ID: Cookbook: browseurl.jbs Time: 22:02:15 Date: 20/08/2018 Version:

Size: px

Start display at page:

Download "ID: Cookbook: browseurl.jbs Time: 22:02:15 Date: 20/08/2018 Version:"

Barry White
5 years ago
Views:

1 ID: Cookbook: browseurl.jbs Time: 22:02:15 Date: 20/08/2018 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview AV Detection: Phishing: Networking: System Summary: Persistence and Installation Behavior: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted URLs Contacted IPs Public Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph Table of Contents Copyright Joe Security LLC 2018 Page 2 of

3 HTTP Packets HTTPS Packets Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3464 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3520 Parent PID: 3464 General File Activities Registry Activities Analysis ssvagent.exe PID: 3592 Parent PID: 3520 General Registry Activities Disassembly Copyright Joe Security LLC 2018 Page 3 of 54

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start date: Start time: 22:02:15 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: CloudBasic 0h 4m 36s light browseurl.jbs EN-KJPHBoIyHBjAlzvIdWqxPjRho6Fm45i1GrCIu ho.&cid=egvof8xk_1258_ &sid=39 Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Timeout MAL EGA enabled mal48.win@5/43@6/6 Copyright Joe Security LLC 2018 Page 4 of 54

5 Cookbook Comments: Adjust boot time Correcting counters for adjusted boot time Browsing link: towerapps.com/0xl1+zy1e3sugjop TQv7tuYZnOcElZe1AChgadoCe+I9xi 5uTrZarhBBYNfNq7h3lO8BOZpcNX8O b359xllh3roysgvcofgxrj5gvr+wvk D0xRcA+2VSZtyE9XU9PetPrNaJ1qn6 +9ZvLvpYIJfsTZ+K4YdY+5w8hoMFc5 CMC2PgxODjmMOzY8PrBDR4OogM_WFA ax8rcyhkcrt5no+nnxo4+hmuqzpr2y 7lRviMZ4d3fvr_9utCr8i4Yf6i_AAB ad5qp3izxeym_r5tpcx8jb3gccdhzo fy7gpj3dyylqk+0yjeekbe0nqgb6vy xtggf2wz_ofbcelmab+6lpphwbndq3 Gh+cZBMsWCXQuAD9tlKNPUjKCRdZ6U G1_LxDNnIqKqOtU+2w9dhW_C_N7CcM bkyp+opdyyrfhdho9c1illdo4egpw5 PUzIzMJYV5h8+MwbYqLTQCLB48eo0c AEJcXqxh0vW5LTm_T+2yPxWx+aluuG 85eE5erQSaiqiV7h6QTa2FYJS5zHYg l8mrssqqwr9zfbcye9ddqsvqniejga 044gS9hNgGsnOcZMOC7tLCgkhzfkQl Jy3NyoJA+f7JN5IsqUHWZCa5jcZat9 TEE3SqZ9uN2N1_jfrZLIvKIPILwcj2 zkck7jxlqhwnlhynwrzrwwdp_nfmtg 15fkaWyBtKbT1g44WOPcnF9YLXqVB1 TJ8BAo6CRQ+XPSsp0zCfosS+GEeJ3D OISZWCxV4AztY39WKtX2gTSWnHnzBM avhfxjmrjbhkpx_ziiya8wgqh0q95b uzox1nvwlbuoiggj2ge64feut9itpg ocj6kqmlxaxj+cup1vk6foyzk3glon kdd5vzafg7lp1qodbo7gfyfnnwfukb jqjqgub5nahwizysh5nho3kgzohyc7 GiaWoP8q+wZ5OTY2D66ZmMPvCQ1dqz txulsmwt+hdemb8jtxcazha0oxrddb mrxkvgouroejc4+iojvicgllvhnysq Bh_IbqMuA77hrXketlXxFpIi+UdUck 4OIn7uNg1+mEquZdvR77N_63CTlxD6 CMXtNJWzkDPKvLuUUkx5991SDS_QKK bvnv8zeierzyfvpbq+wxontjb3qun0 Kqsbix_2x8DzS9f0TIznPdwM1AjdAs Wlhz2e++ZGCu_8QuCeTNpDEwUw==-G 4cBAGTITdu2blG8fUXEFrUkBw4OOWD _l1camvmwmxa2rtarawx5sz42ezgm5 diyvt5xhgi9icekf60j+l1smf82dkb uzgunguts4lx+9ryjyccxot60fl06f BXnwbIYALC61RDR3b3DW6vjBMdNe8Q xcjprsuzdmvozabj3j4idkeflk2u9e +0TmBH0gbaxkSawlcf+8R70S+s5+LN RM0ZvUfXxRChF9n70KQQq8M0+m2JOi ObQ4R2700WIWM_jzNnWBArMyqVkdMP 26XAFOhtKo2sp_Z_q5qDruOhOMkd_s AAIpclAO0I74v q_h6j3henn5dwnu YsvI4Y9O7W5m0D+DNra1CbYJ0pBKc0 XW2VG1I+xw9x0Wi_DAvPHskPmTDM62 _zi8hng49pfz0mvyu6p2t1cvtg09l0 NTFebPRdr0C Browsing link: Browsing link: Browsing link: Browsing link: c Browsing link: e/help/downloadmanager.php Browsing link: Browsing link: channel={channel} Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe HTTP Packets have been reduced TCP Packets have been reduced to 100 Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtSetValueKey calls found. Copyright Joe Security LLC 2018 Page 5 of 54

