ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

Transcription

1 ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview AV Detection: Networking: Data Obfuscation: System Summary: Anti Debugging: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info General File Icon Network Behavior Network Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets HTTPS Packets Copyright Joe Security LLC 2017 Page 2 of 168

3 Code Manipulations Statistics Behavior System Behavior Analysis Process: iexplore.exe PID: 3220 Parent PID: 548 General File Activities Registry Activities Analysis Process: iexplore.exe PID: 3272 Parent PID: 3220 General File Activities Registry Activities Analysis Process: ssvagent.exe PID: 3320 Parent PID: 3272 General Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 3 of 168

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 22:21:27 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 5m 34s light scan00.html default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 4 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: MAL HCA enabled EGA enabled HDC enabled mal48.winhtml@5/116@31/9 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 100% (good quality ratio 85.2%) Quality average: 64.6% Quality standard deviation: 36.2% Cookbook Comments: Warnings: Browsing link: le.com.ng/intl/en/options/ Stop behavior analysis, all processes terminated Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Copyright Joe Security LLC 2017 Page 4 of 168

5 Confidence Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Copyright Joe Security LLC 2017 Page 5 of 168

6 Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Signature Overview AV Detection Networking Data Obfuscation System Summary Anti Debugging Hooking and other Techniques for Hiding and Protection Language, Device and Operating System Detection Click to jump to signature section AV Detection: Antivirus detection for submitted file Networking: Downloads compressed data via HTTP Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Posts data to webserver Urls found in memory or binary data Uses HTTPS Social media urls found in memory data Data Obfuscation: Contains functionality to dynamically determine API calls Uses code obfuscation techniques (call, push, ret) System Summary: Found graphical window changes (likely an installer) Uses new MSVCR Dlls Binary contains paths to debug symbols Classification label Contains functionality to instantiate COM classes Contains functionality to load and extract PE file embedded resources Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Sample is known by Antivirus (Virustotal or Metascan) Copyright Joe Security LLC 2017 Page 6 of 168

7 Spawns processes Uses an in-process (OLE) Automation server Searches the installation path of Mozilla Firefox Anti Debugging: Contains functionality to register its own exception handler Contains functionality to check if a debugger is running (IsDebuggerPresent) Contains functionality to dynamically determine API calls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Extensive use of GetProcAddress (often used to hide API calls) Language, Device and Operating System Detection: Contains functionality to query local / system time Contains functionality to query windows version Behavior Graph Behavior Graph ID: Sample: scan00.html Startdate: 16/12/2017 Architecture: WINDOWS Score: 48 Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values iexplore.exe Number of created Files Visual Basic iexplore.exe started Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious 142 Connected ips exeeded maximum capacity for this level. 21 connected ips have been hidden. ssl.gstatic.com , 443 GOOGLE-GoogleIncUS , 80 GOOGLE-GoogleIncUS adservice.google.com , 443 GOOGLE-GoogleIncUS started United States United States United States ssvagent.exe 6 Copyright Joe Security LLC 2017 Page 7 of 168

8 Simulations Behavior and APIs No simulations Antivirus Detection Initial Sample Detection Cloud Link scan00.html 5% virustotal Browse Dropped Files No Antivirus matches Domains Detection Cloud Link lh3.googleusercontent.com 0% virustotal Browse 0% virustotal Browse 0% virustotal Browse 2% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Copyright Joe Security LLC 2017 Page 8 of 168

9 Domains Match Associated Sample Name / URL SHA 256 Detection Link Context ocsp.pki.goog keyserimpactseries.com malicious Browse anova.com/ malicious Browse malicious Browse e3dc76vhbo.exe YXOpwUgugb.exe DBPis ing.cool/ m/free/accessportal/ webmail-upgrade-acco unt nxxos6gzuk.exe a.com/?spm=a scGlobalHomeHea der.356.wlqbkw&trace log=hd_signin g.co/c/d?i=3czqe1akz et.cz/pay/incoming-wire- payment-from-cz-in- USD-accepted-methoddirect-deposit/ sco.com CD.pdf dc14cbd66e9ffc458c4a23a6463b efaa1181ad956ffffc00f890a1c8e 06e3842 malicious Browse b61ce3d5d75fe4a cdfa malicious Browse c47ba6543fc568ab3293ed339 83ff717d8 malicious Browse malicious Browse malicious Browse a851394da032944abbc5a malicious Browse bb5d1caf8885ac7d2b60ed8 a45f428cdd malicious Browse malicious Browse malicious Browse malicious Browse aed568624a ae9 malicious Browse d5631fac304cc8bdbd3cb54f5 fe22d842b brentsmusic.com malicious Browse rc=system- -outl ookplugin-new&utm_me dium=system- &ut m_source=outlookplug in-new /_ct/0410a7c7bd4352c 59b2dc94375f4011e71b 763c1/view_invitation_bt et.cz/loading/payment- transfer-english-from- CZ-rbcaccess-transfer- IB / TuKu6 t.com/default.aspx?a bbrev=tasc&l=j&issue ID=2OJk malicious Browse malicious Browse malicious Browse malicious Browse malicious Browse ASN No context Dropped Files No context Screenshot Copyright Joe Security LLC 2017 Page 9 of 168

10 Startup System is w7 iexplore.exe (PID: 3220 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3272 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3220 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3320 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) cleanup Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\Cab8F5E.tmp Microsoft Cabinet archive data, bytes, 1 file 7D75707BCEDE1005E6791BA62D373C38 E33DF37548FC6595DBA6BF1593A12E9058F1FEC E5BE196FD70B7BF91EAF319CC125DB98105C9DA7A1B0CBCFDA A3E45C10422FF6660AD753A1E4BE45D3225C0E1584E4785BCAD10A00850FD915BE9B3F5FC8C17133AA582C6F B10DE757DCA445D390B BADE moderate, very likely benign file C:\Users\HERBBL~1\AppData\Local\Temp\Cab97DD.tmp Microsoft Cabinet archive data, bytes, 1 file 7D75707BCEDE1005E6791BA62D373C38 E33DF37548FC6595DBA6BF1593A12E9058F1FEC0 Copyright Joe Security LLC 2017 Page 10 of 168

