ID: Cookbook: browseurl.jbs Time: 16:29:51 Date: 17/11/2018 Version: Fire Opal

Transcription

1 ID: Cookbook: browseurl.jbs Time: 16:29:51 Date: 17/11/2018 Version: Fire Opal

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Mitre Att&ck Matrix Signature Overview Networking: System Summary: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Thumbnails Startup Created / dropped Files Domains and IPs Contacted Domains URLs from Memory and Binaries Contacted IPs Public Static File Info No static file info Network Behavior Network Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTPS Packets Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3240 Parent PID: 548 General 103 Copyright Joe Security LLC 2018 Page 2 of

3 File Activities Registry Activities Analysis iexplore.exe PID: 3296 Parent PID: 3240 General File Activities Registry Activities Analysis ssvagent.exe PID: 3356 Parent PID: 3296 General Registry Activities Disassembly Copyright Joe Security LLC 2018 Page 3 of 105

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Fire Opal Start date: Start time: 16:29:51 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: CloudBasic 0h 3m 50s light browseurl.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Warnings: Timeout CLEAN EGA enabled clean0.win@5/67@13/10 Adjust boot time Browsing link: whatsapp://send/?text=the workers who worked between the 1990 and 2018, have the rights to get the *benefits of R by Department of Labour of South Africa*. Check if your name is in the list of the people who have the rights to withdraw this benefits: %0Ahttps://mulhervaidosa.info/za-labour Show All Exclude process from analysis (whitelisted): dllhost.exe TCP Packets have been reduced to 100 Report size getting too big, too many NtDeviceIoControlFile calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 2018 Page 4 of 105

5 Strategy Score Range Further Analysis Required? Threshold true Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Sample might require command line arguments, analyze it with the command line cookbook Copyright Joe Security LLC 2018 Page 5 of 105

6 Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Mitre Att&ck Matrix Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Valid Accounts Windows Remote Management Winlogon Helper DLL Monitors File System Logical Offsets Credential Dumping System Service Discovery Application Deployment Software Data from Local System Data Encrypted 1 Standard Non- Application Layer Protocol 2 Replication Through Removable Media Service Execution Monitors Accessibility Features Binary Padding Network Sniffing Application Window Discovery Remote Services Data from Removable Media Exfiltration Over Other Network Medium Standard Application Layer Protocol 2 Signature Overview Networking System Summary Hooking and other Techniques for Hiding and Protection Click to jump to signature section Networking: Downloads files Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Uses HTTPS System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Spawns processes Found graphical window changes (likely an installer) Uses new MSVCR Dlls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Copyright Joe Security LLC 2018 Page 6 of 105

7 Behavior Graph Behavior Graph ID: URL: Startdate: 17/11/2018 Architecture: WINDOWS Score: 0 Legend: Process Signature Created File DNS/IP Info Is Dropped Hide Legend mulhervaidosa.info started iexplore.exe started iexplore.exe Is Windows Process Number of created Registry Values Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious 4 80 fo-fd-world-new.yax.gysm.yahoodns.net , 443, 49203, YAHOO-IRDGB United Kingdom , 443, 49190, GOOGLE-GoogleIncUS United States 23 other IPs or domains started ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 16:30:44 API Interceptor 96x Sleep call for process: iexplore.exe modified 16:30:44 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample Detection Scanner Label Link 1% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Copyright Joe Security LLC 2018 Page 7 of 105

8 Detection Scanner Label Link mulhervaidosa.info 2% virustotal Browse limited-prod.giphy.map.fastly.net 0% virustotal Browse URLs Detection Scanner Label Link 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% virustotal Browse 0% Avira URL Cloud safe 1% virustotal Browse 0% Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Copyright Joe Security LLC 2018 Page 8 of 105

9 Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Startup System is w7 cleanup iexplore.exe (PID: 3240 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3296 cmdline: '' SCODEF:3240 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3356 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\Cab99C6.tmp Copyright Joe Security LLC 2018 Page 9 of 105