6 Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Classification Copyright Joe Security LLC 2018 Page 6 of 54

Ransomware Miner Spreading malicious malicious malicious Evader

Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample

working Uses HTTPS for network communication, use the 'Proxy HTTPS

analysis Signature Overview Detection AV Phishing Networking

7 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample HTTP request are all non existing, likely the sample is no longer working Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Signature Overview Detection AV Phishing Networking Summary System Persistence and Installation Behavior Copyright Joe Security LLC 2018 Page 7 of 54

8 Hooking and other Techniques for Hiding and Protection Click to jump to signature section AV Detection: Multi AV Scanner detection for dropped file Phishing: HTML title does not match URL None HTTPS page querying sensitive user data (password, username or ) META author tag missing META copyright tag missing Networking: Downloads files Downloads files from webservers via HTTP Performs DNS lookups Tries to download non-existing http data (HTTP/ Not Found) Urls found in memory or binary data Uses HTTPS System Summary: Searches the installation path of Mozilla Firefox Classification label Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Found GUI installer (many successful clicks) Found graphical window changes (likely an installer) Uses new MSVCR Dlls Persistence and Installation Behavior: Drops PE files Hooking and other Techniques for Hiding and Protection: Copyright Joe Security LLC 2018 Page 8 of 54

Disables application error messsages (SetErrorMode) Behavior Graph Behavior Graph ID: 73271 URL: http://www.getreadyforsystemupgrading.win/?b9zd1=men-kjph.

9 Disables application error messsages (SetErrorMode) Behavior Graph Behavior Graph ID: URL: Startdate: 20/08/2018 Architecture: WINDOWS Score: 48 Multi AV Scanner detection started for dropped file Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend iexplore.exe Number of created Registry Values Number of created Files Visual Basic cs9.wpc.v0cdn.net , 443, 49186, ANSBB-ASNNET-1-AdvancedNetworksServicesIncUS United States started Delphi Java.Net C# or VB.NET C, C++ or other language iexplore.exe Is malicious 2 45 alwaysup.readyhighcentercontent.website , 49164, 49165, AS12876FR , 49162, 49163, 80 AS12876FR 5 other IPs or domains dropped United Kingdom France started C:\Users\user\...\mpp_setup_ [1].exe, PE32 ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 22:02:43 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample Source Detection Scanner Label Link ho.&cid=egvof8xk_1258_ &sid=39 0% virustotal Browse Dropped Files Source Detection Scanner Label Link C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D T\mpp_setup_ [1].exe 28% virustotal Browse Copyright Joe Security LLC 2018 Page 9 of 54

10 Unpacked PE Files No Antivirus matches Domains Source Detection Scanner Label Link 0% virustotal Browse js.dihogghotsoy.com 1% virustotal Browse cs9.wpc.v0cdn.net 1% virustotal Browse URLs Source Detection Scanner Label Link 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe ho.&cid=egvof8xk_1258_ &sid=39 ho.&cid=egvof8xk_1258_ &sid=39 0% virustotal Browse 0% Avira URL Cloud safe 0% Avira URL Cloud safe 1% virustotal Browse 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe yctrvwoburucq8puxktbasgagmhaeff2ouxfbqikipvephgbhq..&cid=egvof8xk_1258_ & sid=39&v_id=efwbfyxdrk6xc37ghc6bswm0yobycwlyufp9nxiud_o. 0% Avira URL Cloud safe 0% Avira URL Cloud safe arhbbynfnq7h3lo8bozpcnx8ob359xllh3roysgvcofgxrj5gvr+wvkd0xrca+2vsztye9 XU9PetPrNaJ1qn6+9ZvLvpYIJfsTZ+K4YdY+5w8hoMFc5CMC2PgxODjmMOzY8PrBDR4Oog M_WFAaX8rCYHKCrt5NO+nnxo4+HMuqZpr2y7lRviMZ4d3fvr_9utCr8i4Yf6i_AABad5QP3iZXeym_R5 tpcx8jb3gccdhzofy7gpj3dyylqk+0yjeekbe0nqgb6vyxtggf2wz_ofbcelmab+6lpphwbndq3gh+cz BMsWCXQuAD9tlKNPUjKCRdZ6UG1_LxDNnIqKqOtU+2w9dhW_C_N7CcMbKyp+OPdYYRfHdH o9c1illdo4egpw5puzizmjyv5h8+mwbyqltqclb48eo0caejcxqxh0vw5ltm_t+2ypxwx+ aluug85ee5erqsaiqiv7h6qta2fyjs5zhygl8mrssqqwr9zfbcye9ddqsvqniejga044gs 9hNgGsnOcZMOC7tLCgkhzfkQlJy3NyoJA+f7JN5IsqUHWZCa5jcZat9TEE3SqZ9uN2N1_jfrZLIvKIPI Lwcj2zKcK7JxlQhWNLhyNwrZrWwdP_nfmTG15fkaWyBtKbT1g44WOPcnF9YLXqVB1TJ8BA o6crq+xpssp0zcfoss+geej3doiszwcxv4azty39wktx2gtswnhnzbmavhfxjmrjbhkpx_ ZIIya8Wgqh0Q95buZoX1nvWlBuoIGgj2Ge64FeUt9itpgoCj6kqmLXaxJ+cUp1vk6FoYZk3GLoNkDD5v ZAfG7LP1qodbo7GFyFnnwfuKbjQjQguB5NAhWIZysh5Nho3kGzoHYC7GiaWoP8q+wZ5OTY 2D66ZmMPvCQ1dqztXuLsMWt+hdEmB8JTxCAZHA0oxrdDBmRXkvGOuRoejC4+iOJviCGllV hnysqbh_ibqmua77hrxketlxxfpii+uduck4oin7ung1+mequzdvr77n_63ctlxd6cmxtnjwzkdpkvlu UUkx5991SDS_QKKbVNV8zeiERzyfVpBQ+wxonTjB3qUn0Kqsbix_2x8DzS9f0TIznPdwM1AjdAsWlhz2 e++zgcu_8qucetnpdewuw==-g4cbagtitdu2blg8fuxefrukbw4oowd_l1camvmwmxa2rt Arawx5SZ42eZgm5dIYvt5XHgI9iCeKf60J+L1sMF82dkbuzgUnGuTs4Lx+9RYJyCcXot60Fl06FBXnwb IYALC61RDR3b3DW6vjBMdNe8QxcJPRsuzDMVOZabJ3j4IDkEfLk2u9E+0TmBH0gbaxkSaw lcf+8r70s+s5+lnrm0zvufxxrchf9n70kqqq8m0+m2joiobq4r2700wiwm_jznnwbarmyq VkdMP26XAFOhtKo2sp_Z_q5qDruOhOMkd_sAAIpclAO0I74v q_h6j3henn5dwnuysvi4 Y9O7W5m0D+DNra1CbYJ0pBKc0XW2VG1I+xw9x0Wi_DAvPHskPmTDM62_zI8hNg49PfZ0mv yu6p2t1cvtg09l0ntfebprdr0c 0% Avira URL Cloud safe 9wzDjM9yctrvwoBUrucq8puXktBasgagmhAefF2oUXFBQIkIPvEpHgbHQ..&conversion_id= &app_id=175&lp_id=2613&v=icrevk&stub_name=1855&v_id=EfwBFYXDRk6Xc37GhC6B Swm0YobyCWlYufP9NXIUD_o.&lpp=%2A-%2A-%2A&cid=egvof8xk_1258_ &sid=39 0% Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) Copyright Joe Security LLC 2018 Page 10 of 54