11 C:\Users\HERBBL~1\AppData\Local\Temp\Cab97DD.tmp E5BE196FD70B7BF91EAF319CC125DB98105C9DA7A1B0CBCFDA A3E45C10422FF6660AD753A1E4BE45D3225C0E1584E4785BCAD10A00850FD915BE9B3F5FC8C17133AA582C6F B10DE757DCA445D390B BADE moderate, very likely benign file C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log ASCII text, with CRLF line terminators EAD025E2F99CB4EEF0CE2FA6B358F250 9ACE876E23EF C6C5B07B3C5D19AE4 027CD331490DD41B6B23C8B1B06DBE4FD443AF B29C5FF D1860E5B44A C71AD8246C87ECFB880AA26AAA7C5ECEEB9B40F19F05F DCBD7B1D9C2A 1FB38C299C85F4C23E868AC9A32DA90 low C:\Users\HERBBL~1\AppData\Local\Temp\Tar8F69.tmp data 2921CDB BFB2FCBF0D3F86B11F 3C556A91995A3FFC55C8FCD71D687EF4560A1AB A4580B1B1601BC E6E299FD70008CFEAF0FE3AB DE6B3 DC7B3BD3A36D8B02C9D9E475B93E3A4FF3A4D5751A762B40AA5A0C8543D18B047B19DB31F18D1FF314275E3A16E2E6B3 437E3AC825A63AE895F13B82C7273E8B moderate, very likely benign file C:\Users\HERBBL~1\AppData\Local\Temp\Tar97DE.tmp data 2921CDB BFB2FCBF0D3F86B11F 3C556A91995A3FFC55C8FCD71D687EF4560A1AB A4580B1B1601BC E6E299FD70008CFEAF0FE3AB DE6B3 DC7B3BD3A36D8B02C9D9E475B93E3A4FF3A4D5751A762B40AA5A0C8543D18B047B19DB31F18D1FF314275E3A16E2E6B3 437E3AC825A63AE895F13B82C7273E8B moderate, very likely benign file C:\Users\HERBBL~1\AppData\Local\Temp\~DFBE19581FE998E1E8.TMP FoxPro FPT, blocks size 258, next free block index CE60CDF3E762D34C42B933EB66E8ECA E2EDC3239AB74E53854D672855E4DFB1C9E6EF51 C62DB9073AB128BB58458A9E23EECD3CE49993BB059294B23B5B75E3D107EE33 C65F67B0C5C EF7A81CBA02B9DA5BE411DC ACDE93B57F30FA4E891D022F AA1B57192E10389 C187765A212CA9D8F236B DF low C:\Users\HERBBL~1\AppData\Local\Temp\~DFD56E40A6B98E356D.TMP FoxPro FPT, blocks size 258, next free block index CF10C5754CCD1333B215C79CA1CC6E23 D5974D57A7CD5347ADA825D0CB5FA78992BDA97E D4FC31E413E2B3F73E E0F80DACF E3F233F2BF59F80A DFDFD3EC0D055E1000E28EB20F9028C23FBEA7D2874D8705DC3231B2B60344D01D1D492C D5DA4A7CB29E1 BD242ADB4D1ED811F2BF79D8141B8307 low C:\Users\HERBBL~1\AppData\Local\Temp\~DFE6107B74E7D91542.TMP FoxPro FPT, blocks size 258, next free block index F84C2895B42ECA463879F1A84D3F6 6E954D89EE54F9C1DF2ED7A34C46D64DA7B1D442 41C17CB82B163C8D8F53391ABE39968E8AEB943CBA319DF53DB43256CCB515E7 FDC AFFD72782D1759B42467E71AD06E C2A6A2103CAFEFDB37DE6E1E C435F73A2A46240D9BB E19A54D64A4946DD68AF43C9DF28364 low Copyright Joe Security LLC 2017 Page 11 of 168

12 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D data CCB7255AFE2DF8FA092F033CE8BE491F 31E05FE3C9E47849A96E3EAF1ADEBD6A7A852DA2 C33B7D88D7DDB7E33408DFBD06C84C338DECB3BAA0F7848EFBE782DF9192EF4C F4F21EE17B7D867DE366995D2395F7DAF8A3693BFA800FD662E529796DFF6F9916F C9600ED566502D76EC83A96 C6D941C244B2C29D0ABA81FD0607F8 low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 data B556CDA9CB7DD3505EFF20407FE6AFAA 9FF906CBEB2C5BFD8CC9C18DFF827536E438C A2993EDF894DAA4D7206B8DAADDD1A4BF61EF5E5E65CEB0B0212BA8D81 6AD756739D92B8490E20D4916BA6FB9C E07DDDFD948873EAFF788AC5635A7D D1EEE6CE1077CD 1ACCE3F92F01D700F8775CDB5EEDB9E moderate, very likely benign file C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Microsoft Cabinet archive data, bytes, 1 file 1084F35C75317FBFBEFF D6 DCC3B FF247406F1B18D0D97D0AC0FF70 9CF311AD6888F D0F10CCE8543F3D2B69EE4417BC499BFC281AB3E 612BD67C1D211B885CF90DB2D B522B7A784444D15DF9EC17C05C47AB B97F DF6F8F68D56CD18C 2A BFFF A7708F04 moderate, very likely benign file C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_ DC47975B930A4746D53F7694 data 4E71596CF5B43176ECA8B14CDD54EDB3 F0CF5FA4F462346BC0DF6E04C5494E96259DB26C C901D3EB93323C454F6D2ADC4FE39EA4DB13B427B003BA38AC543C42E1CD7869 B570B023D925B9C CD81D1E7317BF9F D546ACFC9DE41223DB0E9A1DDC9AE7D47DD562D5276A94EAB02C 1C3932FB8F2A967AD9F83D6C4C2535E0 low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_7504ED1B CB89CCC4ED data FEBFA6059D839125EEBBC02B6FF2E0FD 19EEAFF808A442D94E1A01CA75E F7A 295F60350E D0B931025FB99925B266C55AC39CDCAC22B85752B6 76D7CC22C23FD54E2976CC0EDF330E0C12B0B5C2E66137D C767A3461CFE2E6B09FC6A4FC1B3A E615C9 AFE4A5AB2385DECD0E2C3DF122BA1D94 low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ EA C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 data DCE11BDD1D7929BD B ACE005D833A1266E974FE57E47E49BBC413A 708C870075BCDB965BEA11163AAE37F7B6F EEEF819ED3D6AA4A9747C6 DA6874B561B515130E19D223E9ECEBAC54CEFFBB4CFE98AE1BDEA685FA8C4E62115B3C8174F9823CFE EA38B C72A8BD193D15822E0E5558D7247 low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB E72EDD3FB3D65568F82 1 data 6BF50EC404FB4A8B4A94BE8390D CAAAB7704D6221ABC5E A4928CEE50B1C 63B592179B1E9A528344CE1D430B9479FC55F43420A468EC35AAEAA9DFF911CF Copyright Joe Security LLC 2017 Page 12 of 168