10 C:\Users\HERBBL~1\AppData\Local\Temp\Cab99C6.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 2AF3E4B57A8B637FCEE8CB FA3 4C31CEDFF6E2E366085C BC08BCE9A F5E8DF34D4641F11AA0AD917A629BF75F7C0EAA77506C5A27919E7B12AA 3DF74FF25FE90543F3FD74643D6A4E80F637FEB5DD638D4B34B7194C69F994DC2A9FBAF B8DCFB2C7C04 7F7FFE538F3A C86A6B18C64893E35F8 C:\Users\HERBBL~1\AppData\Local\Temp\Tar99C7.tmp data Size (bytes): Entropy (8bit): B5CC2B410F59E60A60EB D A130D9B7BFDF43867EDFBAD1EB2DF3 114E885BA63CF9FF16CBC3AFF1134AA44F0B31DE68D391D5EB2C50756CA83AF CA D87FE349BCA25ADFBF93175A42479ECEC5EE74B806EC5DF6007A18EEC3203B79BB16EA0EB F4A3E8A183F6C05590F4EC1D575CE0F69BE6422 C:\Users\HERBBL~1\AppData\Local\Temp\~DF0446B5C3157AEF2B.TMP data Size (bytes): Entropy (8bit): F17351C7DA9D942D5F9B50426B DDC8DBB8126C908E5EB3707E8EB381133BE BA4E5F22492C2B212B87F7A AE24AC05E671859DEE2F7D5441ABE 2B26E4413C66D51B3A67B311EB8FD278B A4EE88DDE4217BA7BECD6EFF01985A678DDC534A02CA FF966B794A B31AD3A6E796FA86F5 C:\Users\HERBBL~1\AppData\Local\Temp\~DF612F07FFE6EFD055.TMP data Size (bytes): Entropy (8bit): EC996BAAE7889FC9F41845A0ABDB6BAC CA4EA9A601472C EFE23C7F060C C99417B925DA92CF9A9DC BB35151F7580ACD7D26B1B95FA5E 1F4454FEFFED0F4AC466E1FAFC290143EBA3B6A881D290E042E365C37A49799C30869C D9DC359F00AB D045F2B66BC245F847DDB0D57C336D8F C:\Users\HERBBL~1\AppData\Local\Temp\~DF65013A23AEFB4F5C.TMP data Size (bytes): Entropy (8bit): A84B0E6FFD1FC556580D302B2A349E1 EE93AD585D4B528E97C746A21A2DEBE1BCF2AA49 E8AEC371E57DE09E93F6EEB179649FB5F8D4950E5AD6F1C8710F05C73578E252 E670AB68E637EEF3C1A1C552FE6FF5ECDF96BC7553CFF372C35F5455E674FB D24DDB0FA8FB415A BAD8FD7EB50C9054AA48D5832A202B0B4C82EE Copyright Joe Security LLC 2018 Page 10 of 105

11 C:\Users\HERBBL~1\AppData\Local\Temp\~DF65013A23AEFB4F5C.TMP C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 017CB45FBC57D338A2204D32D6B8F6DB 98FD6EEC0B0B6BE10F7D5BC30FF2497CCEDA0B E2F58ECE25489C98D00C7A11EAB9033B72F681C2C16AE48A09D08C8ACF03 E4A E24E3C0A45EFA9EFA76718CC00F4DCC CCE7677C55F9F44A47438E2C6DDFADCF1BA54D 5C311BA2C5752BDE4F4E0DCDCE6BCEE6BA198E7 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A data Size (bytes): 1786 Entropy (8bit): AEB4E76C6F68EFD7A48092E9F0F A035C0BDCC3DC09C881E788F7FACA53C6B458 FE1B9A0EABF44FDBE4DDE97C3CC1209FAD2FBB2D2D7476FFBF64066BD9919A4F 50D98FB4C9875B1AED0AEC06A9C934DB5010B6C5F54539E323EC14FD487E1D92D01652E4614DDF308AB2F1EDE A9E9CB1E23030C971255CC106016C6E7BBAF48C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data Size (bytes): 656 Entropy (8bit): D360EBFCAE3E058368A3F3FE7DDEA A9120FAB67829A9B6A030761F3D59FA69F30 13F7CD1D81730E3E3E23646BCD4919C F19DF06B7FFEC5AA870E6ECDB9 6362BF405E2D29ECB8E8A625F F997A5F19E3B0276A9050B B732BA798E8615E6847ADC320970C2 6320F4EE330F505FBFF330A49BEDE7D79B09 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A data Size (bytes): 424 Entropy (8bit): D068CD26AB856C1B610F2FBCCA4 957CDE425E3BF4C913EE6E640ADAC2AD4C306A40 B9E8702BA8EF6E069719B7A540E6510DDEBA70C7FF34B4E897C9319BE1D0F2CE 049BBEBE99B090E6E50BBD6D2F79458F38DBDCB8F4211EADAC42EB5386B788D5EC8657AA0BCE164DC80069F0 7810E6EDBFB6A144AB7717AA995038F51C5A96B1 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico PNG image data, 16 x 16, 4-bit colormap, non-interlaced Size (bytes): 237 Entropy (8bit): FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 Copyright Joe Security LLC 2018 Page 11 of 105

12 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\VBLQ8DEE\mulhervaidosa[1].xml Size (bytes): 403 Entropy (8bit): ASCII text, with very long lines, with no line terminators 7F16902F6C36365FF84CC29602CAF6CE D6C0EFCC12485B46DEFD3BEBD769CD96F7166FCA 0D49374CA3693F17CACDE0DDE1AD4AB3B0B5FDD8865AC4CB2C69E5E112ED23B5 5AF AF11FEEE7BBF187079A2FF8AB5087F98EC60CD F75C048A62884E093B004E4C0067D50A087D D2F0F6E3D76BD7ED37ECF90D5ACD6AE5C04FE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BDF6B031-EA7D-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): E460AFE07BAC1CFDD6CE3729E5AE8AF5 504FABF4C4BAB95699DDF313EE418C96F8426E66 406AF642B70EE D210B1E0E516C2A63C1E8C5E0563B97C62A D918B17337C85BAF9D59AC36D8EC5753D45FB4B556E643E56B9624F0EFB766484CD8BFB337C5C50C0D0A683D 824B63839DD2C5F389D332BFE956A99043A860 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BDF6B033-EA7D-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): F09FFA7B2E235F5EB4DFFC688A23D9E 8F16F204EF4DF0E903091F5BEDFFEF4DE3A36ACD 278B3F01CDD4BDC0BDAA9D2A69668BAEE0BBB23FA1E8EDA4F A FC31E85074FA07BAF7064F91C7A9765F364C9B235B55B18D9DB85DA09BB66C5C8B13A661F19850C2CF9F5C8CF 15DDD380CA8EF3C68BC827359E9A3AD0AB9BA7 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C70E1AA0-EA7D-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): BF9F F1AB327A7B3061E2E C26B92B3EF3A066E91832E28C662BE2DF5 9642C DD B3CB98DB10C55C6FF96482F57C998F0456 FFE6DF48205C42ABF838CF92416DE64ADD04AF7C613F91FCD074F7ED82A88550D9BD8DAE55FDFE932247E948D 8ED40A41F536D21CC A843E340098A14B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\6uQTKQJz[1].htm HTML document, ASCII text, with very long lines Size (bytes): Copyright Joe Security LLC 2018 Page 12 of 105