11 No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 2018 Page 11 of 54

$exe (PID: 3520 cmdline: '' SCODEF:3464 CREDAT:275457 /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3592 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.$

12 Startup System is w7 cleanup iexplore.exe (PID: 3464 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3520 cmdline: '' SCODEF:3464 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3592 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\~DF CA9E510C.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): DBEE33388CC792E696E E3FE66D2473F6BDEEE508EFA73B715734DE 28DBE7FBC31B65D6B24716DB5379FFADF92F11254B8BDC0957BE8C786474F56E 27B937EB674E83E6597AF3BC9FEDFBAE17E8D358C803ADD A51A9925C2D73878D A83E99991B3F 7CAA00DC91E0B8D1E23B5C4855BBB150441C2 Copyright Joe Security LLC 2018 Page 12 of 54

13 C:\Users\HERBBL~1\AppData\Local\Temp\~DF1B026042F78BA582.TMP data Size (bytes): Entropy (8bit): E8596E49C533FB12B84138F5590E2FA3 594E07153B71ED9F8E5F55019E22B32FF4BB5A4A F6C3DD33177A77F E2E32094CC2DB15166D9680E36A5ACDBFB ECC17B33CFB5A27066C8FF1EB3CB71D667F50D48874FBA57771D2BE3FC EAA68E499AFE7CD9FE2D 9FCD286C68F1D9546D37E70A388E6A64E74DF03 C:\Users\HERBBL~1\AppData\Local\Temp\~DF3B8E5F76465F88CA.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): EAD1E82FA9381E70D65D7D C4556E3DCF8EC842DCBFC14E C9 00D C217023E5CAD05C2F9C DCF9B6720E6E72FC9F4B35996 DEAE801D6F77D9A6ECB2D67902A875A1ECFEBD0371B116A CCE3BE6261FC98FDDC9CC6290AAA 3D493B33AD433972D2D838ADDA3D6E376D95835 C:\Users\HERBBL~1\AppData\Local\Temp\~DF54CB043449FEC613.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): B3AB0CC63A23CD8852DE013DE902BD D ECDFD8B5A527C971905AFF4F891CA 6A1ABEDD9606C85B56083B0DE8BBF13F4DFB4A952627CFC55F405E7E63F4483C 13F7A685780C51B700CA71FD39FB78E2E83E6E10BAABB7121FD9426B1158F6322ED02CA2C00A0A296939E7F A5C30F09D3CD2B28B76B68DF443A9DB C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FEAB1671-A4B3-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): F0A1BB47B1B70E9DF4C9EF50E9214C A8A185C4BC21C9B530AD151819B5D F9127DEEA8941FBD196D0E977D7DA559D112D2F896ADC1364A8F D332ECA962E98B10B7CF32B7E10760C048090B2E7403DC96F91FC33D311EFE78CFFF843AB205D0A85AD24233B C62BCBEE7D73797EC28FA86BE039AF56C Copyright Joe Security LLC 2018 Page 13 of 54