13 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB E72EDD3FB3D65568F82 1 0A92BAB2CE F1245B2D240D2CFDC84E2D1C484F9C7E36FBFC E0236F3D68E4F20E09F B029 DF859F965E5E446F47390DC93CF815 moderate, very likely benign file C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D data CAC20F FE D D54B7217F1B7C265CCCE744EA2C0D2BBDF26B74 D5AA437C7F0CBD1532D04DEB717B AB26FA451A712DACA8774B335669C A479772B72B47BA3EE4CA24FFB8003D29EEAFDBB5D655DDE97207BDDD95C07C362834C4E2C7E12226A1266F7B0B2FA E0E550C5B95346DAC0D56B50E41 low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 data 6EB618D5BFDFD00E885BDC89FE A92DB37712E625637C532DC6C190E9C96475C44E B8B589843EC855C7B5E3DA0B0F5DAD B4573FE3189AB8D6D0DA FEECFDE615833D0878ADC9C3F73DF4D35A4F3F37DD63BA9EA142C934170F86ED65F47C699BE18D0C564AC5DCA875 5AF2B7DBFD4C7B782715DB41104D0577 low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 data 2D11D6D CBFED6D03FAEBAD96 1B7BA2D A D12F104BC088AB E49DF88E879DFE B0141E00EAFDC02F604846B5BFB127F87FBC78C CCEB8D244566B5F35F93CA67D6B59644EE6D8DDDFBF E669DC1A CEBF7DE352F7F57B6367B454C07 2E52001C61F1E F low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data 502AFA0260A3A398B7AF287727C FC278060B1E61114D0D90FBF007980B672584F9 CBDDEDB0BFE70AA6A0EA1DBAF387B00EB251B23A5264DAB392DFB82B387B7DBE 87573F6C517D2AD224809E73457BC4D12FBB4E985293BBB62DF C85A17DE96B4C827FC85D60A4D3A55B7CA654 23F4679A42616E8B9E76F11D1AF3E30 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_ DC47975B930A4746D53F76 94 data F31410EAF4DE13A1C8A A17A 46F F FBAB3E52FAA0237D A4999E2ABA15B6E8BA87D4C FFFFC948CFB15BDFACDF3CAD6E2C4B64CD 57643D33E5F247479C846E164BF828D76B C506E4C07B529CD7D2F908A4FC60FA85A723AA5875F53BECC6FE54B BCB33E8BC D7833CBF2DD78 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_7504ED1B CB89CCC4ED data 0C9D99F0F0D35CE09A9CE474E31DFBD0 1E79F482E8D49DCAA978715B2E7D944BCDEA89D6 17D6BEC66E58DA0A5BB8535BB3E6DEA6E6EF38D48C19AD C65 D957B563998B3C68165D F3C613DBD5A882B5CC522046BEE56C1A82E74832FADE379CF82504CDF19683F8A5EAC5 46ECBF381E0761E B32BFF537 Copyright Joe Security LLC 2017 Page 13 of 168

14 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ EA C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D 56 data 974ED929CE8FFF81989F5D23C84B9279 CED3BEA816AAD1C5DE050AF03EA85B88B04F613E 0B668F0C17B798D7F89C2BF2588E6CEF05E8D416A8E9217D77521BD491725C68 9E199CB2FE7D7160D6EDF608A6F18F DCC7041B059B6A884C5F3AC485FFCEC928247DFFB AB421F9DB E8D36E36CAD43BB67B618DB5A54F331 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_FDB E72EDD3FB3D65568F8 21 data FD6ACAB591543FDC1B5E08D1B C138BE3D71932BF298B993E4140CCF3776F AD48D721C78A79A21684F95C9198A22609E9AF886A6108EE942DA291C9A73B 4E E97D54DBC890E0DC12546CEDCCFF081C9BA2C5B22A44B5AE603C511B954E495AD84DEF563C17EDE5506D0 37E114D855698AB4F09053B9E1C9964C6 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced 5B188904E3BC E7AC4A4A 96607BA DF3A A5E83BA8683D 507C647828E8B817E23D90C7BE73B3105C32B D0647B35046A32BE BF5DBC8CBAD84CA240A2DDAD2DE73BFC434193A4F A E8C92D99AA6B0C5698C702FD155663DF 28916F74561CAE1F8C73C0D9DD1A9FF7 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 data 5A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A609B2590 C8EC0DD6BC48AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators E6306BB52BF6F6D5D891B9D0B1E36F14 3F409FAE3E27D64695D977FF7B92AF3EE06024C4 1E0968E9B5D61EF9203FEE7246B FE954DF36075FA0F2CE1B4677 0A913C7C1546F859CF1B1738D865FDEA38DBBFE4D5B EDA1AA27CB4BC80ABDD1BD9A4D496515D D3EA5 850BDA06AE981D95FD6854D87614C5CD8 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A57D171-E2A7-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document 23C90D2B C224DB57C59D58DB9 3A4C4F8D16A16E9954C B5E67353B59EC9 0CBD536A82E260F4D61A01B896D786EE80CB769AC8307EC597C854C47E0297C6 629EDA129ACB5470DE29634D6F8F6ADEE8BF429289AEF6C53E9708F1A1974ACEB AA4B45D482E63FD6045C9F F399A1A6667C4326C6E23BE925D95DA9 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0A57D173-E2A7-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document 40C21E2BBA382E762E3C68BCDDCE797C D4ED8FBC936EF1AEE17648DF95771B2CC5E385DF CBDF94AF7D49208DE6455E878D E3EE3BA4BA0E8E0019B780DE62194C8 D81AB6171B6FE2F580DFBD7470B2942CACD9CA8FE0F6A137C4758F1B710899D977B8BD64D309361BBD01D95BF5D08D33 AC64FCCBD1576D14E46E2B2760D81FE5 Copyright Joe Security LLC 2017 Page 14 of 168