13 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\6uQTKQJz[1].htm Entropy (8bit): C9E4B6667FD2C5A2022D05786D2E B66F78DDE4E117D0D EC3FDF9DA43E EAE F B42B8FE A83A E6F489DC07A6 4F485993BE0F3B0C7FAD86AC19F4289EA2D89E BCA866F551239D533075AD F0856BCF60B7 F13C A92E108CEA1F527CA36B2151 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\OneSignalSDK[1].js Size (bytes): UTF-8 Unicode text, with very long lines Entropy (8bit): A776B1A227AADEB746AE708EF94AAE D301D85EBAC6A4CF3A6E577FDC5915ABF3E3A963 2D5AC08E4132F90F51F48DE81D6BFA47AA88B BB82E0F0B203E7D1ED 6F5FC2F6B5EF DAEF3F37B06090BCE4D096126E8D52A24144B911CC F901D2C8C44D2E9F16CA A8CDAF10CFA8DF147FECD613575EB5A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\V6zvOIoD[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): C4282D96F88C1DF302E270FF6FE0B5A7 B38B6E255CA110C5AF993660A04500C29ACBDC90 57ACEF388A037B38756FDD178F FA2A6A9A92D0BD9655E48A9B811CD EA063D783FB81D21F9C591CABC18CA9D28823BE94C054B9EF5B8AC0616AA12BD5EB08A41A0F03E3 851E34C5604D3993DDFC3F6886AAE58E6AE0B6 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\bootstrap.min[1].css Size (bytes): ASCII text, with very long lines Entropy (8bit): EC3BB52A00E176A7181D454DFFAEA D8BF3E1E9368BAB8C7B60F56BC01FA3AFD68 F75E846CC83BD11432F4B1E21A45F31BC85283D11D372F7B19ACCD1BF6A2635C E8C5DAF01EAE68ED7C1E277A6E544C7AD108A0FA877FB531D6D9F B7DA88E4E002C7B0BE3B72154EBF7 CBF01A795C8342CE2DAD368BD6351E956195F8B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\bullet[1] Size (bytes): 447 Entropy (8bit): PNG image data, 15 x 15, 8-bit colormap, non-interlaced 26F971D87CA00E23BD2D064524AEF BEFF2F4F8FABC A13BF26CABAD27D9 1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B A7EABEDC9D41D C62EB51BE301BB96C80539D66A73CD17CA2021D5D A37DB72E E581CC99652F3D8469B CA6C62DAD2A9D57164C620B7777AE99AA1B15 Copyright Joe Security LLC 2018 Page 13 of 105

14 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\css[1].css Size (bytes): 247 ASCII text Entropy (8bit): D73FA89D13D278C11F81D3E7EF131EFA DC8E82C959FDD9527A8C2339C42B2B8B607BB89C 4B0504BEE4D87EE40DCD78F34BB8070CCFC313056D8FBA7191E51415C72F2CAD 476E989C18EF3BF39A4490C12C1CE8DF0ACA95ED2FB5E831BD F10D673E22042C1DC F6D1A C05DDDB79AF0D9CD8ED7CB4DC62B552D9D4852 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\jquery.min[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): F6B11A7E914718E E85366FE9 69BB69E25CA7D5EF E6153F3FD9A88C 05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E 0D40BCCAA59FEDECF7243D63B33C D0330FEFC78EC81A4C6B D5B211011CA4BE23AE22621CCE 4C658F52A1552C92D7AC EB640F8514DB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\jquery.min[2].js Size (bytes): ASCII text, with very long lines Entropy (8bit): D596B2B8FA35FE3A634EA342D7C3 D6C1F41972DE07B09BFA63D2E50F9AB41EC372BD 540BC6DEC1DD4B92EA4D3FB903F69EABF6D919AFD48F4E312B163C28CFF0F441 9E1634EB02AB6ACDFD95BF6544EEFA278DFDEC21F55E94522DF2C949FB537A8DFEAB6BCFECF69E6C82C7F53A 87F864699CE85F0068EE60C EEBCDB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\js[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): D6EC34224C17B4925D86BC239C0B5 5CAA9C01D002D53C9AA9C11CC7F65D0440E30DDA 0FC213C B8DC E61AB FC23D5A21CEA0103AF952FDF 4992CAC0CD68C57878A23EB625A24998E491764F4176C4A0C7AA0F0B3BDC0B6835FDC7A2AEEC0806F6474CF302 7C1FA8FADCE69DA3F2415A34DFB455940B12FA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\setuid[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): EBEFC7104D681D E9AD514 15CDF8DF32AA251DD6DD590A60BF9CF74474E7C5 4B5B6B15C E06720CCE42A06D3AEAD8B D9C52CB C25EF 71DB FAC031DEA18B2C766826C77DBAB01400A8642CDC D5DF C3BECA6F808187D 42E1A1ACC98FAD9A0E1AD32AE869145F53746 Copyright Joe Security LLC 2018 Page 14 of 105

