84E A0AEBE2EDB806A6351 AFC40D9A0D02D6957C1A C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9F86.tmp XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators E19AB74E16EFE96F142EB4 66B9CE117BACE5088B09B4AB506C CD 2B25A9DD5C47DA010258E1BC93D512B8E484359AF1003FE1B85390E93519C60A E01570FA713BAB17D4941A1D46605D5C0FB89635C E286F608A256F40D260B662CDAF2ED064D52CC57400DAD9BDB4 FE1677D18559FBBF7B64068D2C75 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\fb4mf11\imagestore.dat data 6053CEFACB6A911E999187F37AF3FDB5 D9B29D409D0CDB2F1615AB9342B653D D5 2C08B1A0AE70168FCEE380A6DFA66DF9CAF7C7A033C77A457449E8D4A3C0406F F69ED43F4986D97BE91EE95C09549AFA B4D341257E E0B43E9E12BE A5C6E C4181F D7E CCC0AF2A1D7123 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\8c-9ddf90[1].js UTF-8 Unicode text, with very long lines F508E9BB517E7AE4E9C64A4758A372A6 6B47698ADD1CFF39F375757D6CC D6A33D CFE89162DC0EAF54A711232A E1AA8EB7BA81696D987C48C B13FB CB55B D047B351E60DA217CA C04D4FD4BC2D7F8D4529E5239E262B01DFF5EF115 A8F0C2431E5E8D93B4A5FEAF9B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[1].ico PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced 5B188904E3BC E7AC4A4A 96607BA DF3A A5E83BA8683D 507C647828E8B817E23D90C7BE73B3105C32B D0647B35046A32BE BF5DBC8CBAD84CA240A2DDAD2DE73BFC434193A4F A E8C92D99AA6B0C5698C702FD155663DF2891 6F74561CAE1F8C73C0D9DD1A9FF7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\latest[1].eot Embedded OpenType (EOT) 17DFE73CB9C64527F7248B0A24DB317D B9239FCDAF038FB2D3A919E DBAA AD75FB92B2EBCE6C37640F03E1AB96A752F388BCE60C877ADE4780B13839E8C4 421B56D93E9BD5E4B4449DD0FCDEE8D531087FD484C91530AAF0A67EDEA33D5AC2F14A7F4966C528C0F130F17F26629FCAB 9F8AB47E950CEB5B9F1A827EA0728 Copyright Joe Security LLC 2017 Page 14 of 49

15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\latest[1].eot C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\latest[2].eot Embedded OpenType (EOT) CAD76E4816AF6890C9BFD02A6D1EA899 9EDC91541C31034FCE0D83AABBAAD4C314CD3D33 D D1A062E5DBE6C34C1994C8CE3792B24AFD5218D0644CB1F53DA4BE A5856C2B4D8CBE2A4BD233A93B266A03D E1D1733B33B65AB7A504AF0AC31DE2F1E69F6FF8CCD7A169CD D34FFF8DE4CB8C98DB2DB2C863 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\microsoft-gray[1].png PNG image data, 216 x 46, 8-bit/color RGBA, non-interlaced 9F14C20150A003D7CE4DE57C298F0FBA DAA53CF17CC45878A1B153F3C3BF47DC9669D78F 112FEC798B78AA02E102A724B5CB1990C0F909BC1D8B7B1FA256EAB41BBC0960 D4F6E49C854E15FE48D6A1F1A03FDA93218AB8FCDB2C443668E7DF ACC2B41DAEFC25ED38FCC8D96C FED35C36A5017A11E63C8DAE5C487 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\privacystatement[1].htm HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators 11A8819BDACB378410D210004E04AC0B D5ECBCBF AF65419D F79A93CA 762EF9109B2E1BEF8D27ED80F45F0B231DA55D208C7E46303CAA139A6383B95C 748ECDF3B862CEA118DE3B9C5801FE8E2573CCB29EF6C3D045025D57DDE401C115635D2356B7181B7AEFD5CD9DD13E875F 38EC9024AF8FB3C37E657053B772B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[1].ico MS Windows icon resource - 6 icons, 16-colors 12E3DAC858061D088023B2BD48E2FA96 E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5 90CDAF E C605D D348116D198F355A98B8C6CD21 C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB 4912EE169D C719CD01 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\icons[1].eot Embedded OpenType (EOT) 77E1987DF3A0274C5A51E3C55CEE7C98 9B0FE96AF141AB09183F386F65BC627B8C EF04649D4D068673CF0FA47EF4C45C8BE291E703F4EC5FC0E507F AA2 B1E0CFB515FF BA D27B1FC043F66CC4E9591C504F88273B98697B99ED25955DB84986B39ED9F D C88064B14C29ADC020FBF6E295 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\iecompatviewlist[1].xml XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators FD0571C58C9AA61FE90C1736A05DD A3986C91D32D113B6D0CECD189E AB 0A69A5007EAACA135D20024A97B9622B0B59422A6782F DC54DE6 C EA35E692EEFE6597E4F2889FD9B6A9F5EB2AFA9B8979A705E0C3C8E8E48BCCFF5A9D21C8D90EBA9A8F0952A E E5DBCA8B5FAE6F07164CB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\jquery min[1].js ASCII text, with very long lines 5790EAD7AD3BA27397AEDFA3D263B C215FE5D1EC081D83461BF4A711E ECD295D295BEC062CEDEBE177E54B9D6B19FC0A841DC5C178C654C9CCFF09C0 781ACEDC99DE4CE8D53D9B43A158C645EAB1B23DFDFD6B57B3C442B11ACC4A344E0D5B0067D4B78BB173ABBDED75FB91C 410F2B5A58F71D438AA6266D048D98A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\script[1].js ASCII text, with very long lines, with no line terminators 02AF9D2AE8A03B15E BDEAD Copyright Joe Security LLC 2017 Page 15 of 49