15 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0A57D173-E2A7-11E7-B7AC-B2C276BF9C88}.dat C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{14003ED0-E2A7-11E7-B7AC-B2C276BF9C88}.dat Microsoft Word Document 5F6D90E3A67ECB6B F AD984D8AA9858FD9682F9A707E561342B7506E6 DB78E0A7514DE86BE10A7FAFE8D1AFAFC39B66C1C1C951B4930B3E3930B0CC14 FF4E42C9A411FBF55081A28FDF59F075F9D14F0734BF02A6EF0006F8145F11DFE80C3CA4D285361AC0D4B39757EBF2BB8 6DBBC54DE33630AFBCBE48C91DB4DBB C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB044.tmp XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators A37D5835A4A14C9BFAD7898C3B719F3C F21CF355B4515C09174F5D5E5BADBF3319DD70F0 F0B53707B CA2C39C782DD32BCB60DF970313A029D605B719AC1BF9 079F412666F02FE93F2AA4DEC7CBC22B91BE70B71037C B66EA5A680590C8E92DDEE64D2DD934858B44A4C97A8 CE53660F FD31047E4ED08A25C C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB522.tmp XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators A37D5835A4A14C9BFAD7898C3B719F3C F21CF355B4515C09174F5D5E5BADBF3319DD70F0 F0B53707B CA2C39C782DD32BCB60DF970313A029D605B719AC1BF9 079F412666F02FE93F2AA4DEC7CBC22B91BE70B71037C B66EA5A680590C8E92DDEE64D2DD934858B44A4C97A8 CE53660F FD31047E4ED08A25C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\angular-ui-router.min[1].js ASCII text, with very long lines AD37823C1F4F8BD43E816F9B22F2CE0A FE566D7F75C8AE62D7AD1687A9E8255C79ACE C2163B4AB6D064FD3F07136AA6037B9BB42313BA1C14E8A5108D02BFCBC8 75A3DF0F07D743DF51109FDE4CDBD26F53AB38A4318A34D4715D125924A41BA8FE2D3C2C0327E9C1662E59C16D44A00D 21CC1A521F7B5FD7A6A599AF96F99912 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\css[1].css ASCII text 43883EC748327FF4091C126FA072EDF9 31F5A E6517FE4BD459B E850E 32A5EED06439EA600C2BB F5D678BBF1CE285171DF8FCC095EF78A8 4D108F1CED267DDE0BCBE87ACDE9F5C09F452AD30D66C8064C5DBFA46B9169EAD97D355CC5F325F5B0531BC8EE93195 F DABE27A4A8C2070C3B89DD18D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\keyboard-arrow-down-4285f4[1].svg ASCII text, with no line terminators 18D7E05F38A948D9FE5A378614D48F18 62A59F3BEEE058BD5E EBE09E0AD9356 1BCEF2FAFE72E2AC045F80159B952FA42E1AFD60111FFC0BA86F C4802 BE07729A679DA2EC5E C882A2FF AFB4867FC3B AC479DF03E36149BDA00F0438A90D2B FFD4ADF8C976F6AE51EC2AE5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\keyboard-arrow-up-999[1].svg ASCII text, with no line terminators 77D9337D1F4D178750B CDCC40 FEFAFD214CC8141D596B21D86686FD9F7D75E792 Copyright Joe Security LLC 2017 Page 15 of 168

16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\keyboard-arrow-up-999[1].svg 40CFAADA BABAD9733AF622AB14409A0515E4F9F05B9FF6038CB7D68B8 7310CF0AF5A328BC67DE0F7DDDD8A988F00FE3E77CF F475FFF9FA08B42AF05B FE40B8BF17B2955C AE24D3C EA1B43442CC83 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\keyboard-arrow-up-999[2].svg ASCII text, with no line terminators 77D9337D1F4D178750B CDCC40 FEFAFD214CC8141D596B21D86686FD9F7D75E792 40CFAADA BABAD9733AF622AB14409A0515E4F9F05B9FF6038CB7D68B8 7310CF0AF5A328BC67DE0F7DDDD8A988F00FE3E77CF F475FFF9FA08B42AF05B FE40B8BF17B2955C AE24D3C EA1B43442CC83 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\main.min[1].js ASCII text, with very long lines 314FE50D4AFF2C773147D95AD4B6300B 97264C07F356EFEB54FB58FE64DC80407EF2C040 AE69F15891ED9ADE F5A49BA6A0ED67583B5D814E752960E856D EEBB778A37FF4E6D5A34B41B1FDB124D02E5BEB4F3655AEE082A6069AF888F6B792759A71FE850C713DDD E4CE 0E E2F7661B6895E3E808B46 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\products[1].htm HTML document, ASCII text, with very long lines 2E35E19B6B51C987984BDA45B98529E1 D7CAFD7D9638F6BFFBA5FD82E2E906A10ECFF B DA4314B66504E7FEB022B0BF6548AE9C2F206AFAC30C0EFD93 D4DE3C7764A52435A7FDCCFAA8596CC4FDA0F AA393D073A2B46C9198AD6369BC61A0F71A47B9A5DC483E68AD 64B30732EE2A42735D84D6B4F5ADA3E2 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\social-facebook[1].svg ASCII text, with very long lines, with no line terminators 1EB F685AE0C1C9D2F3492C FF12AD0B49DA A8C72B7E099B94BAF51EF EFD68BF A39F190AED46AE72AEDF78A E8935B139AA720E68C 8E49846C917DA8C8F460DFB01037B2F9F09A6986D27316ACD C7D5FBE574A914B4289DDE40FC728C32D983D0D9 E24384A6D14D27F8195B394D2B7F221 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[1].jpg JPEG image data, JFIF standard D35DC1C790FF EDB09C3 A E584A8520D01AA A F465AA46BD72839AE0BB CB7FDC39C898E81DD30C6EB45EE824D8E97DC 1618B7C3F1194B86C FD676D111418AD58235CA0EE85375B A71A7FFCE2805A065BA22A6A D1D C0DEA7F2B6178C1F002299AE1EEE72 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[1].png PNG image data, 120 x 120, 8-bit/color RGBA, non-interlaced 779A5F4F18888A5E7F114BAF9AFDD1AF DB0C3CD710627CE185AA62A EB699DE330 88F471CA7E12B598966FD875FD71B87E95F2173D3AB9FB35EFC DBF B B56565A BF64E79BBD65B7604E2D58C CC3680DF8DBBB F9F3D62D6 BCFEAEA51F0031F2DB4F693EF01DC Copyright Joe Security LLC 2017 Page 16 of 168