15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\setuid[1].gif C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\topa[1].jpg [TIFF image data, big-endian, direntries=10, height=1136, bps=0, width=640], baseline, precision 8, 640x475, frames 3 Size (bytes): Entropy (8bit): D0490B8ABE C0EA764A347 EF E033095A5A90DD09F54775E71F4B8 F691922B7F0FEF642E840F EDCDD2B9EAE4627F55E28C24D4895E EC FA C ACD2D7D3AA6BADDE590477BF5207C23C02FDE47D4BCA523A3BEE2A 91F0902C718B63AA4DD87C2A6C6DE94DBE521B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ [1].jpg JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 300x250, frames 3 Size (bytes): Entropy (8bit): DE3F73053A3B4715F7972D88831CEA D1A79A6D2CD7CF01D9F80D738DCA2EC44023F514 2E4D7D88264A5F12779B10804B19178A03141AB7F3BC65D21C32A8377A3F330F 50DFD1F D2F0B495FB10E607F19BED4F78822FDB7BFF95E79F98D0541CA32A9341C49040EFB61C EDBA9D65B911261A717A042E0A1F628230DB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\CicMV6Y[1].jpg JPEG image data, baseline, precision 8, 200x200, frames 3 Size (bytes): 6220 Entropy (8bit): FEE25AB4F7995D7A9D BB0C F3E440A54951DE0E0D5BE5080E513CEDA5329D54 30D999CF83C496E9EA5F FFC0F72D539D43327D4E5282AC60F6B90C 18DABDFC167255F5DA9F90D7A4B46E608A1135EC50E2AC8BF263913A2CF452BCAD07876E4D5A1ED358F8F D72FF10A52FE1D9C99887AC332AF234C16D92 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\analytics[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): A7F0B8DAFB F3CD86C0E83 77CC1B529ACC9BF11AAB466970F5E5BF292DC90D B688A3BCD1297CC0FE08E6E52FEA14BA9108EE4B9A2052C03E7BAC6E B26CCC14B461CE620DB B07F7B489D031AEE231BCEDC165518C049C6708D14DDBF0167EA B3360D9EA0D DC752E5A4BC88B8DDF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\f[1].txt ASCII text, with very long lines Size (bytes): Entropy (8bit): Copyright Joe Security LLC 2018 Page 15 of 105

16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\f[1].txt 5E2EA29E6368EF382D8D53B4A394AFD0 FD0153C06B3A872F7A94EEACB68D17A06A499E52 E9CF77EDB95978FA6B193724EE40FDE E030FED8735CDEF6B1A DA42EFAA9D9BB5DC1EA39CE49B50183AF1B B91D5BEA ADB65E83A37E70FF71803D82 DA C6EAFB92AB0A5891B49A89B2E50DD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\f[2].txt Size (bytes): ASCII text, with very long lines Entropy (8bit): E06689C2ED C2F3A9 841C A730F6B6BFF1DA7DE3B C5562D37543E0D9505B8B75C787EAEAA2EE08A99F9F385568F565B0444AFB 1BE2F50ECB9120A9F4E8B86DB3E8FBE338F6216B8D48C31BE5E4CB504EF8B43CAA56B671D2D808B5BEDBA42E A124BA3D509F7BFE6AF48F327D3442BA7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[1].ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\httpErrorPagesScripts[1] Size (bytes): 8714 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 3F57B781CB3EF114DD0B B7B CE6A63F996DF3A1CCCB81720E21204B825E0238C 46E019FA34465F4ED096A9665D1827B AD82E98BE01EDB1DDBC94D3AD 8CBF4EF582332AE7EA605F910AD6F8A4BC FA84F08943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5B A16B5A64A23AF0C11EEFBF69625B8F9F90C8FA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\lNPofv3[1].jpg JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x500, frames 3 Size (bytes): Entropy (8bit): A17D44501C0D9F8C86A60668EF34D7 3F860992D93FE39BE3D13291D13DBE453BDE425A 14B756254E09DBFC49DDE C9CB70091AA1AA70BC8E46FBCE50EC0782F 47B171165BBC5E30879F0DA379F652C0753ACEFDC4906E13840A9A368D01DAECBE714B1F E7810F8EF EDC0EA9DC43798A0E0B4FF2235E71E1BDCF453 Copyright Joe Security LLC 2018 Page 16 of 105

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\unknownprotocol[1] Size (bytes): 6823 Entropy (8bit): HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators E69253A0565EB7266FD032879E F6F59912A1C3E0F528FA48501BE24C AA50A4A6A101C48ADDB7555F0C4CCC3EAE62FFD49D2A47FB4B10C3EFDFECABEA F918AF2F1BEE27EF500F B99E32B625BC31FE075C E589AE32BBEF8E1A4D0EE802DE0943B16C FCAC6310B95C33D78341AFBC52CCA63C2366F4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\zrt_lookup[1].htm Size (bytes): Entropy (8bit): HTML document, ASCII text, with very long lines 55D8C9BD E6720AD7F06A8A B484A74D3F56D60C955BDE1AB5B7A2A7A 82410F237BD936C479321B0DAA3DEC57A4C12F2C136520EC16834F2A1BF60EDF 0C4498FEB834CEA752ED7C386C704F83DDF80448DB425574A800AD7C76A A7202E5E83FE21EC510 4F8AE DDA666B2DC54A717652BC0954 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ErrorPageTemplate[1] Size (bytes): 2168 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators F4FE1CB77E758E1BA56B8A8EC20417C5 F4EDA06901EDB98633A686B11D02F4925F827BF0 8D B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F 62514AB345B6648C A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E BFAC A416C09733F24E B96843DC222B436 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\N42335a[1].jpg JPEG image data, baseline, precision 8, 225x225, frames 3 Size (bytes): 6615 Entropy (8bit): AF00B040C501BC4AF476173B6DE5C99 DDE0629F8A001CDDB0E05E A86716AB B87F40A2E763ADDB7D5CED53CD5A861620A8A39A45196B65C923B65 CDA389B B73ABA5A346BB291C4E897CB C374BDF86187CC24A2CB4E4E5D2D2490A87D3D90CD3 CA40DE4E144D237CFB6FB8F055FDABF2DB3370 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\b6E9XNw[1].png Size (bytes): Entropy (8bit): PNG image data, 500 x 500, 8-bit/color RGBA, non-interlaced true E0D7519DA066B1EFCCB905167D3BA681 F102282B6DF760C33AF41677EA079D1090B7CB9A 02BE505600FD92D EB484DFA140547C702A3F5A02143F17EB9F E31A063600CD1945C1B6555C7E87D971DBB52E9B759B3599F3EF6A7AA310580BAB680A76AAA77FF15AA4ACC BD DC6927E63AE9EE2C642BB5926FD551 Copyright Joe Security LLC 2018 Page 17 of 105

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\b6E9XNw[1].png C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\f[1].txt Size (bytes): ASCII text, with very long lines Entropy (8bit): E9FB811EA9B5195E64E3E84D0D53CC B03F05286DB647EA70ABE04543B36A2A6568A43D 39D9DF610B76AB2F7597C AEA4B D B4350A5B9036B1C AAF95D05E6A563F08CB4E9B0A4F4B0A D6E44996FC4E2D D8AD01D7020C987970DEAE28EB7C32A AEEE868B B3DE6A54CB68F64DA62E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\f[2].txt Size (bytes): ASCII text, with very long lines Entropy (8bit): DAEB2C8444FF5DF58E7330FA9113F D5B9D915B028D22A946B5AA267AE82BA260D4 E9A335A91A37DF7D67BA AFB2F3EE5A5C574DA89C02956CFC573578D 292CA0F8B3C1E999192FC9227C0E2E98A3D9F1F298047F7AB9F31AB AEF8D3C9D7A2C2FF283E222F8 DCEC957796B F5DEBD2AE152DA9E031 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\fnf8kzy[1].jpg JPEG image data, baseline, precision 8, 225x225, frames 3 Size (bytes): 6351 Entropy (8bit): B34CABF2DE89A9E28D9AE76B982BCA3 2A1E862D302CD3F8DFAE8C5BA0EF0985E484174F EDC1F5DD F8F976B211040E281B5F6B92C0BB217EF39C5A0FCBDA06A55 251DA4E175D19F3FEB3D7B F0902D492E17A8903EE262634CD0BFDDF2E F2314D F AAD486D70CC70A0DA96D59BB3597F9 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\gen_204[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 42 Entropy (8bit): D DA2D9510B64A9F031EAECD5 D5FCEB D0D84FFE09C40C481ECDF59E15A EF1955AE757C8B966C BD3A30F658CED11F387F8EBF05AB D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A E0DF38B62847F B771463A0124EF3F84299F262ED9D9D3CEE4C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\giphy[1].gif GIF image data, version 89a, 320 x 320 Size (bytes): Entropy (8bit): C932390D7EF8B6E381A5CDFAB589E781 Copyright Joe Security LLC 2018 Page 18 of 105

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\giphy[1].gif D53E F31730E3E45F0F41CFAEDDB3FB14 7D066C2F996B7F65F25C0E62529C9884D12C4609CFFE5888EDACC3C2FEC67826 DACBE2F979C49CE407B F116C86AF45C69D5DAF993D2E6B93FBDB004CEA9C015D732F1441F7CA695BD6 F2D6DF179C0D955B06ECCBBFF5F0031F96CB458 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\info_48[1] Size (bytes): 4113 Entropy (8bit): PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced FCC163AA3A79F0B746416CE69 B97CC66471FCDEE07D0EE36C7FB03F342C231F8F 51129C6C98A82EA491F89857C31146ECEC14C4AF A7A20C699C84859 E60EA153B0FECE4D D3B763B14B9A140105A36A13DAD23C EAAB DEB8C68EF078E8864 D6E288BEF7EF1731C1E9F1AD9B0170B95AC134 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\pixel[1].htm Size (bytes): 294 Entropy (8bit): HTML document, ASCII text, with no line terminators A94F2E BA6C54D71085A95BBF 4A268617D19CEABBB2B2B BA0D430C6E 3D8ABFFC079D26EB4AD8B36F7B7EDC34F7F6EFBF3DBB0240DFC A9 BBC6D1FE795F CBFC04070A5667E133DB22E2020A7A026506AB B8347A67023C1EB7270F458677F4 A6C6B5F6EC9CCDD45CDFE6E5159F941EA75B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\source[1].gif GIF image data, version 89a, 800 x 800 Size (bytes): Entropy (8bit): CBE287D6C1384A47F3264BCDAB62C4 21B08746A80879DC8D28F0066DD25635B0C4C0BC 15EC3637DAC5B76DF6C7DF5CF0BD5BA7A86DF41335E6630E115D812513CA4533 CF92D8B3AA2D49F77F402FF1DDF9A0E7494B B748F0DEF8F1C76FF59B8401F1E06906A C2734F216 5B ADCC18FA116DFB1FA5F551EFBD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\za-labour[1].htm Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators 532CDA A07C F5D740 7DDD0585A394D530F A7FF3FB2085F258C D CC9F20ACC68D6E3399A599F49C666B3D3856D1DBB5FCA1ACF7824D0 B D8E36F1C34A4C12DC51E9A8EC7449CC31B90C84EAC7C760AC0A01BCFBB42D7F984D6EA4DB4CF67E B15A4FB5A6F241B5FF8F19C2DCB60FD8914 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\JTUSjIg1_i6t8kCHKm459WlhzQ[1].woff Web Open Font Format, TrueType, length 22804, version 1.1 Copyright Joe Security LLC 2018 Page 19 of 105