14 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FEAB1671-A4B3-11E8-B7AC-B2C276BF9C88}.dat C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{085E3620-A4B4-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): A83232D57121D7CF748D4DE828 BF108E7F502A931A94052B28D7A5C5DBC98E1CC2 7E1E AD4F962182AF7441AC6158A33125E4C0AF059BF5960FC5DA580 C54558A51AAB0BCD C26464DC2AB0DC58FB30F5023EB092AF87B87B5642CA44CA562AB20989F76BA01 FF321E8BA72EC2115AE179287C3BB78763D12D C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ A4B4-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): BFEB59275A3922B9BEB5048F2B7E73CE D408197AF073A5C5F5A8A40111B80542D147F D267B0D94B76F463272E323B9FA FDF91E164C303863BA15F3 A4056B28CE50AC7B73DB51FFE1485FD7ADBD01AAA1BEE6DA0BC23E73FC0FD5BC7F46793FE3A39933DD39E926 29BA250CA6317F02361F8BB13CD75348F413F4EA C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FEAB1673-A4B3-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): B9649AE39AC67939F31CA34D6B13CF E94B23994EE3443D5EF989C0CE7E74FB EC5BC103746EC4E3F35F54CAAF040DF7A22BBA00441BCB313D0B4D188A9D 85D5B0E26DDD6094C4E720D02DA32582D95936DB67619FE7CEB0777EA9ED807C1131B AA45F36F D9C39F BC30FE A10E31 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\apple[1].png Size (bytes): 1192 Entropy (8bit): PNG image data, 33 x 38, 8-bit/color RGBA, non-interlaced 2E162C0CBABD F6A37EA839D AE79391D4CF5B7AA9A41DDEB934ED9EA0D1AA068 F32FCDC2C152DF13186E D155458A8F812229E7C597E1A828FED FBB0B2528F4B5DF3FDB8F95AD71180B0E5F4133BE959FCA183DC745C1A AA38FC25191A0FA9707 D285AFF83C44E8077ECE9AD5946AD16B58FCC0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\red_flash_mac[1].png PNG image data, 150 x 124, 8-bit/color RGBA, non-interlaced Size (bytes): Entropy (8bit): EFDFD15C5D64FA7D AC9B9740 Copyright Joe Security LLC 2018 Page 14 of 54

15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\red_flash_mac[1].png D76A15685B8BDA56160D4BB29F2217DCEF461E77 F7A2BE71742BAFBF402ED941C48B981CEC234709E12ADC5C20BB C63D9AD9B731F382848C01F5A2D1D75292C45B5E56E2452FF00D01DE C27A9064C100646F1C5A08FCE9C6 A1461F9FFAA954C C5D2EE953E15A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\step_1ch_win[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced 01E07E4A6FE3D EF2E7D1C0DAC EB80C0F96F73979FB BDDDE05E7D564 EE2A07BD37A9929E7DD189AD0C05E3EB27EA31E6DDC6BEB2D6A4DB5A B2F4060A DB111299A4ECCC1D4E5BAD1B3AC0D67BBD25EACE56D09EFB742FC6DC9CB4A1A8794C8B 238BFE6AF84E4194F1E02DCA9819AFA6CAE87973 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\step_1moz_win[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced 3CFDF3F5C2E771C25383AC7B50D90C00 2FBE004BBEBA40BD8EBD518EB8015A1E44F0CF4F 36DC7C37393EE468E4EFD16B9A DB37D5937B0BEB5CD01F628A A928A83D5FCC019DABCB06DC7FC427C758C683D7E06897C371C31AD8A9D E75321BD48789DC1F2 08FF6A89BBCF8B13C59497A736C6618B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\step_2ch_win[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced 2AD0A264A53516F31B3CD595C7A69FD3 3A162585B2150E28EC53F5F5D4F C 00E13EF52545E82FA4D31907EF274A76D7755E102B10029A54B2A650C6D380A C65E3A07EC094FE28C C ABCF5303E5BC99E2CB6A2596CBBC BA CE46BD566DFD8BE AFFF69DF14D9D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\step_2moz_win[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced C2126AB53E81ED840A8EB3DC063E1013 A6F019FEB52C A76AB752A9AF85FA5990 D7187AEACACD4D14C0E0B31C2D3686A10E334E61A4A8B3C64DD38AED62EBA4D1 9D3F3865AECD017EAA A ECDA37EAB21AD3DE6ADC739DA6C776E30EC8760E3CFB6AF028E192 2F3F915373A8F63303E698D29580FEA4E8C016F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\uninstall[1].htm HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators Copyright Joe Security LLC 2018 Page 15 of 54

16 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\uninstall[1].htm Size (bytes): 7014 Entropy (8bit): D7B7EE8EBA028DF3DDD96E A 2879C1EB8504D01AB3A22EF ABCDA0505 D14D9CF3A34B0C8F1ABD48C5EC29EB78F80FD5F1AEAE65EE5256EFB15ABD58E9 57B3AA4DEB7ED7B3626C6243F05D37F0390D3A1AA1FE72F94E8640CF9E8F26AC89067FD45FF DBE F1BA5E7A0CF D83725FF24AEDBD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\BZ0BJZ8L.htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode (with BOM) text, with very long lines 56D78CF6D4ABCA6EC1BAE6B3E0D30FA4 7D54BCA10BD91C7F22C22CE55CA097F0068B94DA A159812D6B5EA2DA93ECF1A F3AFC0F480FCDA978F89D1BC7D D 4F4BA95429EC1630A20516C513DDBB F5A9003AEC15CFC066C624B22407E8BFE7DF241D543DB099C D D07C235D530A126177C6CEB9DAB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\arrow[1].png Size (bytes): 3486 Entropy (8bit): PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced 07C61E2E0BE3B0BDD5526FA68679FA44 58BD6AFC FF7FE8F7DE93DE DCB 2493D582926C5A2F2045D44C5042CF9221B88E3F7C B D 86B E282B748D4FCBFB5E58C452D6D59B5B1C9F8457D5DFC55DCD5ECB570048CEB3478E27AC2FD 3AACCF314CDAB629B2DA89A4F C692D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\eula[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with CRLF line terminators 2DBA3FFFF1674C224C268D4E4E251C4B BE6CD D3F8F107070B7B1F5ECF FD84D0E41CB2BBEFF350FF5F6783DAC56ED99E3B657B8EC0B0AFB FE356E37E4D9EA5C1C3BCA59CD71FF656D23D6FC7B641E6BFA204C362535A313C35B0B4B D95CDF32F D4ECA54A8BB5C330E6D1F39CCCD308E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[2].ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B Copyright Joe Security LLC 2018 Page 16 of 54