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[2].jpg JPEG image data, JFIF standard F5032D1CE35DC433EE515855F4A3 DA7DE349C236185A48CA61FAF99D5BC2A516B76C F CDED21331C687702A8A3EBE8E230CC34AA01F D39CFDCE3 F1692FA ED40AA8BC7A7FADA38EA6E789D16CA31BD0284E6D5294D851C3528E16CE3E8A CF24CC C860133CB006D834E17368AA26A6C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[2].png PNG image data, 58 x 58, 8-bit/color RGBA, non-interlaced 6E79FA388ECA E1B19714CB06D 67F1D1C01DC339EA0C07D2299B5BD5BC1D62F4FE F9991B7C4894AF087C50FDEF3F3BDDB DDA93840D0967C6895BD4B5 C227F81EB418CEB66D94E14CA6B44E1210A62DFF2FE5741E C526805C9DE60ED68C81E D4AD95F3EA349 EBA969050A5511C991AEC75AFDFF689 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[3].jpg JPEG image data, EXIF standard 2B2382AA1501FA0E53EA20262E73062F 6E6A FA5B96CD73CF C9979E1C E171752A5F9941C146C DA319C34AA7B55A2FAD7501CF3F CB91F9CCD44721B25153E519EF E421EAF4694A98DF965B0F8D0F2BE8C B10AEA F E8B61BF B87BABBA2BFEF4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[3].png PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced 167A8D64D846EDC2B009636D17582BDD 7ECCA BE5F51C3AF478F5D60F95E6E A0A869E77E5A405BA34854CA7D3F290D5FBD9973E58B11B9B548DE850E172 2C7A0C317ACCC779DA4F284E648746A2C2F41FF722DF0B7887D805404DAEB122A1446DA94BB1AE324EA37827FC3F16FD B EEAC4BDB0CAE772BCA768D3F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[4].jpg JPEG image data, EXIF standard BF61CCE94A2F78474A2BB0541D6B6E67 DD2C1BBFC F694E413FE2AFB8D B 395F2F1B54138AB1D2EC360BFF5BFB1A84DDAB6DE924D26FB840796D C44AA076FA7FAD66AAFFBF7094D09F0766DAC2417EFEF03EA618B568CDFD66A5358C6F34F24F96754C5ACB9B231A67D F544A7F3852C778CCA2F9B7D998 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[4].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced 2C5F D2C2A8DDE326B8CBB53 4BE2FEAACDBC C8CC3642F6A2DC6EAF DF8CDF467D79CF12D9C05342AFD0AD9894FC59A B9F A3EFD1A8431E48093ADE C3247CF5C65BDFC73CBEF2C0142A091434C C0FDA620DC00CF11F1A3DE A1008DEFD746AB EFEC321 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[5].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced 8296A7A1EA469243E4DDA6AE55FC5B30 F9C90664BEF5CE02B80F64114A9BAE96A161773D 02AC2ED96ACBB00F229601E84764CEAB9B2C1154DCFA25950D183D10C51999D3 6B9900E0BF DD67F16DDB B3DC094B525576CEA7C93C02E D1B85042E0D95BDA73B3C 49DBD45F5A3DAA54816F22481E4715 Copyright Joe Security LLC 2017 Page 17 of 168

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[5].png C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[6].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced C9DD8EF8CC8FA4A7262DDA2B11FD94AD 06B D28E392F4D859DDF6AC9EB7901A B18F57262A6A A FEAA4E0D59779BF0D5A9F9BF 3C20CF1DF36C16493F3C7DBF057F51B5AE57A4C686204AB1DB9B C BCB72719AB65B66919CF1F ED75EA6CEBF7D588D1E148EC0EFE19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\unnamed[7].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced CECAEF95E5023E0FA024BA4E268A40FE 8BC74C006CA3637AF77B5E7F45BCD8B7FE5FBA85 FB1E00E5A9F16EC102F2548EEFDE3A0C169E7B806B88CA1155B9E4D3E4C2166C DCD9B97D84C013B37C802E1A395D6E79E4F4CB71AB4853C62E33A158A3A5C5EF739AE000FAC9F65169A1C8ED 00575C EB8BC28BCFF518BA4BD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\1JFN_vP5J6DNkGl76g3kSXgQ-jaNqmhLI5rykd Ft24A[1].woff Web Open Font Format, flavor 65536, length 21628, version D B9FD5D21443F9BE5CBE8F 7D622AF238C077E4768D71CF36C5AA17C33A7234 3EDF29469E6EF9CBEAED9646C5949D366A852CCAD8F14EB6551DF903A05056ED F7D DF67A6B8BDCC1D5A56589F5547FFE2C4525F120FA932421E69E8759CFF4625B18F3A45EF2F2B65DD674101B F858B318F862C0DA00FB1633 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\2UX7WLTfW3W8TclTUvlFyQ[1].woff Web Open Font Format, flavor 65536, length 19824, version 1.1 BAFB105BAEB22D965C70FE52BA6B49D CC9BBE BE756B3146C05844B254F 1570F866BF6EAE82041E A86AD2B8B275E01908AE156914DC693A4ED 85A91773B0283E3B2400C CC1B9E8AD8EA62435D705E98702A40BEDF26CB5B0900DD8FECC79F802B8C E787D DBC73DFF22A64 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\angular-animate.min[1].js ASCII text, with very long lines AA4A36DDE07D5923B25E909CF1D2E F3431C9A695730E6465E459917D705210EF6 8E137A71F54C9DD712BFDCB40824F755BB4B9D5A6E723B0A95E2C49737F7343C A3DBDBFA4A79612FAF6FA4AAFB06A4213F4179F0DC18718CE DA0755CDCE920D4D61E7ECB9D06B14309EAD1 91F07AF67444FE2D40A C96738 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\angular-sanitize.min[1].js ASCII text, with very long lines CFE074EFF B46C02DBFAAA1192 7EC257CB73290B2944C0A4DD01E08BEBB80AD03A 8878C99802C23C4DCA135E409E3AED0D129BAC7882DCD5D8E9DB72D64DE E19C4BA2D94721D7942BE805AE83C9A FA9774AA9CE92AFEDF8AF3CC78311F817C C8C4BA1C77F7E 670A9DC6A5D36F81BAD4A81E32AEDB6 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\css[1].css ASCII text DBE C96D87C08E0127BD47240 B657873F86D8F3EBD34907D68DC7A D3EB Copyright Joe Security LLC 2017 Page 18 of 168