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\JTUSjIg1_i6t8kCHKm459WlhzQ[1].woff Size (bytes): Entropy (8bit): F29D2B B6BEB5B29B25B8BC572 F439AFC6A45DDC AD5284F31ED5B0F40CC F73C9F5598D19C1D050C9D5D81DCC6A77B8790CB94129A C2B5DA045 FADA02932F482CF5C4232DBA0679A ED9C9C99944B0CAB069E84B1CFAD5DB4537D10987F294BC A7FCF4F457E6538FF0339AEB430DA5ABB99FF C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\MFEsfnq[1].jpg JPEG image data, baseline, precision 8, 304x400, frames 3 Size (bytes): Entropy (8bit): FA04B21CD153BED8887D9B13112D5 7F189E70E20C198D5BE15EAC C11CB5B FFAC4A7562A563691D399859F273B6BB21ECAB2CC1F92F4124B B156 9C99E0FBF044B86B82BA833B0E4636CB40F AA848E775A88FC89030F09504C37EF80C02827EE21E A0CF6F5CBA01C58F81D50BEBD668AFA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\ads[1].htm Size (bytes): 8756 Entropy (8bit): HTML document, ASCII text, with very long lines, with no line terminators F6257EFFE22B1DCBCB735E76DFA770A7 633CDA0CA17B692C9D7FCA856C4B4F27B6EE9D4C 5775A1841F6A02C0690D5C6D9D8A2EDFF4E752B83237DA944D6532D37D3F22D C062A2CB799125F1AB6116B8546B0D09BC9A7B FAD025EFAC5697D B7CBEAD92F2C973 0A8177DC ABF475006FEA52D887BE86 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\background_gradient[1] JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3 Size (bytes): 453 Entropy (8bit): F0110ED5E4E0D5384A496E B 51F5FC61D8BF19100DF0F8AADAA57FCD9C BE91E53C2640FE7BAEECBC624530B D93F2815DFCE1865D5B 5F52C117E346111D99D3B A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86D D7C56C25E44B14EFDC3F13B45EDEDA064DB5A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\ca-pub [1].js Size (bytes): 133 ASCII text, with no line terminators Entropy (8bit): FB7F7C012AE22196DF874A68990E7CED 46E7B1F812FED9BCE06793D8ADD CDE98B AD3F D58F0C5E8B2F074EDC3FB50E776DDECDB8A90531FD30407D6FF F8F0E16736D D296E60EADBDAB38A25626EE91616C542A0ABA8D0E55E7A2AE7A48EB4B6E08D851 8DCF6F7B24D65D063DD6D804DDE67D6050EE8B Copyright Joe Security LLC 2018 Page 20 of 105

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\ca-pub [1].js C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\errorPageStrings[1] Size (bytes): 3470 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 6B26ECFA58E37D4B5EC861FCDD3F04FA B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA 7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB A 1676D43B977C07A3F6A5473F12FD16E A1CB9771D0F189B EE79480C33A010F08DC521E57332EC4 C4D888D693C6A2323C97750E C3F4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\f[1].txt Size (bytes): ASCII text, with very long lines Entropy (8bit): E8BB19BDA3EADF203BEC8D9342E1CD B2F9DB25F9B71109ED81F61A849FEBE9E5D829FD 4D9D0B73DFCAE911B875ED7F9242EF6036DF970A6676D75CDF0DC921B06AD DC6FB3D06E4FFCD2D1EE81150BF EF400A0ECB7BBA551AB91D73D2B79BA B03AFCA 4A0FDF77792D56F53070F9FDBA220EDF1EDAE6B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\f[2].txt Size (bytes): ASCII text, with very long lines Entropy (8bit): C57CE56072C7898FB01B1B0B3D637 50DB28E6AAF8117E2B81281DE258B116C90B1C05 EAD6EE232C50B11DA020A4A3A65A2BE599530DA1684F40E CB A5C00F696FA7CD74E4ED3D56A1787E754BA485F5999DBC71495AB72474F807DF172473CEEAF8B B5E6CD CF949824BDA8C E2FB64F139AD8A0C0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\f[3].txt Size (bytes): 2950 ASCII text, with very long lines Entropy (8bit): C6E1CFD7B29D942CB0AD0A1A1EB29 F4695F23708DDB98469C6998D478FBE4645DF E8BB56D7D922D27E89E19B714FEFBF4410C83964AA09D571F6AEB4A3C 16E8EC CCC2A63DCDF962AF2ED0C559EE9B49D8F7B794F478BBAC502B3BC E99AC303E541FE4 92B A5B64880E0F4B83407EAABB447A8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\f[4].txt ASCII text, with very long lines Size (bytes): 8205 Entropy (8bit): AF14156B4FABCC8FE4E8B9470D8DC6DC 26BFAEEC8DBB8D4010F16DBEEEA7B3994ACBF2BB Copyright Joe Security LLC 2018 Page 21 of 105