16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\script[1].js 05C1C0A C38FAD35EB9AE04D8F563C5A 6A55DDD3BCECA43EC43502D77BC45C8185AB003F853F120E8C F99C88B C8B241C4F60690C4143BC5D7BCC8F0C83562C31F84A87F8F9ECFCF9C5FFE0E30935AB98E4B8E FD3638E9AFFA FAFA B15EAF106FB0C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\app[1].css ASCII text, with very long lines 7C593B06759DB6D D206738D6 0D4F76D B8DDECFFE A77A3C F7D9FB0479DE843CF3FB0B78FC56BBB9E30BF0A238C6F79D9209FA8B22EFB574 EF91B610CF17A17AAFB48984B4403EF175EB86096E3F12E23AE8D4C7C96EF60ED14DA3F69721E095CD2ACE3F0A D BB906F7FB3576C2C1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\epb[1].css ASCII text, with very long lines, with no line terminators 00B B6A0D8B6ABE4F5F8272FFA 220B1755B72A83B870B23AE6DE A BC592B79DFC7296A870FB26CDFB D252AAC0B2A365BFF4B E60 A3BA7816C14E5C59C0985F24DFB4C4C0FDCC1A0B63E3F1B4B2D9267F4A0DFC85DE4CF9878CC57618BD18F3A20EB975C52F ED4A996B268FD0E549EF188626B8E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\print-icon[1].png PNG image data, 16 x 16, 8-bit/color RGB, non-interlaced 023F5AC6E0114AF1F781BE5D3C C166284B8541F1DE32DC5C4DEC635C296BF85C98 75D637BF6B6DFF D0BE7E0C90F012BB118C2EF19099AFDCBC630ADFC79 DAFA49056E3D3014DB CC05773C09938E2E EDCFF8EA2D7C769D377539C52DA70321B94F4E8F045F56 EC51BC2B701D95BB3213CC2203 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\shell.min[1].css UTF-8 Unicode text, with very long lines, with no line terminators 1F9995AB937AC429A73364B4390FF6E DCC6407CEB5CEF236AD52B9F2A3A9528D3B 49E5166F40D F86E08AB76A977199DF A0E81980A804151C2A 6669AE352FF46DB734BB8F973D1C0527C3A5EC4119D534AAE4C33F29EFF970168ED5FE200A05D4E1B6A2EC0E090E B D489DC7664B0D9C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\9c-3df1cf[1].css UTF-8 Unicode text, with very long lines A DD991B9A2F0166B C737A7F3EFA898D2ADC96EB5CB ED5B67E D0E947F742A278A87709E19B55AAF31E61C815E98BB0292F B55A181A6 59FD6171E93704F88AC446FF8D6C6FB3BD6B3F86C43A483ED600F31F0827D1D785D076BBFD7088A99C73D64CA584475A1011F F5BACB515B7BAA5E934D5ED1253 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Updates[1].htm HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators 86851AB61E3B289A2244BE0CB23E678D 3F9C01CE65383E018C79DC1B09C648906D66E2C7 DEDCD97EA2E13C4B2472C9FF791D78DAC2A0A8A6C0B5A34F027ED0523B08E918 F7E7D DB B876EB07A4A1CB BF50DD1A613C1A3A69D0A431F2F0498AB1827C08FF F86FE0689C E6144EFDADC921DB5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\latest[1].eot Embedded OpenType (EOT) E812BA8B7E2A657F2B70CFACE93C7682 2F02CDDBB483F9B11BBBE74C3CA917A4C345FBAD 3330C1DEAC DD0C6BF902179A8731EDA8A208C7D01DAC0AB1EAE1BC9 354B2DB12BC1D67F26F94352B0B663DAD64C46C107454FC19CFEA01C54BB09340BC26C06DE1B96FF826F5287CE246A BAE41B72B63BA86FDAF844BA94E Copyright Joe Security LLC 2017 Page 16 of 49

