ID: Sample Name: CCS Projects.pdf Cookbook: defaultwindowspdfcookbook.jbs Time: 19:48:41 Date: 14/06/2018 Version:


ID: 64084 Sample Name: CCS Projects.pdf Cookbook: defaultwindowspdfcookbook.jbs Time: 19:48:41 Date: 14/06/2018 Version: 22.0.0

Table of Contents

Analysis Report; Overview; General Information; Detection; Confidence; Classification; Analysis Advice; Signature Overview; Software Vulnerabilities; Networking; System Summary; HIPS / PFW / Operating System Protection Evasion; Anti Debugging; Malware Analysis System Evasion; Hooking and other Techniques for Hiding and Protection; Language, Device and Operating System Detection; Behavior Graph; Simulations; Behavior and APIs; Antivirus Detection; Initial Sample; Dropped Files; Unpacked PE Files; Domains; URLs; Yara Overview; Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs; Joe Sandbox View / Context; IPs; Domains; ASN; Dropped Files; Screenshots; Startup; Created / dropped Files; Contacted Domains/Contacted IPs; Contacted Domains; Contacted URLs; Contacted IPs; Public; Private; Static File Info; General; File Icon; Static PDF Info; General; Keywords; Statistics; Network Behavior; Network Port Distribution; TCP Packets; UDP Packets; DNS Queries; DNS Answers; HTTP Request Dependency Graph; HTTP Packets; HTTPS Packets; Code Manipulations; Statistics; Behavior; System Behavior

Analysis AcroRd32.exe PID: 3480 Parent PID: 2984: General; File Activities; File Created; File Moved; Registry Activities; Key Created; Key Value Created
Analysis AcroRd32.exe PID: 3532 Parent PID: 3480: General; File Activities; File Created; File Deleted; File Moved; Registry Activities
Analysis iexplore.exe PID: 3748 Parent PID: 3480: General; File Activities; Registry Activities
Analysis iexplore.exe PID: 3804 Parent PID: 3748: General
Analysis RdrCEF.exe PID: 3856 Parent PID: 3480: General
Analysis ssvagent.exe PID: 4028 Parent PID: 3804: General
Analysis RdrCEF.exe PID: 2648 Parent PID: 3856: General
Analysis RdrCEF.exe PID: 2380 Parent PID: 3856: General
Analysis iexplore.exe PID: 1960 Parent PID: 3748: General
Analysis iexplore.exe PID: 2020 Parent PID: 3748: General
Analysis iexplore.exe PID: 3672 Parent PID: 3748: General
Analysis iexplore.exe PID: 3700 Parent PID: 3480: General

Disassembly; Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 64084
Start time: 19:48:41
Joe Sandbox Product: CloudBasic
Start date: 14.06.2018
Overall analysis duration: 0h 14m 59s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: CCS Projects.pdf
Cookbook file name: defaultwindowspdfcookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winpdf@23/91@16/7
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Failed

Cookbook Comments:
Adjust boot time
Correcting counters for adjusted boot time
Found application associated with file extension: .pdf
Found PDF document
Simulate clicks
Close Viewer
URL browsing timeout or error

Warnings:
Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): WmiPrvSE.exe, dllhost.exe
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.

Detection

Strategy    Score  Range  Reporting       Detection
Threshold   48     0-100  Report FP / FN

Confidence

Strategy    Score  Range  Further Analysis Required?  Confidence
Threshold   5      0-5

Classification

[Classification chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: clean, suspicious, malicious]

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Software Vulnerabilities:
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Networking:
IP address seen in connection with other malware
Downloads files
Downloads files from webservers via HTTP
Found strings which match to known social media urls
Performs DNS lookups
Urls found in memory or binary data
Uses HTTPS

System Summary:
Potential malicious clickable URLs found in PDF
Contains functionality to call native functions
Searches the installation path of Mozilla Firefox
Classification label
Clickable URLs found in PDF
Creates files inside the user directory
Creates temporary files
Reads ini files
Reads software policies
Spawns processes
Uses an in-process (OLE) Automation server
Found graphical window changes (likely an installer)
Uses new MSVCR Dlls
Binary contains paths to debug symbols
PDF has a JavaScript or JS counter value indicative for goodware
PDF has an EmbeddedFile counter value indicative for goodware

HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
Checks if the current process is being debugged

Malware Analysis System Evasion:
Queries keyboard layouts

Hooking and other Techniques for Hiding and Protection:
Disables application error messsages (SetErrorMode)

Language, Device and Operating System Detection:
Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph: ID: 64084, Sample: CCS Projects.pdf, Startdate: 14/06/2018, Architecture: WINDOWS, Score: 48. Signature shown: Potential malicious clickable URLs found in PDF. Processes shown: AcroRd32.exe, iexplore.exe, RdrCEF.exe, ssvagent.exe. Hosts shown: cs9.wpc.v0cdn.net, graciously.tk, ow.ly, gstaticadssl.l.google.com, googleadapis.l.google.com, www3.l.google.com, 192.168.2.255, and 15 other IPs or domains.]