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\css[1].css 59D4285B4EB89F7CD0C42B575DD09C0EF46CD241E649E217FAE4BB169F20D70C BC219C5B7DA4AFE28D502B5E3435A3C01F5D085BB3436B2779DEF09C17CBED4BA34C14B6BB932873BA985613B23A23A 8738ADB7BB8E85ACF79EE7CC4EB05018F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[2].ico PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced 5B188904E3BC E7AC4A4A 96607BA DF3A A5E83BA8683D 507C647828E8B817E23D90C7BE73B3105C32B D0647B35046A32BE BF5DBC8CBAD84CA240A2DDAD2DE73BFC434193A4F A E8C92D99AA6B0C5698C702FD155663DF 28916F74561CAE1F8C73C0D9DD1A9FF7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\help[1].svg ASCII text, with very long lines, with no line terminators 8DE0938DEB2217C1A8636B1C4C68C EF7C49D7F361DED5FB8000B166BF8C08EDF7B B183DBCCB55858DF7AF9AEFAD81147E47ACE B96242D17D4A486CEC3FA F9D11872C7BF63663B5071DA2324BF005B8D00EE3AB5FB67C9AA8F9693F0B36AC9DF21F58FA6A789F25C08F984C DE06171BC4FF9896 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\iecompatviewlist[1].xml XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators E6306BB52BF6F6D5D891B9D0B1E36F14 3F409FAE3E27D64695D977FF7B92AF3EE06024C4 1E0968E9B5D61EF9203FEE7246B FE954DF36075FA0F2CE1B4677 0A913C7C1546F859CF1B1738D865FDEA38DBBFE4D5B EDA1AA27CB4BC80ABDD1BD9A4D496515D D3EA5 850BDA06AE981D95FD6854D87614C5CD8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\jsapi[1].js HTML document, ASCII text, with very long lines 7C48FEFFEF1A9ED40A406A437C536F4E 5AF5EF70BEC94FBE75F4B0DCC252465DD19D6467 C4CB4D7C0B6C021BD588EBAB6372CAC56CCD A1C B222AC79 F4A06D5F853E DC9CCEF6A24E74E51A0F83BAE4C425E89D76D1EDB53F1C161666A4863C628F312F7F0F71A29 E6FB173B0E68D7BEBA7A356F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\menu[1].png PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced B89018A9ABAD5E652C6563A79B8AAE8B 38C6AED7B680343CE4CB5219AA4477E CF21268D1BF62829F18FAD71CF7D17C8EAACC5B89889B98B11CD2950F3711C E7ACFDFCF277DEE6BFAB177CEB4C52B49D607DC553C72E324BD52420E9C29AF4C1FBFD94E1627F6412A80C0A5CE23F0 CAE006D35662D958860D36D9F4457BABF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\social-gplus[1].svg ASCII text, with very long lines, with no line terminators FF160CE9616DB6D337AC2D0EED8E D C3B080FD69DA724DD9A041AD 586E729D5B687A CC29A993EAF7F603D3BE21C3A9A2FCA07CEF2E CFC75EDEF3A071963CF609C024F43CD9C405AF7DA308FF19AA6F070E7EC26BE0DAF A12E3A11E706B27CCF4 85D6C1554BA577797F451B028383DC30 Copyright Joe Security LLC 2017 Page 19 of 168

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[1].jpg JPEG image data, JFIF standard E62DA9296E5FA957BD8CC9246E068 6C033D1B21C94BAFD3B1A70C1F117D97A5D855ED DAD7FB6060ACB61ECF9289F3C CBAE8E87A4A35F52E42D762B12978F D54ABC5E122ADEDA151C036009B873DF86522E070E10A537B61AE5869C197A9A0D81DB80DECBCCA6177F9C1070AA FD A1DEE133CEE2C220F4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[1].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced 2C5F D2C2A8DDE326B8CBB53 4BE2FEAACDBC C8CC3642F6A2DC6EAF DF8CDF467D79CF12D9C05342AFD0AD9894FC59A B9F A3EFD1A8431E48093ADE C3247CF5C65BDFC73CBEF2C0142A091434C C0FDA620DC00CF11F1A3DE A1008DEFD746AB EFEC321 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[2].jpg JPEG image data, EXIF standard 446A32F5DC1049AFC94D8F2AAFED3198 DDB E BCEA693BBA8349ABF AE1EAB06CC2D95F185D0C5964C0C702317A5E4B7197BA36BC962D1AC2F9C0 2233BCA4D6A742D2996E5F53A11B44AFA2CAF EA0BA4BC6D323B2A2E1C37025FDD EB534EA5AED90B E235A0D8C1E3A019BFBC7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[2].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced 1196F49EEDE97A4D83D486ED0655B5D2 88C8F2F86923ACC106A8B60B F39EA68A 9BC7D4AE2B438B70B7C0F1AA6138B295FDE17EEA451C1AB2D8B3486C471DAAE6 AB8F8B9DACADCCE6019F65EB2EE9B378E29DF852EAFD430A052178F2BDC64FA7F9DDD5825F8E2801FC72498AFFC4C4 DC672198A839EE8A240A1639B693A47C46 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[3].png PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced 2504C1D3DBCEF0178E FEBB13D 157FE6557CDADA1C88576F13E4E256B26C9F1500 6CAA D31F9A7A447D983DDE40855E317F4937FB526F2B7535D3D05F29D FF3804D94429D415F3323A B073CEC83AEC7D7BF5B38AA68EDF8EBE7BA58A4AE078279BF ED183B 6B02782E09AE4414C54CE01B4B531BD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[4].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced 579D58CE3B333812D6C65F C40CC6E1353F600235DF03FC D804A5357 D592669B454954D68EBB09C8D13AB5EB89E09B5C CBB709BDF945DA06E 03B006A160BA77FF16FE52BFAA85A3DF0E359E863A31ACD F64ECE124F2272D CBFEDC8B0B845B E8C60896C18BB9932B81277FDEF5D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[5].png PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced 7BFD43562BF80B98BC7BEAEA1E7C1BC3 DC014E8DCF357950B3EC0B3CB59A53C7E1D37AA F2EDC7031ADE0BC75775D126D3DAD8F C8E592C23F8438B5F5 80A686D9C33C52BF4E40CE13CD72AE195F9F14F0DB57F2438FB02E EE494671D8BE94048A8ECAD8B71A3C51E2 AF3955AC94771D B B Copyright Joe Security LLC 2017 Page 20 of 168