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\latest[1].eot C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\meversion[1].js ASCII text, with very long lines, with no line terminators 35B4E0B42F840A86432E58CF64F1C C1C2118B2215B4B24C88E374EDF0F3923CAB AD AF8041E4A A1374AD4C5D4DD6A4CD7F62070A80ACA C1B EA794E F7BCAF6793F464F2037DB F2D57E B10A08BD6103B8D6549E4575A92094CB8CF2C 1B6DE5C2E0B59FC100C2934CC0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\privacystatement[1].htm HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators 11A8819BDACB378410D210004E04AC0B D5ECBCBF AF65419D F79A93CA 762EF9109B2E1BEF8D27ED80F45F0B231DA55D208C7E46303CAA139A6383B95C 748ECDF3B862CEA118DE3B9C5801FE8E2573CCB29EF6C3D045025D57DDE401C115635D2356B7181B7AEFD5CD9DD13E875F4 38EC9024AF8FB3C37E657053B772B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\style[1].css ASCII text, with very long lines, with no line terminators E2DFF36BABBF100CDBF9B A44FDEBD15A39083CD6D0923E31626CAE881016A D4F CA28EA C0CE750A53D12FD394658DDB43325AEA A8F159D136346C D1E38DC7F500B4747DD258E704714B9412CB5E57A80D2AA4BEDC218EC48D5165DE5AE6E8CBB5 D3A7ABDD05D402C51D1927C5BDCC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\urlblockindex[1].bin data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69 49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\BCMG2Z9Q.txt ASCII text FD70CF907DAF4AF4EEA44AD4752BA5E3 A5936D393997ADDD051B701C07C730C4B9780B72 DD749B10D3AEE773F933D2BC90E CD5B1EA53EEA D5A673D4 95AB6418B DCFF6CA7D7760EB4EE4785F389BDB93DD0C5AB3779D12189C7B845657B7EA0DDB0C387D62A897BCE728 24D1A093C3C936556F D7D C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\JKLCO36U.txt ASCII text 2BC7E5D53C82E A7C9F AE CBFEEC24D57FB275B81AB3E669C 5112B742ABA755CB4BC6D940535B5CB5B5F60EDF69CF0CF6FE6DB6FD0AAB F0792F A92F6E65F69A005D8484C957067D8FC10B7941B132E3EB3CC9C163C99AD890D03EF3C749BEC555473A 0349AB93E77EE669AEA1A3E055 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\OU8MXZVB.txt ASCII text A041F2F008B27C431B805745DFC75CF6 E08F2B95660C94D0279CD106CA2A E6A7605AB1A A8A1778FC263B2E15B206B1FC4963EB6762A C EE26343F47CD9E45A97801D0504F8FF0F74E5FF57C82B936681F561BED5F6BB11B29EA B3F841C3A04253DFC ADC940999DAE3DAD C87 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\XBIOOEBU.txt ASCII text 473A314531EFB9D251FCBA90F453102F Copyright Joe Security LLC 2017 Page 17 of 49

18 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\XBIOOEBU.txt B9BA87D3FD EE44F3D70701AA8131D22A 7BBE54A4E7F8BF4E3FBEEB12E6DA7C123C72A6CECB6F0BDA3733B3F7CAA6DE34 681F64D9133C5AD607D47EB24B4D716BD891F55869F5014B9273BC21D3DBB292F92AC502797D60A8676B EBBD15F5A 4DC1FA246962AF3C53CBFC85B09 Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection assets.onestore.ms true 0%, virustotal, Browse statics-uhf-eus.akamaized.net true 0%, virustotal, Browse ajax.aspnetcdn.com true 0%, virustotal, Browse mem.gfx.ms true 0%, virustotal, Browse Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious United States AKAMAI-ASN1US United States AKAMAI-AS- AkamaiTechnologiesIncUS European Union AKAMAI-ASN1US Static File Info No static file info Network Behavior Copyright Joe Security LLC 2017 Page 18 of 49

19 Network Port Distribution Total Packets: (HTTPS) 53 (DNS) TCP Packets Timestamp Port Dest Port IP Dest IP Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Copyright Joe Security LLC 2017 Page 19 of 49

20 Timestamp Port Dest Port IP Dest IP Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Copyright Joe Security LLC 2017 Page 20 of 49

21 Timestamp Port Dest Port IP Dest IP Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :12: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Copyright Joe Security LLC 2017 Page 21 of 49

22 Timestamp Port Dest Port IP Dest IP Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Copyright Joe Security LLC 2017 Page 22 of 49

23 Timestamp Port Dest Port IP Dest IP Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Nov 17, :13: Copyright Joe Security LLC 2017 Page 23 of 49