17 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\js-2.2.3[1].js Size (bytes): Entropy (8bit): ASCII text, with very long lines, with CRLF line terminators BB46AF818426AE2C3EA4F6D70BF28E1E B692A3A177DDEAF5822F6B4A D218A9E63 75FB73EB E2B21B30812AE50511A2A398BE3652BD32BC2EC47A9 2301ACF5CBC6720F57160CA0D63B689B14EBC13F1E158F86AEF49AD8B56796DE601771AC8F8A3D3760AC07FDD B8FD6B9313F0B36426D2AA EEE9D4FA9E C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\privacy[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with CRLF line terminators E193DE DAA7378F4391E6880A FE70D61C966387F9C26CE2E44B7EB2F389E 025FF32981D19678AF37C0D99220A BF6D2724B683C5F2CAE4864E4C 425EA A2C03C38158D303517AE304EBE3A BF2637B272F F14D847ABDB4231ADE F72D AD AA4A2308C7CCA3 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\tos[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators AFA4E4E39F175D DC0A4 408D6B69671BDCDCEA01CDC50D2915E451CDDA95 E75C01999FA1304C6DC0C9902C1E528B990C0BDD72BBDA1A2200E3207CAC4A28 299E4915BB15BD54ED31E B40D99C44248F78FE01EAF577BF2898FF7ACF43DCF46DB9316DC7B5A8B8C4E CDFE0247A619A0D95E2CDF11D839B3DC18D23A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\affiliates[1].htm Size (bytes): Entropy (8bit): HTML document, UTF-8 Unicode text, with CRLF line terminators 88C634CB2B2CAC579BAC3896E3E0E594 BBA46490A519289B13E646F68034FE94C1E97CC E9E87E8D50898F1F329E44997D03AD83110F8A9EF500CB5BB6E2FE1F C56F44DA7AD69769C7DF89A7C54803F01E3774C5A940CA05A1FA90EFBC799D63EA1E0B6ED3EAD3ECDCECEB67 405A782A2116A3B159C527C1A6625B445D4F4DC3 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\css[1].css Size (bytes): 474 ASCII text Entropy (8bit): DC000CDA1B81C1F87B3FB1BB53D00 C94202D64BAECE11E36A7659A092379DE3D5C97B EC2EC05470DCC81D20DD40431CE14952ED50553B4A91F B AACBA0F81CB957E4A428F5B8FFD7C082FDABA1E0D736FF9755D8A8A A9F A0F28EF37EA5 66C5C764F8D4C7C023843AC8E9CE7EFB Copyright Joe Security LLC 2018 Page 17 of 54

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\css[1].css C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\dl.min[1].js Size (bytes): 1836 Entropy (8bit): ASCII text, with very long lines, with no line terminators D28C723C4D3857CAC4EC0071AFD843C8 C54AC8DA9F89CE5F2113B037F4F61FCC4AE05BDD 1BCBDEE1992F8DBBC4C7F0254DAD16177C9B55B61362A526BC195021DCC6B43C B19367ABAC2494BD DB74B B9F8D538CA6CB0701AA508EA0884B3DD53A3B4ADD46CDE B1D30A7E5C8D48D23F0A4C62160D9E77C32ACE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\downloadmanager[1].htm Size (bytes): 3843 Entropy (8bit): HTML document, UTF-8 Unicode text, with CRLF line terminators DC B6D2321FE8C12DBC01D C6CD3F16B5CCB88E6761DE9D94A24CB2D9A43F D789C6C3B455842C3EFD BD95A217E6EE9F5327E2775EEEBE9CC4 782B CBCCFFCB B6B9E0AC65E90E7D227B8D541F844E E F39936DB8D87AC66 246B0413A4C9E2F5A03E34B240A941D8B7A3C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\mem5YaGs126MiZpBA-UN7rgOUuhv[1].woff Web Open Font Format, flavor 65536, length 18476, version 1.1 Size (bytes): Entropy (8bit): E AF47FC2B88F9335D19 B5F79D1934DA79C8A4BA381092DAD82FFB0582CB 5E03E0C CAB D75C219FCEC2B1E82A7C11797BA9B C332D1E9A6F222BC931131BC1E7C8914EC38FB0E6AA52F6BF4C1B08EB165323D025D7C FAD2BAE B0815E419BFCF5EB FB2D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\mem8YaGs126MiZpBA-UFVZ0d[1].woff Web Open Font Format, flavor 65536, length 17704, version 1.1 Size (bytes): Entropy (8bit): BF2D B7D75C35BDE69E01B3135 0E92462E402C D912A7B8BE303D0257D DDA27B80BB105FBC59B5973EF9889ED976ACA1FBE39F77688DCFF8C C9D19E1CB91481CD8F23A90FDD3BDC0058DC36E9A29E1D5C F359365B588B1EC0B9D22AE975EFF 9475EE662E93A0E BD0620CB307D44D9 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\mpp_setup_ [1].exe PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): Entropy (8bit): true D1C26FB0ADB462317BC5CAD35F0E55EE Copyright Joe Security LLC 2018 Page 18 of 54