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[5].png C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[6].png PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced D8A5A1295AEE72A76FB78B7CC3C0137C C1795D7958A96ED2040D581D31E9B D7A4134ED99CA8FF02D496C07B07955C831279C0BE58E5DA8E7E1AE67D3E8 6F5B8F52D0ABC8D600BED51F49CFB95D7A5E9B1D1929B795378A524716F18A0C2BAC2FDFB14C118260FF41B0AA46EA51 2D0FEF B484CFD00E413D087 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[7].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced 913A306AE0216D93EBFAD210C361EBAB 127A5168B9BE47B27F343BD268FAFF6F20632BF3 D8E0505A8971D10226AB65576DEFD182845F E11F855E F 47CED2F7E5EAB B221368FB60FBA85D8E2CD31FC483CA682BD418929E2177F7FD146D9FAC9527B8EB6F6FC2EB5 12D14F F605DC4972D996FF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unnamed[8].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced DC B0CA0C4355A171DA76CA098 BDAFD7D045B0EF FD19FBC8639D00329B4 4A C3F9F70BDB71C8F13FBCABEE586B9B17C0879BAD923FCEF E CDC2AFB9F900224AC324567ADCC0BDC9B16C43A9AEC5AABD5A BF41CFA365FE7EB4B6ECF0283C 18DA88C299BE28986FE001AE6B65CFB73 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\vzIUHo9z-oJ4WgkpPOtg1_esZW2xOQ-xsNqO47 m55da[1].woff Web Open Font Format, flavor 65536, length 19936, version 1.1 E9DBBE8A693DD275C16D32FEB101F1C1 B99D87E2F031FB4E6986A747E36679CB9BC6BD ED1A9B98E195A E3571FF91878A20A93B2 D1403EF7D11C1BA08F1AE58B96579F175F8DD6A99045B1E8DB51999FB6060E0794CFDE16BFE4F AB126269B C3A835CC6788EA4C B1465E75 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\RxZJdnzeo3R5zSexge8UUT8E0i7KZn-EPnyo3H Zu7kw[1].woff Web Open Font Format, flavor 65536, length 20012, version 1.1 DE8B7431B74642E830AF4D4F4B513EC9 F549F1FE8A0B86EF3FBDCB8D508440AFF84C385C 3BFE46BB1CA35B205306C5EC664E99E4A816F48A417B6B42E77A1F43F0BC4E7A 57D3D4DE ED954B796C13BFA34AF22A46A2FEA310DF90E AE8ADAC62BCD2ABF7D7768E6BDCBB3DFC A D07ABFA483C1025AC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\angular-touch.min[1].js ASCII text, with very long lines 7AC7AB797EC11742B327E7C25BFEABBB E1CF955A1EA344413EAD7DEAD319F7591 9A7B8275C DC6DC7C8EFAA6F875859A FE300386B92613C5 61FFDD9815A08B3734BB1A244103B74A9064E63AA09CF036DA E72388E3E68840DF679744E8DA48B9D9E12EC441 CA2A14452B32A2D2934F0FC9E11A760 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\angular.min[1].js ASCII text, with very long lines 5CC821195B6FA A50E512E1 AB51807BC99FA00572B422AFDE E52885B Copyright Joe Security LLC 2017 Page 21 of 168

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\angular.min[1].js C527E4D585393DC21C148E39B1B7A80197DC00FC66BA5AF11E DC97 9E252E A38C2B4EAD616541D5677F66E83238FD3963BE49EB064D8D4C466EF282438A33C5D9477B45A36D04CC E1565F71A9FD0683E4FE FD9 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\close[1].png PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced 63A63167CBCDE98A11A58A67958EE C78A419719FF99DB5F9C9D3B0C77657C E61699F4419A9389BADD812C4899E ACB9770B32E046BCDB236656D96 AFFC09F8B03E4F FB30EB50800F9414BD26E78F739362C587D5D14E2F1DBEB7C692C E4637FDB 3049C A8772DD8CDB0510 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\css[1].css ASCII text C856F7F6CA2B0A76369FAFDA76446A3C 9E0D8A7C626C B71473FB5501A7863B 13FDE2F A8073C158C374CAAC49EE7E216840AE790E6A210C7DB C70E2D14314A87C281C26E9D8FD973E0390F55B5B727CB0D87FE14DA B431B7B56B2316E2701E0D5C6C97022 D2BA0E32B71C6CC738FD75889AB443 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\options[1].htm HTML document, ASCII text, with CRLF, LF line terminators 2C3663CF6D84742FF683C34390E6AD A22222EAC8956ADF0F3485D7AB7EB13EAB0 43FDB2FAB18E3BA135FFB FE618561A4812CEF38F88EB AB 7A8137B759114C19A1FD7BC0B96A4BC8204BCBE7F234FE9B92EF0BB4EE EA822CBFA205B6FEE0E6FB C995A45238A6D2EC1F BB07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\picturefill.min[1].js ASCII text, with very long lines D45307D10CFF4297DAAD697FE31106A6 E25D78E4773C5ED2E99487DB0964EDAD B 5562A799C0B0457BD06E40F ADC75F568D567CA C21 DA927BE862631FF2F294F78734B942C2A73A96957D3C9CC6DD2F5128DF3FCD7930A675FE92DAA09A053B8E9C96B8B482 C6194AD9E5241FA61B5E94DD3A276D85 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\prompt_embed_static[1].js ASCII text, with very long lines BB02FE2D84FD09D897CDC C8E4D4C8E4DE4E020A0DC57FF E189CA D3E8BEDF86033FC4740F846584E3281E9744CF46449EBE52E82F05EE438E378B DEBDDD26A38B91FBA271360F9FE499982A2CEC15177F99539E22E9EE2E401B22FFC5AD0FEB5EC20E4C EDEA0B C40496B49D3D40EE3AB86BB DD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\social-instagram[1].svg ASCII text, with very long lines, with no line terminators 5A1A4D88CFF39B9C986A492042F84DCE 52EACD29D3AF047BDBE8CBAE2BBCC9A58CFF2942 3BDCA65353D7CE3CD519D8F98B9B218B41E3E9B22E90D735541B62FB6F84C D02521B1F183457C31D9216BA705BE469BB3E6A3409B3D754FF1A8747F8C3A94D9267EA6B8C78313B4C21452E7702E9 4EC942A0F46BBDB2C4CC327F4A61A6 Copyright Joe Security LLC 2017 Page 22 of 168