Simulations

Behavior and APIs

Time      Type             Description
19:49:43  API Interceptor  932x Sleep call for process: AcroRd32.exe modified
19:50:01  API Interceptor  6823x Sleep call for process: iexplore.exe modified
19:50:05  API Interceptor  1x Sleep call for process: RdrCEF.exe modified
19:50:07  API Interceptor  1x Sleep call for process: ssvagent.exe modified

Antivirus Detection

Initial Sample
No Antivirus matches

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains (Detection, Scanner)
googleadapis.l.google.com  0%  virustotal
gstaticadssl.l.google.com  0%  virustotal
a767.dspw65.ak  0%  virustotal
cs9.wac.phicdn.net  0%  virustotal
ow.ly  3%  virustotal
a1621.g.ak  0%  virustotal
www3.l.google.com  0%  virustotal
a1363.dscg.ak  0%  virustotal
cs9.wpc.v0cdn.net  1%  virustotal
crl.pki.goog  0%  virustotal
ocsp.pki.goog  0%  virustotal
fonts.googleapis.com  0%  virustotal
fonts.gstatic.com  0%  virustotal

URLs (Detection, Scanner)
http://ocsp.pki.goog/gsr2/me4wtdbkmegwrjajbgurdgmcgguabbtgxisxbvr2lbkppoievre6ghlcnaqum%2bihv2cchsbqbt5ztjot39wzhi4cdqhjqtac%2fhigod%2baux0%3d  0%  virustotal
http://crl.pki.goog/gsr2/gsr2.crl  0%  virustotal
http://ocsp.pki.goog/gtsgiag3/mekwrzbfmemwqtajbgurdgmcgguabbt27bbjyjkbmjx2jxwgnqJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCBkI1RFpfx7k  0%  virustotal
http://crl.pki.goog/gtsgiag3.crl  0%  virustotal

Yara Overview

Initial Sample
No yara matches

PCAP (Network Traffic)
No yara matches

Dropped Files
No yara matches

Memory Dumps
No yara matches

Unpacked PEs
No yara matches

Joe Sandbox View / Context

IPs, Domains, ASN
Columns: Match, Associated Sample Name / URL, SHA 256, Detection, Link, Context

Dropped Files
No context

Startup Copyright Joe Security LLC 2018 Page 16 of 109

System is w7
AcroRd32.exe (PID: 3480 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\CCS Projects.pdf' CB6643A25A7ACF3DDEEF0B94DFE17A01)
AcroRd32.exe (PID: 3532 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer 'C:\Users\user\Desktop\CCS Projects.pdf' cleanup CB6643A25A7ACF3DDEEF0B94DFE17A01)
iexplore.exe (PID: 3748 cmdline: '' http://ow.ly/80aa30kv15x CA1F703CD665867E8132D2946FB55750)
iexplore.exe (PID: 3804 cmdline: '' SCODEF:3748 CREDAT:275457 /prefetch:2 CA1F703CD665867E8132D2946FB55750)
ssvagent.exe (PID: 4028 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A0264879FD1E655B75B63B9083B7)
iexplore.exe (PID: 1960 cmdline: '' SCODEF:3748 CREDAT:340994 /prefetch:2 CA1F703CD665867E8132D2946FB55750)
iexplore.exe (PID: 2020 cmdline: '' SCODEF:3748 CREDAT:799753 /prefetch:2 CA1F703CD665867E8132D2946FB55750)
iexplore.exe (PID: 3672 cmdline: '' SCODEF:3748 CREDAT:275465 /prefetch:2 CA1F703CD665867E8132D2946FB55750)
RdrCEF.exe (PID: 3856 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16448250 7AFD03A53C1FE02E04974C9D99B1CF67)
RdrCEF.exe (PID: 2648 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --primordial-pipe-token=2ff651452d27B6ABE2B0926580CC0163 --lang=en-us --lang=en-us --log-file='c:\program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --productversion='readerservices/17.9.20044 Chrome/58.0.3029.6' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtchw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=2ff651452d27b6abe2b0926580cc0163 --renderer-client-id=2 --mojo-platform-channelhandle=1172 --allow-no-sandbox-job /prefetch:1 7AFD03A53C1FE02E04974C9D99B1CF67)
RdrCEF.exe (PID: 2380 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --primordial-pipe-token=bb18846de79238A50F315613DAE5498F --lang=en-us --lang=en-us --log-file='c:\program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --productversion='readerservices/17.9.20044 Chrome/58.0.3029.6' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtchw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=bb18846de79238a50f315613dae5498f --renderer-client-id=3 --mojo-platform-channelhandle=1320 --allow-no-sandbox-job /prefetch:1 7AFD03A53C1FE02E04974C9D99B1CF67)
iexplore.exe (PID: 3700 cmdline: '' http://ow.ly/80aa30kv15x CA1F703CD665867E8132D2946FB55750)

Created / dropped Files

Copyright Joe Security LLC 2018 Page 17 of 109