19 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\mpp_setup_ [1].exe Antivirus: 0FC CD0DC153C842956DAF95760 A938D622C15A06B439BBCBC66CFF7155B82C83C2DD211379E259C473C755E57A E51A140CFC4475BE85C654E5F8FA994A348D66C33F7B46292DB5181BA7A595D FB083C758900C8D22 3BBC B65940AB40121D62BD7 true Antivirus: virustotal, Detection: 28%, Browse C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\stylenew[1].css Size (bytes): assembler source text Entropy (8bit): C3B A6A45E2B7A C3 8BB9CBD1EFF1B7ADB5A76AB3B6A5F28B07DCCAE C3CD183DF493AD3C E14FD A6FCADABF90876CCDD25 A6DEDEDB91A36BEDF3FE7A0C5CE03A DAB9301D DD47BA5E8DF0E8AAB3AA9E75F0AF5908F8B EEF C8D0504E D83B796DC5FC5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\urlblockindex[1].bin Size (bytes): 16 Entropy (8bit): data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\contact[1].htm Size (bytes): 8318 Entropy (8bit): HTML document, UTF-8 Unicode text, with CRLF line terminators 1C71E7B5B BF87FDCD417A2CD0 6A977DF09C312A8DF2F0819A105BD6AB23AB5F3F F7FAB23FD7A54EB7E971644F843C64814C61388EAA D4F44EAA5C D01B019EF2EB1DB687B3BCACC E8DC427F1FC F0A5CBA523A5C966C8 87CBB3C7645DB66E5F03FA1B99E7674DBB49C3 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\step_1edgeT[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced A2727BAA76AFA6FAD9E36B8660C096E8 62A2F23767D7FDBC68F29E458B085C179EEF2D9D 244D51C52BE8F4AEC58FE17D0383AF45245F410FCE160D0135A3CE173D51BCC1 6E9B2E3BE7B F04B09EE8F89F C2AAD5178F1C4F2CC0194FF4B9F0C EF9067C68C5DDC6 0AB72D3C39DE5A2DB D2D1FC94B8233 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\step_1edge_win[1].png Copyright Joe Security LLC 2018 Page 19 of 54

20 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\step_1edge_win[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced 9AC129AF C24A C D8F4CBE62FACA7FEDA91926FDDBAD38D9C 1AE1E057DEBC221E F15431C18D456C7FD7543FE8D968B1797A19AB DFBF26C0CDC83E39ED104BA1BEB66669EDCBEED4B3B7FB850923DF620429AC0A31BA8AF E0B49F 24EF F16A204922C88E625BEF6CC4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\step_1saf_win[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced D69D5252F C85D100C05554B57 CD3D6CB37CBF41BF92AB8F6DF727BE2AA3E39FCF 2750E17782B11CB2D53A78FD8CFE909A57CCE7834D9F1D2B5ACA999F6D23638C 2E989ECE62D0ECDF0C24539C429C5829ED94621CCE0B4F52EF4CF77DF B979D06FBE658F87F 509AFC A60101DB6942F5AA7EC28DDD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\step_2edgeT[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced 16EC20241EB E4F51C E62313D0FFC720566F3F486D44033FE F6D6B968ABE38B00398D4B9BEC6909F2EEA0DD7752D43D7A5C04E63A31E 9FFAB588E54A2C64C45C4EF027BD5EAD1D1169B178A1DBD75ABED34F0DEA1ED173ADFC BF941CC E0E5EE76D05BA157B1F852C7AC378C03EAE40FF3 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\step_2edge_win[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced A08C0DDBC8370F ED7A537 C6EFA6A53B10CC29D31EAC311CE C9F B5F27C8524EB5C38F182A45ACDA474D2117B6AE6B618BA19A8B92ABCA4DE2 4E0B9DAE72B22F11779F9C1CC8424C06B1F39BEDAA9B17ECA1ED6E8D246F4D9BB B4F554E4D2EF71275 AB077C21AB2E A2CBF56F3A1678E09 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\step_2saf_win[1].png Size (bytes): Entropy (8bit): PNG image data, 710 x 267, 8-bit/color RGBA, non-interlaced 1BAD64BBF4CB0F A4C8B8360A1 BC57E4E75D39D5E16B26A128FC18D78D1575C7A1 59EEDA148701AB1739C450F45EBBC1ABED681B4E732342B52968C478F30C0EC0 B61B56CB1DB00CBCCB242AB91B F6C A82A ABF0E90D7CFD E0F83AC354FF364 BABDDF D8EC4BADDC E2971DAD Copyright Joe Security LLC 2018 Page 20 of 54