23 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\social-youtube[1].svg ASCII text, with very long lines, with no line terminators 98FF2CC296F6D28F6C4C5922DEC14EDB 44CC85ED54F0C3ED229185C336BA66C058C004B7 7C3B4A0EAFB2EA267E6C3AA0072B53B13CB14A2AFDC36C1AC9C53CA9FEB28AF0 1967C4F4620E32B6E9DBFCD823D073FD6BE6026E629FDB710E580F61531EC55519A4E7B96A22ED6DCE1392FBF13D3242 D C7A03D C8B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\suggestions[1].en-US data 5A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A609B2590 C8EC0DD6BC48AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[1].jpg JPEG image data, JFIF standard E405A CF84 72AA03F7EE5A4A7D3C3BE22DF2616D5FE528A0A0 D7A732234A6511D3B0E75420FCF4D24367A37F6687DC1733CEB67A1C A A5180BA292FC7A205587A1BD03E3835BBFED70470CBCD8754B43ACE D122C65EDE986D7941C1E CBAA2BC EF3E50CD7FE27F9 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[1].png PNG image data, 120 x 120, 8-bit/color RGBA, non-interlaced 1A68BA209B6CB1DCF1B05C8626DEF99B C2A607368A10F91AA2A953C E3BC67 DF3E47C06953AF79E6900D6067D8DD78B17F A874EEA47121F7DD2D3A1 0DFAC4608A6F926641D3C0094ECA10624E803D7F0A8ABBC511E450F1766CAD4C6BBC2BA86F133DE83CE59EFE E0BA00F8DD7BE F8DAC1E8CAD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[2].jpg JPEG image data, JFIF standard 1.01 F97F496C5EFC7BAD55F02B3D81EE B161EDAB541253B8BC EDB8F9BF1 4AED17B1FA8CB607CD12A667963B5DDED6C71522F5154ABC45CA12A790369C6D 7EC737590AEEDFDBCB4CB2FA510528F48AC3D83F055445DFD639ED158FAB7D BCA10FD7C0D9B2EC71EF803 D86F2923C7041DD1E03AE10190F3E0460 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[2].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced DB044B2852CA756E320C49E C6422E53633E D1DA82428CCF25FCB ABFD2D34F759577B757A4C1781B2ADED5BB3411D6C8AD5D1C8F10242F53 945CC3CC4CB F366D319491F BBCC2EC44E224393D79385F2C818DEDFACAF068507FD126F04F46 AA2098ABC5E13A9CDE77DB5E8DDD33 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[3].jpg JPEG image data, JFIF standard 1.01 E8CD3CAF944E3355BE2791D6AFEA45AA 9B8E0D6B326E846D8726C9AC5F E8289CD5818BC1B30E565C4D D C57972A5C2B A 1EFD539B99D44A8F08EC5EEA92C35D921CA58CB09A2F7B83EF90A9BEFAB72D24779B8C0EF4E5DF89A113A4C7FB692D2 DA7973E70FD8990DAF12D55AB75C8E96A Copyright Joe Security LLC 2017 Page 23 of 168

24 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[3].jpg C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[3].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced D94FEBF84C C50E2EE 1B2A743CA09F25297CA1EFF8D99904B74E F81922FA20FC3651E4847DFE1DBDF8D1F BB7F689EC1B4C73C B1B506C0D77C2939CD22A01D3439F2B95D8BED4382F6A7C1D6E4BBBE306679D50FEAC52D0379F3CE382EFB09E838A929 43AC974F50CB C9DF300D77220 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[4].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced 3EC17D BEF7EF7DBBED1914AD0 BCD00C2E0051DA39C751B B85428ED 9CD8BEAFA0A488BE5A332F373D D4E0CA7F9728C E77C900A 0242E78C173D4CC37550E7C426A7ED7304B2530FC2AEF145ACE5854B3037DEC59F3F3BDBE319C856E05C037111E5AA09 EEDE662C821A3EB4EB0F19B30A746F6B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[5].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced 6A7BAE5225C4D9927C82C6B7AE20844D BAF769B07C00FF F AF182FF483 F6A40AB5AB3D6AEC204D0B94F43BDDE8D5FFEABA02121B9E25D66EFA57059FC2 B72748DC6544DC29BA C B8204AA90E3894A0431F86560ADE5EDC10B85609D5F324BD82E61B1E8A6A 3F973DE6DDBFD37FACF590BEFF49C8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\unnamed[6].png PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced BB9074B80B133F1595E4E3B548C0D706 9C7FF06526DBAD375BBD08DFA604F8D42E09B5F7 B D2925D695A81C0DE8E2E711A8A479BB245A86D71C5CCACC076FC78D5 BD052DD9DCC27BEBA756DBF7FD29C C11E87AA712BAA356B02E71E1B40BBCCE761AE08A7AF905461C95264FA CD157235BDA072106CED98840B40D2691 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\urlblockindex[1].bin data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13 A69E49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Hgo13k-tfSpn0qi1SFdUfT8E0i7KZn-EPnyo3H Zu7kw[1].woff Web Open Font Format, flavor 65536, length 19916, version 1.1 A1471D1D6431C893582A5F6A250DB3F9 FF5673D89E6C2893D24C87BC9786C632290E150E 3AB30E780C8B0BCC4998B838A5B30C3BFE28EDEAD312906DC3C12271FAE0699A 37B9B97549FE24A9390BA540BE065D7E5985E0FBFBE1636E894B224880E64203CB0DDE1213AC72D44EBC65CDC4F78B80 BD7B952FF9951A349F B903C63 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\TweenMax.min[1].js ASCII text, with very long lines D9DEA E F1C6C07D14 FA2169BCC6FF8AD8E0E E84A6810DFB2 Copyright Joe Security LLC 2017 Page 24 of 168