22 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\f[4].txt 34D2D30765A5A242DB5077C B8D30BEF3762F2DEC047A347EDCC3DC4AD 3C E FFF78200D60C8B579B901DA348EFA8F0A37F0DC1021D9BA9452D545D295C7E6587E305DB 97A33B9B0A2AD0AA0606C34D519AE86DD464A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\kRT51_aRRIxP7N1g0woWOmver0i0ckrzIpkEtf GIHI8[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with no line terminators 79CAB C1D3BCC974D38AF 7411A2840B4F3C02E D0F57E0C1BAD08B4 9114F9D7F691448C4FECDD60D30A163A6BDEAF48B4724AF B5F1881C8F 5D C60B58D74DFA18BEA29F8D5B40AE3F4546FD94ADF9E3A25224FD920765AA12D1A7A90328D07860C6 D4EFAECE2ED50713A558F3C7AFAD8CE4449C7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\urlblockindex[1].bin Size (bytes): 16 Entropy (8bit): data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\1NF7DTN2.txt Size (bytes): 101 ASCII text Entropy (8bit): FAE8A6E08E48DEC76AF005BDD6C5810 8E42C4D53ABFFADEDD29223BC898A08F8FF97D72 7D F950C6F02D1310ED6F5C8B198A0DB751DA963CF50E553E5C3EE5EA1 83AC6F059C54AC44C71B685FE3BA9D6E1C6D312296E1EC498A94F9F74BA5849CE53C8538B125B574D85E841A3E 28D3EF7353AC3A8DA358DFB9CDEF612F2AB0B1 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4F03RTGM.txt Size (bytes): 292 ASCII text Entropy (8bit): D2F6CD8F FDC270B71FD1 576EA72EDE6BB1456D3061BA2B9B9B A7 4728A3CA244F4C13C95ACFF14D5D30EC08B9F80C8263A A6C568D3A76A E908FC7C65CD277DAF1E16B D8156F0B457C4FBA9FE2D5E2A4FD9B349F57FE0C8B945F64CC392494D7F F932B7CBFD33F6137B EECED746D281 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\85IU16TT.txt ASCII text Copyright Joe Security LLC 2018 Page 22 of 105

23 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\85IU16TT.txt Size (bytes): 139 Entropy (8bit): BF54ACECB817965E41A75808B447429D 004D5F9AB1772BBF9B2F9E17A814509B71C11AEB A5B5E37F4E3016AF0AB14B9DC67450AEF25DB839AEBAC2D4675F9 1A2CF51BAC7F506D6B02E13F01B4E1D66AABEFAF6FB97B75F2C6D0896ABEBBADD5E388C C8C2E6B4 5FA5ACB4A2F827DAE4ABDC83EC2570CCD7E020BC C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PG2SFAUH.txt Size (bytes): 179 ASCII text Entropy (8bit): F690DD03C5447C C63AB61 A8D970135E036C3A5048C56CDEDA1637DA79DBEB 61A89AA39C4D0E2C EBD86E858354DC409964DBCFF3894E71E5F36B 2B C76D48CFA9756C916A96BAB3B61EEFBF2EF21C0A3F54E8691D2F5A85A9C35A8D82A35B4FA83E383 5EEF78693DC46945F14AAFA60CA6E87ED15524 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RHXULJ3V.txt Size (bytes): 98 ASCII text Entropy (8bit): E397F341281C62496F6742EDC675DC8 5AAD27814E5D248C584094E2C01D69BD485B77B4 D FC F3E910EACEA3ABD5EC8EFCE5FFFC84C7 A8AB14F63BC8BBF03E5380B87BDAFE39F9AB0A2AEA31D6FB2CD46B1F98455A57CC27F68A9FBEB10EAFE49536 A05C76FEEF B4BE295AD490E9B80EAB8 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RNS8L512.txt Size (bytes): 139 ASCII text Entropy (8bit): E1F660F7ADDF17C62CCDCD5E41F2426C C27F ED9FCCF1E2FCAE8616 B142DB46268C9A3E5BA72D A78A49C4A50A20CCC7789FDA F62 D2565F03A15C82D7F4D0C40ABC2FE57E06C2408A0233D7579FD85460DC1ED9314E24BAB1C3171FF C F48F26BD40D286D012192A7A7FC7FCE3CC505 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\S1AR1ZY3.txt Size (bytes): 198 ASCII text Entropy (8bit): CB25E8A9B99DB2A8A2743ECB8CB5C8 886A804FB CA370865F5390F3828D1A0FD FA9018BBDB137258B17B256638FDA3E3973D04700FDDDB45CE0BDFD B9 CB56CEB4D5770A01A673D9FA5DEBD0559D66C58477C9D77EB28EE27FF4CD3E C8F9334B7467D ECEC0C03D02E40545CC195D8E4FFB024 Copyright Joe Security LLC 2018 Page 23 of 105

24 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ULNCP6HM.txt Size (bytes): 93 ASCII text Entropy (8bit): F4BFED D2865D49ABDFF8E CAA3E394D B1F502E4A093DF7716BB810F 3C85CE16C9AA1086BCCF66CADBFE735C08FCF C70F30D339B53843DBC 359B39B7EBF9F272A67D70D996A2BFFA48A0FDB9921FE243907A58EFA74CB58D051F7F9FBE AC03530A E9DE22225B305AEAAE43DCFB53A95350DC446D Domains and IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation cdn.onesignal.com true high pagead46.l.doubleclick.net true high prod.imgur.map.fastlylb.net true high fo-fd-world-new.yax.gysm.yahoodns.net true high pagead.l.doubleclick.net true high apps.digsigtrust.com true high ib.anycast.adnxs.com true high mulhervaidosa.info true 2%, virustotal, Browse unknown opau.download.windowsupdate.com.c.footprint.net true high limited-prod.giphy.map.fastly.net true 0%, virustotal, Browse ads.yahoo.com unknown unknown high googleads.g.doubleclick.net unknown unknown high googleads4.g.doubleclick.net unknown unknown high cm.g.doubleclick.net unknown unknown high maxcdn.bootstrapcdn.com unknown unknown high adservice.google.ch unknown unknown high i.imgur.com unknown unknown high ib.adnxs.com unknown unknown high s0.2mdn.net unknown unknown high media.giphy.com unknown unknown high URLs from Memory and Binaries Name Malicious Antivirus Detection Reputation za-labour[1].htm.1.dr high za-labour[1].htm.1.dr high {BDF6B033-EA7D-11E8-B7AC-B2C27 6BF9C88}.dat.0.dr Avira URL Cloud: safe unknown za-labour[1].htm.1.dr high /zrt_lookup.html p.min.css client=ca-pub &output=html&h=250&slot version/ {BDF6B033-EA7D-11E8-B7AC-B2C27 6BF9C88}.dat.0.dr za-labour[1].htm.1.dr high {BDF6B033-EA7D-11E8-B7AC-B2C27 6BF9C88}.dat.0.dr js[1].js.1.dr high za-labour[1].htm.1.dr high t=dc&aip=1&_r=3& {BDF6B033-EA7D-11E8-B7AC-B2C27 6BF9C88}.dat.0.dr high high Avira URL Cloud: safe unknown analytics[1].js.1.dr high Copyright Joe Security LLC 2018 Page 24 of 105

25 Name Malicious Antivirus Detection Reputation /zrt_lookup.html# {BDF6B033-EA7D-11E8-B7AC-B2C27 6BF9C88}.dat.0.dr high za-labour[1].htm.1.dr high google_nid=appnexus&google_cm&google_sc&google_dbm {BDF6B033-EA7D-11E8-B7AC-B2C27 6BF9C88}.dat.0.dr Avira URL Cloud: safe unknown pixel[1].htm.1.dr high za-labour[1].htm.1.dr high za-labour[1].htm.1.dr Avira URL Cloud: safe unknown za-labour[1].htm.1.dr high analytics[1].js.1.dr high za-labour[1].htm.1.dr Avira URL Cloud: safe za-labour[1].htm.1.dr 0%, virustotal, Browse Avira URL Cloud: safe getbootstrap.com) bootstrap.min[1].css.1.dr high za-labour[1].htm.1.dr high js[1].js.1.dr high bootstrap.min[1].css.1.dr high esig=1~b04e c73fafd60e0ed8cb49a70ecfb061&nwid = &sigv=1 pixel[1].htm.1.dr high analytics[1].js.1.dr high js[1].js.1.dr high e.gif za-labour[1].htm.1.dr high {BDF6B033-EA7D-11E8-B7AC-B2C27 6BF9C88}.dat.0.dr {BDF6B033-EA7D-11E8-B7AC-B2C27 d=cpt3mhcpvzuy8cylrzab&v=apeucnw4amskwlcqmlr 6BF9C88}.dat.0.dr op4uzystp 1%, virustotal, Browse Avira URL Cloud: safe unknown unknown high Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Country Flag ASN ASN Name Malicious United States FASTLY-FastlyUS Copyright Joe Security LLC 2018 Page 25 of 105

26 IP Country Flag ASN ASN Name Malicious United States CLOUDFLARENET- CloudFlareIncUS United Kingdom YAHOO-IRDGB United States FASTLY-FastlyUS United States GOOGLE-GoogleIncUS United States GOOGLE-GoogleIncUS European Union ASN-APPNEXUS-AppNexusIncUS United States CLOUD-SOUTH-CloudSouthUS United States GOOGLE-GoogleIncUS United States GOOGLE-GoogleIncUS Static File Info No static file info Network Behavior Network Distribution Total Packets: (HTTPS) 53 (DNS) TCP Packets Timestamp IP IP Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Copyright Joe Security LLC 2018 Page 26 of 105

27 IP IP Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Nov 17, :30: Copyright Joe Security LLC 2018 Page 27 of 105