21 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\step_2saf_win[1].png C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\3T0QVTLY.txt Size (bytes): 109 ASCII text Entropy (8bit): AFCFA5AE7FA524A632AED AB6D0CC4325D5F75DDE70D9BAEE47B A82 6C0BF0B93AB67C35C8809FE90E393974FD109FFC9900C7699F5E083AB2E87EE7 BD4E38D78176AAC38C191D8862FC7CC1DB90B0206B0F620F8A98313FC304C211AD9648D1CB E8FA683E A3822A786FBCC8A9C6B432E25339CC3E8DCA28 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\QJIODP3R.txt Size (bytes): 309 ASCII text Entropy (8bit): A0DAF232B81C2EEAD8C43C2188D4 F597378BFA0963E86AAA3BD4320F6D3C87CF00EB 6B687ABA2CDC96E2D37A453C5C1006B5EC67D AC726C8B06C4A9C145DC FC27DA088EBBBF90C AE3FF366304C860BAA99F35C1F945E11784B74DF7FADA2E1138E61742E8DBBFCD A9067B44C68054FD6E B0DD3816FB1AA C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZKF9VIHE.txt Size (bytes): 210 ASCII text Entropy (8bit): E49BEC5B2C8B6C988DEA D EF262E2559CF4F018E1DA F A418B940008D58A657E E186083CC7E FAB22FE12C498993DD 8CD1FD7A5AE7DCDE436C27BD39BDA050D7A9EE790E6E381CAB4D0A300B4DC14FA0F442CB8B48AA23E4D5277 CE80655AD015DA20BF67FAA14AF3DEB5DC5232A48 \samr Size (bytes): 116 Entropy (8bit): Hitachi SH big-endian COFF object, not stripped 080E701E8B8E2E9C68203C150AC7C6B7 4EF B805758AE1D3B122F9D FE129AE2A7C F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D C11D88B8E355B7B922B B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719 D892B4C0D22BB67BE0D57EAB368BA1BC057E79 Contacted Domains/Contacted IPs Contacted Domains Copyright Joe Security LLC 2018 Page 21 of 54

22 Name IP Active Malicious Antivirus Detection Reputation true unknown alwaysup.readyhighcentercontent.website true unknown d179f8imisfuto.cloudfront.net true high true 0%, virustotal, Browse unknown js.dihogghotsoy.com true 1%, virustotal, Browse unknown cs9.wpc.v0cdn.net true 1%, virustotal, Browse unknown Contacted URLs Name vof8xk_1258_ &sid= ucq8puxktbasgagmhaeff2ouxfbqikipvephgbhq..&cid=egvof8xk_1258_ &sid=39&v_id=efwbfyxd Rk6Xc37GhC6BSwm0YobyCWlYufP9NXIUD_o Process cnx8ob359xllh3roysgvcofgxrj5gvr+wvkd0xrca+2vsztye9xu9petprnaj1qn6+9zvlvpyijfstz+k4ydy+5w8h omfc5cmc2pgxodjmmozy8prbdr4oogm_wfaax8rcyhkcrt5no+nnxo4+hmuqzpr2y7lrvimz4d3fvr_9utcr8i4yf6 i_aabad5qp3izxeym_r5tpcx8jb3gccdhzofy7gpj3dyylqk+0yjeekbe0nqgb6vyxtggf2wz_ofbcelmab+6lpphw bndq3gh+czbmswcxquad9tlknpujkcrdz6ug1_lxdnniqkqotu+2w9dhw_c_n7ccmbkyp+opdyyrfhdh o9c1illdo4egpw5puzizmjyv5h8+mwbyqltqclb48eo0caejcxqxh0vw5ltm_t+2ypxwx+aluug85ee5erqsaiqiv7 h6qta2fyjs5zhygl8mrssqqwr9zfbcye9ddqsvqniejga044gs9hnggsnoczmoc7tlcgkhzfkqljy3nyoja+f7jn5i squhwzca5jczat9tee3sqz9un2n1_jfrzlivkipilwcj2zkck7jxlqhwnlhynwrzrwwdp_nfmtg15fkawybtkbt1g4 4WOPcnF9YLXqVB1TJ8BAo6CRQ+XPSsp0zCfosS+GEeJ3DOISZWCxV4AztY39WKtX2gTSWnHnzBMaVhFx JmRJBHKpx_ZIIya8Wgqh0Q95buZoX1nvWlBuoIGgj2Ge64FeUt9itpgoCj6kqmLXaxJ+cUp1vk6FoYZk3GLoNkDD5v ZAfG7LP1qodbo7GFyFnnwfuKbjQjQguB5NAhWIZysh5Nho3kGzoHYC7GiaWoP8q+wZ5OTY2D66ZmMPvCQ1dqztXuLs MWt+hdEmB8JTxCAZHA0oxrdDBmRXkvGOuRoejC4+iOJviCGllVhnySQBh_IbqMuA77hrXketlXxFpIi+UdUck4OIn7 ung1+mequzdvr77n_63ctlxd6cmxtnjwzkdpkvluuukx5991sds_qkkbvnv8zeierzyfvpbq+wxontjb3qun0kqsbi x_2x8dzs9f0tiznpdwm1ajdaswlhz2e++zgcu_8qucetnpdewuw==-g4cbagtitdu2blg8fuxefrukbw4oowd_l1ca mvmwmxa2rtarawx5sz42ezgm5diyvt5xhgi9icekf60j+l1smf82dkbuzgunguts4lx+9ryjyccxot60fl06fbxnwb IYALC61RDR3b3DW6vjBMdNe8QxcJPRsuzDMVOZabJ3j4IDkEfLk2u9E+0TmBH0gbaxkSawlcf+8R70S+s5+LNRM0Zv UfXxRChF9n70KQQq8M0+m2JOiObQ4R2700WIWM_jzNnWBArMyqVkdMP26XAFOhtKo2sp_Z_q5qDruOhOMkd_sAAIpc lao0i74v q_h6j3henn5dwnuysvi4y9o7w5m0d+dnra1cbyj0pbkc0xw2vg1i+xw9x0wi_davphskpmtdm62_zi8h Ng49PfZ0mvyu6p2T1CVTg09L0NTFebPRdr0C rvwoburucq8puxktbasgagmhaeff2ouxfbqikipvephgbhq..&conversion_id= &app_id=175&lp_id=2613 &v=icrevk&stub_name=1855&v_id=efwbfyxdrk6xc37ghc6bswm0yobycwlyufp9nxiud_o.&lpp=%2a-%2a-%2a &cid=egvof8xk_1258_ &sid=39 Contacted IPs Copyright Joe Security LLC 2018 Page 22 of 54

23 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Country Flag ASN ASN Name Malicious United States AMAZON-02-AmazoncomIncUS United States 1326 ANSBB-ASNNET-1- AdvancedNetworksServicesIncUS United States AMAZON-02-AmazoncomIncUS France AS12876FR United Kingdom AS12876FR United States AMAZON-02-AmazoncomIncUS Static File Info No static file info Network Behavior Network Port Distribution Total Packets: (HTTP) 53 (DNS) Copyright Joe Security LLC 2018 Page 23 of 54

24 TCP Packets Source Port Dest Port Source IP Dest IP 22:02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: Copyright Joe Security LLC 2018 Page 24 of 54

25 Source Port Dest Port Source IP Dest IP 22:02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: UDP Packets Source Port Dest Port Source IP Dest IP 22:02: :02: :02: :02: Copyright Joe Security LLC 2018 Page 25 of 54

26 Source Port Dest Port Source IP Dest IP 22:02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :02: :03: :03: :03: :03: :03: :03: :03: :03: :03: :03: DNS Queries Source IP Dest IP Trans ID OP Code Name Type Class 22:02: x2622 Standard query (0) dyforsyste mupgrading.win A (IP address) IN (0x0001) 22:02: xa93e Standard query (0) alwaysup.r eadyhighce nterconten t.website A (IP address) IN (0x0001) 22:02: x802f Standard query (0) js.dihoggh otsoy.com A (IP address) IN (0x0001) 22:02: x9564 Standard query (0) d179f8imis futo.cloud front.net A (IP address) IN (0x0001) 22:03: x9e76 Standard query (0) alwaysup.r eadyhighce nterconten t.website A (IP address) IN (0x0001) 22:03: x8704 Standard query (0) werapps.com A (IP address) IN (0x0001) DNS Answers Source IP Dest IP Trans ID Replay Code Name CName Address Type Class x2622 No error (0) 22:02: dyforsyste mupgrading.win 22:02: xa93e No error (0) alwaysup.r eadyhighce nterconten t.website x802f No error (0) js.dihoggh 22:02: otsoy.com x802f No error (0) js.dihoggh 22:02: otsoy.com x802f No error (0) js.dihoggh 22:02: otsoy.com A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) Copyright Joe Security LLC 2018 Page 26 of 54

27 Source IP Dest IP Trans ID Replay Code Name CName Address Type Class x802f No error (0) js.dihoggh 22:02: otsoy.com 22:02: :02: :02: :02: :03: x9564 No error (0) d179f8imis futo.cloud front.net x9564 No error (0) d179f8imis futo.cloud front.net x9564 No error (0) d179f8imis futo.cloud front.net x9564 No error (0) d179f8imis futo.cloud front.net x9e76 No error (0) alwaysup.r eadyhighce nterconten t.website x8704 No error (0) 22:03: werapps.com x8704 No error (0) 22:03: werapps.com x8704 No error (0) 22:03: werapps.com x37a1 No error (0) ie9comview 22:03: vo.msecnd.net x37a1 No error (0) cs9.wpc.v0 22:03: cdn.net cs9.wpc.v0cdn.net A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) CNAME (Canonical name) IN (0x0001) A (IP address) IN (0x0001) HTTP Request Dependency Graph alwaysup.readyhighcentercontent.website js.dihogghotsoy.com d179f8imisfuto.cloudfront.net HTTP Packets Session ID Source IP Source Port Destination IP Destination Port Process :02: OUT GET /?b9zd1=men-kjphboiyhbjalzvidwqxpjrho6fm45i1grciuho.&cid=egvof8xk_1258_ &sid=39 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Host: 22:02: IN HTTP/ Found Server: nginx Date: Mon, 20 Aug :02:53 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Location: yctrvwoburucq8puxktbasgagmhaeff2ouxfbqikipvephgbhq..&cid=egvof8xk_1258_ &sid=39&v_i d=efwbfyxdrk6xc37ghc6bswm0yobycwlyufp9nxiud_o. Data Raw: 30 0d 0a 0d 0a Data Ascii: 0 Session ID Source IP Source Port Destination IP Destination Port Process Copyright Joe Security LLC 2018 Page 27 of 54

ID: Cookbook: browseurl.jbs Time: 16:09:48 Date: 05/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:09:48 Date: 05/02/2018 Version: ID: 45097 Cookbook: browseurl.jbs Time: 16:09:48 Date: 05/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature