ID: Sample Name: Zipongo Value for Investment_ Theresa & Year 1 ROI vs. treatment costs.pdf Cookbook: defaultwindowspdfcookbook.

Transcription

1 ID: Sample Name: Zipongo Value for Investment_ Theresa & Year 1 ROI vs. treatment costs.pdf Cookbook: defaultwindowspdfcookbook.jbs Time: 20:35:00 Date: 24/04/2018 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Software Vulnerabilities: Networking: System Summary: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info General File Icon Static PDF Info General Keywords Statistics Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers Copyright Joe Security LLC 2018 Page 2 of 484

3 HTTP Request Dependency Graph HTTP Packets HTTPS Packets Code Manipulations Statistics Behavior System Behavior Analysis AcroRd32.exe PID: 3840 Parent PID: 3316 General File Activities File Created Registry Activities Key Created Key Value Created Analysis AcroRd32.exe PID: 3896 Parent PID: 3840 General File Activities File Created File Deleted Registry Activities Analysis RdrCEF.exe PID: 2144 Parent PID: 3840 General File Activities File Written File Read Registry Activities Analysis iexplore.exe PID: 2208 Parent PID: 3840 General File Activities Registry Activities Analysis iexplore.exe PID: 3404 Parent PID: 2208 General Analysis RdrCEF.exe PID: 4048 Parent PID: 2144 General Analysis RdrCEF.exe PID: 2340 Parent PID: 2144 General Disassembly Code Analysis Copyright Joe Security LLC 2018 Page 3 of 484

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 20:35:00 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 10m 23s light Zipongo Value for Investment_ Theresa & Year 1 ROI vs. treatment costs.pdf defaultwindowspdfcookbook.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 12 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout MAL mal56.expl.winpdf@13/521@133/88 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Successful, ratio: 100% HDC Information: Cookbook Comments: Failed Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension:.pdf Found PDF document Simulate clicks Security Warning found Click Allow Close Viewer Browsing link: Real link is: Copyright Joe Security LLC 2018 Page 4 of 484

5 Warnings: Show All Exclude process from analysis (whitelisted): WmiPrvSE.exe, svchost.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing network information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Classification Copyright Joe Security LLC 2018 Page 5 of 484

6 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Signature Overview Vulnerabilities Software Networking Summary System Analysis System Evasion Malware and other Techniques for Hiding and Protection Hooking Language, Device and Operating System Detection Copyright Joe Security LLC 2018 Page 6 of 484

7 Click to jump to signature section Software Vulnerabilities: Potential document exploit detected (performs DNS queries with low reputation score) Potential document exploit detected (performs DNS queries) Potential document exploit detected (performs HTTP gets) Potential document exploit detected (unknown TCP traffic) Networking: Domain name seen in connection with other malware Connects to many different domains IP address seen in connection with other malware Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Uses HTTPS System Summary: Potential malicious clickable URLs found in PDF Contains functionality to call native functions Classification label Clickable URLs found in PDF Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Sample is known by Antivirus (Virustotal or Metascan) Spawns processes Uses an in-process (OLE) Automation server Uses Rich Edit Controls Found graphical window changes (likely an installer) Uses new MSVCR Dlls Binary contains paths to debug symbols PDF has a JavaScript or JS counter value indicative for goodware PDF has an EmbeddedFile counter value indicative for goodware Malware Analysis System Evasion: Copyright Joe Security LLC 2018 Page 7 of 484

8 May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Language, Device and Operating System Detection: Queries the cryptographic machine GUID Behavior Graph Behavior Graph ID: Sample: Zipongo Value for Investment_ Theresa & Year 1 ROI vs. tr... Startdate: 24/04/2018 Architecture: WINDOWS Score: 56 crl.godaddy.com Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values Potential malicious clickable URLs found in PDF Domain name seen in connection with other malware Potential document exploit detected (performs DNS queries with low reputation score) Number of created Files Visual Basic Delphi AcroRd32.exe Java Net C# or VB.NET C, C++ or other language started started started Is malicious AcroRd32.exe RdrCEF.exe iexplore.exe , 49185, 49186, GOOGLE-GoogleIncUS x.ss2.us 95 other IPs or domains started started started United States RdrCEF.exe RdrCEF.exe iexplore.exe contextual.media.net , 443, 49393, ZAYO-6461-ZayoBandwidthIncUS United States b92.yahoo.co.jp , 443, 49310, YAHOO-JP-AS-APYahooJapanJP Japan 85 other IPs or domains Simulations Behavior and APIs Time Type Description 20:35:28 API Interceptor 1041x Sleep call for process: AcroRd32.exe modified 20:35:46 API Interceptor 2x Sleep call for process: RdrCEF.exe modified 20:35:46 API Interceptor 1490x Sleep call for process: iexplore.exe modified Antivirus Detection Initial Sample Copyright Joe Security LLC 2018 Page 8 of 484

9 Source Detection Scanner Label Link Zipongo Value for Investment_ Theresa & Year 1 ROI vs. treatment costs.pdf 0% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Source Detection Scanner Label Link ssum-sec.casalemedia.com 0% virustotal Browse crl.rootca1.amazontrust.com 0% virustotal Browse pixel.quantserve.com 0% virustotal Browse eb2.3lift.com 0% virustotal Browse global.ib-ibi.com 0% virustotal Browse bh.contextweb.com 0% virustotal Browse pixel.mathtag.com 0% virustotal Browse fls.doubleclick.net 0% virustotal Browse tags.bluekai.com 0% virustotal Browse 0% virustotal Browse trc.taboola.com 0% virustotal Browse pixel.advertising.com 0% virustotal Browse 0% virustotal Browse secure.adnxs.com 0% virustotal Browse s.amazon-adsystem.com 0% virustotal Browse crl.godaddy.com 0% virustotal Browse loadm.exelator.com 0% virustotal Browse dsum-sec.casalemedia.com 0% virustotal Browse vimeo.com 0% virustotal Browse f.vimeocdn.com 0% virustotal Browse u3s.mathtag.com 0% virustotal Browse crl.pki.goog 0% virustotal Browse crl.sca1b.amazontrust.com 0% virustotal Browse x.ss2.us 0% virustotal Browse match.sharethrough.com 0% virustotal Browse ocsp.rootg2.amazontrust.com 0% virustotal Browse ocsp.sca1b.amazontrust.com 0% virustotal Browse odr.mookie1.com 0% virustotal Browse ocsp.int-x3.letsencrypt.org 0% virustotal Browse secure.gravatar.com 0% virustotal Browse ads.yahoo.com 0% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Copyright Joe Security LLC 2018 Page 9 of 484

10 Unpacked PEs No yara matches Joe Sandbox View / Context IPs Match Associated Sample Name / URL SHA 256 Detection Link Context ow.ly/u8cg30gnek9 malicious Browse ad.yieldma nager.com/pixel? id= &t= e.fedex.com/?qs=affd fe0585e497fced508cd8 f296887c27f77fe33c6a 1a927dbac9a246938b3f 85d13bbf568d489b9659 0ca1aef c3fe e413ce1d45369 f i111.tripod.com/ urityhelpdeskunit.fl azio.com marwadiparinay.com malicious Browse ads.blueli thium.com/pixel? id= &t=2 00ef9edb Scan001.pdf owbe4.com/a/1022/cli ck/583/ /b0b95 ee283cb9cc9fc41475b7 77a158c4a77b943/c87b baf38d4b29945b7da12c 092baef68324febe ab.com malicious Browse malicious Browse bh.context web.com/bh/rtset? do=add&pid= &ev=Q J malicious malicious ebfe29a473bdfda517a950e5edc2 malicious 9ecaf16edba2e62a1c23f92fab0b ac4ec988 malicious malicious malicious malicious Browse Browse Browse Browse Browse Browse Browse malicious Browse dmp.adform.net/serving/cookie/ match/?cc= 1&party=1009 Domains Match crl.rootca1.amazontrust.com Associated Sample Name / URL SHA 256 Detection Link Context com/rtop_setup.exe com.br/fgaspari_anti go/ _mkt/parcela s_vencidas/g ustavoh enrique/about-fr.php? science=s28na6a1wd3 malicious Browse malicious Browse Copyright Joe Security LLC 2018 Page 10 of 484

11 Match Associated Sample Name / URL SHA 256 Detection Link Context brary.com/relay/?rel aystate= bizlibrary.com/learn ing/?playlist/shared Playlists/1d21d6c b-a660-2deb55 685e9e org.es/index.html imecast.com/s/v68aco 7mzSp8JJzBtErub5 m/tt/7982e396a30be48 7d52872fd121ee /6f9d2976f69cdf 1ec152cfcc7d66e036/e 6b d27ffd99d51 6fd374e0795/app.smar tsheet.com/b/home?tg =explore&utm_source= marketo&ut m_medium=e mail&utm_campaign=ne wsletter&mem=button& mkt_tok=eyjpijoitlro ak9eqmhorf UyTW1JdyIsInQiOiJPS1 hcl0dndsts ZjZwd2NFVD JQOXN6TFhC RXYwdHRYMV NpcEJxcjg4 N2E5VGdRa0 Q4RGhoeTVt R0w5a2FBcW 5cL2xWd1Bj cxhxqlqzuf IyeHQreFdq dhltrgjkddczuytic0c5 bgxrbgdnkzcyythjr3lo Nm5nTWZBUl VPTTlBcXR4In0%3D qs=81c82a99b40eb 1e841048d373fa e9a94aec2f6644ed7661 8dd950c7fc0bf839cdaf 32442b7c4d365047e5c ef315a255e5d41 ostads4cash net/souplink.png l.ru/question/ Southgate, MI Apartm ents for Rent - real tor.com#uae.html er.broadridge.com/ e.aws/win/releases/c hime exe ostads4cash Po for parts.html ed.com/download.php# hashgenerator 17I bat malicious Browse malicious Browse malicious Browse malicious Browse malicious Browse malicious Browse malicious Browse malicious Browse malicious Browse a25e8dc9589be0cf3b b malicious Browse e56deff3ef47211b95ce684f4d22 8fdec076 malicious Browse malicious Browse malicious Browse c3bfa7f99005d631deb6e5b malicious Browse c bc981aaefa08c2fca5 e18fb30f malicious Browse cb7117c037350cb891597a546d malicious Browse b0a84e1dc4646d97ae5f0a8258 9b7d2932af ssum-sec.casalemedia.com wccftech.com malicious Browse Copyright Joe Security LLC 2018 Page 11 of 484

12 Match YXOpwUgugb.exe b61ce3d5d75fe4a cdfa malicious Browse c47ba6543fc568ab3293ed339 83ff717d8 malicious Browse malicious Browse malicious Browse malicious Browse malicious Browse malicious Browse global.ib-ibi.com malicious Browse pixel.mathtag.com ed.com/download.php# hashgenerator 45DOC p df.exe rc=system- -outl ookplugin-new&utm_me dium=system- &ut m_source=outlookplug in-new discount_50_ pdf malicious Browse db af19f0f190538b5 malicious Browse dd51abb75dc73e495b5bae f004edf malicious Browse a427a959dff52b2edae3ee2f99fc4 malicious Browse bb78548c a4c6ac8 fd3cc9ec malicious Browse pixel.quantserve.com wccftech.com malicious Browse i111.tripod.com/ malicious Browse malicious Browse lethat.com/ Southgate, MI Apartm ents for Rent - real tor.com#uae.html ndment.org/wp-admin/ includes/ofiice malicious Browse a25e8dc9589be0cf3b b malicious Browse e56deff3ef47211b95ce684f4d22 8fdec076 malicious Browse ow.ly/u8cg30gnek9 malicious Browse Med.pdf SUPERsetup.exe yolasite.com/ b4080ca1bc9f90b53d123 malicious Browse a7fc c40b086ac1 5e1d998a8d e0dbe12c f4d555368a8 malicious Browse b41ac938b373afb4f f0f7 6536e62f malicious Browse malicious Browse bh.contextweb.com wccftech.com malicious Browse eb2.3lift.com Associated Sample Name / URL SHA 256 Detection Link Context i111.tripod.com/ malicious Browse malicious Browse malicious Browse rc=system- -outl ookplugin-new&utm_me dium=system- &ut m_source=outlookplug in-new eerbuilder.com/share /setpassword? =m scott%40peoplescout. com&token=prp6yykcba 0sl4zhcxhim6xfkmieuj d1jz2taoy8nkzmve malicious Browse malicious Browse ow.ly/u8cg30gnek9 malicious Browse ASN Copyright Joe Security LLC 2018 Page 12 of 484

13 Match Associated Sample Name / URL SHA 256 Detection Link Context AUTOMATTIC-AutomatticIncUS wccftech.com malicious Browse HSFO specification.exe 4b8eabdc3f25cf0a2d797a6dc18f malicious Browse cc8e2ed58e7df4763f48daff3 bd717d3 empireofdeceit.com malicious Browse ementserve.com/bhar. htm&data=01 59PO3390.exe sample-1.exe sample-1.exe sample-2.exe sample-2.exe sample-2.exe sample-2.exe m/presentaciones/org anizacion/images/res ources7.php?weight=u aphmw100b33a 15Verification.exe malicious Browse dd3f6093ce8873c6a99facf2 malicious Browse e3bb2f1e23ebd664373a913 a18088bab 7983a c70e3da2da80f malicious Browse d3352ebc90de7b8c4c427d484ff4 f050f0aec 7983a c70e3da2da80f malicious Browse d3352ebc90de7b8c4c427d484ff4 f050f0aec 0fa fca6c562cfa389ad3e malicious Browse f44c72fd128d7ba08579a69 aaf3b126 0fa fca6c562cfa389ad3e malicious Browse f44c72fd128d7ba08579a69 aaf3b126 0fa fca6c562cfa389ad3e malicious Browse f44c72fd128d7ba08579a69 aaf3b126 0fa fca6c562cfa389ad3e malicious Browse f44c72fd128d7ba08579a69 aaf3b126 malicious Browse b15c302725edda6039ff57187ee malicious Browse fba8944beb2ab718cc2a4a9c429f ab2f079d dineroenlaweb.com.co malicious Browse SWIFT SCAN pdf.exe 49Payment Swift.exe 1fb42894a9e493386a586c149f61 malicious Browse e8597d2c584c6a17c675e90948d 756e6b15f e140e0f21c2556b1a081 malicious Browse f4ba471090b9c645b1cb e2c2c malicious Browse Recieving Bank Det ails.pn.exe 10Recieving Bank Det ails.pn.exe sample-1.exe f657923babd9b malicious Browse b1694be9edd8e78aabcb6c496 26a628d f7e51c24acf011c254a1a4c0e malicious Browse ab2b1363aba069c3c c a c70e3da2da80f malicious Browse d3352ebc90de7b8c4c427d484ff4 f050f0aec AMAZON-02-AmazoncomIncUS 53Payment.exe 753baf9f3312ab82986b62a35395 malicious Browse b8c0ac03ba6476bcf6a9f571a 21a41892 ao87si5uju.apk jones@ricohforensics.com 13orders exe 6341be988be00042c698511fd88 malicious Browse c97c618e6109afac40fdf5bed523 83bcdf18e malicious Browse b5aac54456a037d240f malicious Browse e9962db f4cb7fa3f6b09d ed258345f wccftech.com malicious Browse malicious Browse keyserimpactseries.com malicious Browse com.affinity.red_sox _ apk DashlaneInst.exe 69894f963d a4e4 malicious Browse c16c2e6c838db482abc1 0bb7a3453a 0cbf83f1b879561d0041a0fef26d5 malicious Browse c570a b9ca7ecd9e5ae 4d9474c4 Copyright Joe Security LLC 2018 Page 13 of 484

14 Match Associated Sample Name / URL SHA 256 Detection Link Context empireofdeceit.com malicious Browse PO# exe ics.be/kjsdch Proforma Invoice_d ocs.exe 66Bank Receipt.exe ddobeflpla yerbrsetembro F exe m/affiliate/referral.asp? site=rea&url=po p/en/ukc/1&aff_id=58 43_27027_1 9234_535127_1_357_ /educational/famzoo/ YXOpwUgugb.exe YxgDiqRWX.exe i111.tripod.com/ c6ec8728f7e909af51fa9a364a2f9 malicious Browse f61b5ec613dc37b18c95df2177f3 da9910b malicious Browse e765b41b0aa21f4e2313bd22 malicious Browse e9efb167b5ac8c2955f355f526aa ef6baaec1 8755e9c426db1f40ff1a68f100cb0 malicious Browse f33eb65a99b aad810bc4 0a5f9cb6 malicious Browse malicious Browse malicious Browse b61ce3d5d75fe4a cdfa malicious Browse c47ba6543fc568ab3293ed339 83ff717d8 60c5156e56e93c8ba14bee4af94 malicious Browse f2963be8c8d7bf469a892a1751d efd malicious Browse AMAZON-02-AmazoncomIncUS 53Payment.exe 753baf9f3312ab82986b62a35395 malicious Browse b8c0ac03ba6476bcf6a9f571a 21a41892 ao87si5uju.apk jones@ricohforensics.com 13orders exe 6341be988be00042c698511fd88 malicious Browse c97c618e6109afac40fdf5bed523 83bcdf18e malicious Browse b5aac54456a037d240f malicious Browse e9962db f4cb7fa3f6b09d ed258345f wccftech.com malicious Browse malicious Browse keyserimpactseries.com malicious Browse com.affinity.red_sox _ apk DashlaneInst.exe 69894f963d a4e4 malicious Browse c16c2e6c838db482abc1 0bb7a3453a 0cbf83f1b879561d0041a0fef26d5 malicious Browse c570a b9ca7ecd9e5ae 4d9474c4 empireofdeceit.com malicious Browse PO# exe ics.be/kjsdch Proforma Invoice_d ocs.exe 66Bank Receipt.exe ddobeflpla yerbrsetembro F exe m/affiliate/referral.asp? site=rea&url=po p/en/ukc/1&aff_id=58 43_27027_1 9234_535127_1_357_ c6ec8728f7e909af51fa9a364a2f9 malicious Browse f61b5ec613dc37b18c95df2177f3 da9910b malicious Browse e765b41b0aa21f4e2313bd22 malicious Browse e9efb167b5ac8c2955f355f526aa ef6baaec1 8755e9c426db1f40ff1a68f100cb0 malicious Browse f33eb65a99b aad810bc4 0a5f9cb6 malicious Browse malicious Browse Copyright Joe Security LLC 2018 Page 14 of 484

15 Match Associated Sample Name / URL SHA 256 Detection Link Context /educational/famzoo/ YXOpwUgugb.exe YxgDiqRWX.exe i111.tripod.com/ malicious Browse b61ce3d5d75fe4a cdfa malicious Browse c47ba6543fc568ab3293ed339 83ff717d8 60c5156e56e93c8ba14bee4af94 malicious Browse f2963be8c8d7bf469a892a1751d efd malicious Browse Dropped Files No context Screenshots Startup Copyright Joe Security LLC 2018 Page 15 of 484

16 System is w7 AcroRd32.exe (PID: 3840 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\Zipongo Value for Investment_ Theresa & Year 1 ROI vs. treatment costs.pdf' CB6643A25A7ACF3DDEEF0B94DFE17A01) AcroRd32.exe (PID: 3896 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer 'C:\Users\user\Desktop\Zipongo Value for Investment_ Theresa & Year 1 ROI vs. treatment costs.pdf' CB6643A25A7ACF3DDEEF0B94DFE17A01) RdrCEF.exe (PID: 2144 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor= AFD03A53C1FE02E04974C9D99B1CF67) RdrCEF.exe (PID: 4048 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --primordial-pipe-token=03a577419be D623DF412BAF079F5C2DC --lang=en-us --lang=en-us --log-file='c:\program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --productversion='readerservices/ Chrome/ ' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image -texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0, 3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3 553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,35 53;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;4,0,3553;4,1,3553;4,2,3553;4,3,355 3;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15, disable-accelerated-video-decode --disable-webrtchw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=03a577419bed623df412baf079f5c2dc --renderer-client-id=2 --mojo-platform-channelhandle= allow-no-sandbox-job /prefetch:1 7AFD03A53C1FE02E04974C9D99B1CF67) RdrCEF.exe (PID: 2340 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --primordial-pipe-token=f1bd74355f5 E84C56D6B3054C4A8A921 --lang=en-us --lang=en-us --log-file='c:\program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --productversion='readerservices/ Chrome/ ' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image -texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0, 3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3 553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,35 53;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;4,0,3553;4,1,3553;4,2,3553;4,3,355 3;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15, disable-accelerated-video-decode --disable-webrtchw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=f1bd74355f5e84c56d6b3054c4a8a921 --renderer-client-id=3 --mojo-platform-channelhandle= allow-no-sandbox-job /prefetch:1 7AFD03A53C1FE02E04974C9D99B1CF67) iexplore.exe (PID: 2208 cmdline: '' CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3404 cmdline: '' SCODEF:2208 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) cleanup Created / dropped Files C:\Users\SAMTAR~1\AppData\Local\Temp\JavaDeployReg.log Size (bytes): 89 ASCII text, with CRLF line terminators Entropy (8bit): Reputation: F8A0EDECEDD0C7766D1211D89EAA1111 8EDF61032A9DF79C35E944BD5E1CA DBF5 2488FDAD30E6A58DBF7DE0458F3DE580DE13791AFDA64EA567BCF2F9236C5C48 1AC249D7F88A6567C46C8391ED1C22C9E8D210EAFBAB1F98A2967F68C221F489C650BBFD369C872A76D350D047 5AFCE0EA93A E7C0FCA91998DB460 low C:\Users\SAMTAR~1\AppData\Local\Temp\dat2385.tmp Web Open Font Format, flavor 65536, length 1364, version 1.0 Size (bytes): 1364 Entropy (8bit): Reputation: FF1066A79C3873D668E75B39BF3CCFE7 7B3D9C726FFAF67BEF02D67A5A42CBBA0F02EF36 B432D575DD4D2CDFCFE7A3E624E352C37F829580DDA5E38C72F577C7EC1ACFDD 8C7D5AC0A74E234DF10B9653C6DA85BB5D83C0FC5A55DC0C0BCCD4FB829C423AB46F12030FF4C64EC6110A316 AE7E435EC0EC6BDCCCEF1C4B030FC9E low C:\Users\SAMTAR~1\AppData\Local\Temp\dat4CFE.tmp Web Open Font Format, flavor 65536, length 1364, version 1.0 Size (bytes): 1364 Entropy (8bit): FF1066A79C3873D668E75B39BF3CCFE7 7B3D9C726FFAF67BEF02D67A5A42CBBA0F02EF36 B432D575DD4D2CDFCFE7A3E624E352C37F829580DDA5E38C72F577C7EC1ACFDD Copyright Joe Security LLC 2018 Page 16 of 484

17 C:\Users\SAMTAR~1\AppData\Local\Temp\dat4CFE.tmp Reputation: 8C7D5AC0A74E234DF10B9653C6DA85BB5D83C0FC5A55DC0C0BCCD4FB829C423AB46F12030FF4C64EC6110A316 AE7E435EC0EC6BDCCCEF1C4B030FC9E low C:\Users\SAMTAR~1\AppData\Local\Temp\~DF4BAD5F902C TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): Reputation: F0BFAB89317E3F DDF157A8C F419643AE06FBA13C727BCE1C7210E553164B8CA 7712F4C255A16480B96C320EABCB640A0330B7D3BFD5083DDAFB93E3A4E446AC EC66072F8EEE7458D256D6B6ADB60C7C B626CCEAD2CA4D82CFD EB26B85077EC1C577D D971FAD16C5B370E02BCC74316E0BEC2EF5DDA8 low C:\Users\SAMTAR~1\AppData\Local\Temp\~DFA5F9DE3480C92971.TMP data Size (bytes): Entropy (8bit): Reputation: AE58AE6CBF53F99BFDF370778F A08C70877BFC8FC465981D3E500CAE8EA43BD7 AABADD5CE32B521CC D08B4E0A3D06150C9EB7389A67F47BEEAAB E690E76F060034E3DBAC814733B7C66E480ED8D0DA9454EA28879A529FEA2BFD5D0EC207A8D30EC42A87F 4B8FA25A755481DAB72D472A2C91380CF0FBA5 low C:\Users\SAMTAR~1\AppData\Local\Temp\~DFEE48C12E9FF737D8.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): Reputation: 5AC3D71AD8BF1F1E712D76D9C B7333D7EB0235A293C80C947306DDD FA7FD42FF3DF096A2B818F93AADDE9C18AB9AC5F7C DD78394DDBCF6 B1F6FF20352E805E6B42515A734F2627C59530BBCD1ACB3AF9B0EEF4BDCC DCDF125E08267B664A0F8D BA6594C2CEFC2462B7F4CBD3AE7924F low C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages Size (bytes): C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe SQLite 3.x database Entropy (8bit): Reputation: F10D9A1AEFB C57E2C 14F8A65AB44D8F99A84DF03EC1A13143DD6828FD AD747744F05E2269D F52B5A653EA16053DE10FA2E2A3A90A6B53204E CC5128D0A3B22FD4D29C97615DAB5B021F5FBDD7E9477B372ABA280A4B41F7FB92AA04CA2702DAEF669F1F988 37AC1ABFCDA3FBCA626FB661F203B609028EE0E moderate, very likely benign file C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe data Size (bytes): 5176 Entropy (8bit): Copyright Joe Security LLC 2018 Page 17 of 484

18 C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal Reputation: F8470C7F8AD26AD9C3099A91AD ED890775E225454C7CE593AD7076B12 E1F2F9D4AD3E0544F7E012C978D0B43484B98AD B60E468D80E CE1366EE94FD506FFD097309E71CDDC98CF231C9EEB2683A6122C13366B197E41400C68DBC3B22BD0D119F9 A1DF1EEEFF7674A44FF63FA62E664310BD49FC low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\001836CEC9B3850D003670B9D75C6973 data Size (bytes): Entropy (8bit): Reputation: F9E2C281A5C26B13342AD6BAC E06BEEC F925E020B2B830FAA4 AB82704D64DD287C FD7C2A5ED0E7435A33D8243F24CEE6CB1D7C4 90EBF3B49BF6436E9A974F050DECE7F9B05D6D404E480D22B35F347DAEE15F6D1BEDEB0675BE992DF9F33DC8C 628B0F97B09C15D39B7A4AD8AA10E8F13FB9B4F low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\01B16CDBADE7DB774141D7E30D50EC69 data Size (bytes): 552 Entropy (8bit): Reputation: A522C83CF406B6E4CDC772C0AA90055E F8FA4CB89C8DC3EFED8A2145E0A53E2EBB D FD1AC0F3A0FC7274C5D916B F74D47CDC970D746A016C 1F5DE D4768CE4D9347A560CA868D8079C7A0CBDC A8F81A9FB73B7B2A8DC87F4E0EDA858FF02 66B2C26C641A34F7FA1088BAFC72C64D82DBEC low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\024823B39FBEACCDB5C06426A8168E99_71E96368D9B65D311A432DABED data Size (bytes): 472 Entropy (8bit): Reputation: FC5192B8D641F770AB52 E40E157FE9611D85C42FB F345FDCE C7CBC528FD75620EB8E0AD105383D460F00FC321BC371CFA911AA9FBB C3C407F359D026E31E2934D34DA11794E5CF6CAE CB B5A D61C885FF6F6841C5786A0 CF74D642311A837A7A8A47BA842E6BCC4E14 low C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ F846F08BEFE0DD8112D932FEF data Size (bytes): 543 Entropy (8bit): Reputation: 4490C169ACA1B5217F8BF150F1D0A6F7 3CD647C770376C97476B3E3AC4E4171F1F696F81 7BDC F23F7C866A1EE2AEC98B6DF3495B631F18CF540B52B42B8444EE 2D24EA2A7615B7D44E8FCE06C2FCDFC704A44146FA77B33CB40E99618C119E05D5BE3DA284EABD6C7AAB068A 27B6E1B600A5D651FED04416FCABBBDA10DCD3AA moderate, very likely benign file Copyright Joe Security LLC 2018 Page 18 of 484

19 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E D9D67350CD2613E78E416 data Size (bytes): 2604 Entropy (8bit): AB1579E53AFCCF C19D25AF FA9EF64F2F27D7C6C039BDF0DAD3814B1 FA8F31103CBCB150797C4E49D43F6FF150549BCE3D15511C ACDE12AEE F70E91BE7B8E437C98ED40B633A6E30E8E0EB25EB392BD6EF937D09B2A24CA478F18A3CE76F81ACC513781C2F A70BBF1361AFD8CF58A7AC81A06641E0BD7C14B C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0AB67BD4882FB0E CFEB33A58 data Size (bytes): 531 Entropy (8bit): D B73641E5F A4B8098DF4D396A5E27E672F92693B48D3F8B7 500FC139B45549C8DCBA79CCD68C46657EAE788F4D64E3031BCFCB17E0A32E8F BBAF C72B94EED762715CC54AD CFBDA08111A64DCA10012BEDA52857EC31C3109CB6D C389C7692CB5ECF0415B5F48BA92F8C4E07D9B C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_7DC3E633EDFAEFC3AA3C EC2F data Size (bytes): 1521 Entropy (8bit): F4C0E830943F04C17FFFD4BEF37279E 451B5A9AF78AB3D9E43BE4773C2EC7F795976CD A940E3A4B4B BFB627B46ED6D8D64B400C27A6FD58B2E B2D52986E8DB494E3E523440AE01301CB39DBEDBC7219FB838FA1686BF450B51FB5C231A3CA7E7EB8C913B63 D071BDD370612FAF6E6B93E86E407F6FA35DF96 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E5B83846ED89B DE6F9B data Size (bytes): Entropy (8bit): AA8C1BE4700BAA4E71FDF6074F157 0EA01C8D3C3E1CAAE1FA53A35962A5BD0900BBAC DCD8E31C4375FF7A4727F29382F9353A2E30FA56E5DD41CDD93350EFAF0BC1BA 2C4582A4CA2EBED801F9DBFF28034F3A2E3C8747FF3FEC7A3B51FC58AC8924EDCF0E0D425BB8FFFDC566570D F5B665D86D110BFCDD59FD0C6FB53DFE46019B63 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0F1583FFF42FFF476A09801ACB69213F_D4C83E C1763EC8ED5C0DDE848 data Size (bytes): 1378 Entropy (8bit): EE681F87F57E66199F8544C756A63 A1E9C8651FE7CE1937D29AE48BCD452DE54EB367 7A51F02C0048D801709EB5E085781E934E8CB14CBB7AC8F72D45AE4F973F2CDE 75D8845E32E6B03806C456CCFC4C10A A72D81BE223EA765DFBD8C69E3A67F65C85A3EA0A785F5A5 D1F16185D2B BB776EB178F340D69676 Copyright Joe Security LLC 2018 Page 19 of 484

20 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875 data Size (bytes): 1378 Entropy (8bit): B6A8318B FD31B17C73C149C FABB771BE2F21BD515B386050E47D7A7733C E6033AF2A3E32B4872A566895EFE5EF6E4A88EB3DC56E5042C66CB D9AEA58843F1547CF26D5CE8D5BB25966C0F0058A807F940A2F85F1F3F42B94A2E18B05FDABCEBCC6DFB81BB D29E392C58C736FDF78AC50BC54F9DFABE7BD81 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BA79029EC3FFD076F5DAC2F70A18685 data Size (bytes): 782 Entropy (8bit): D66F3FDD48B C7088E 0CA ED51E57440DA7D0676B A80 3A91BCC378CC1EEC801DB9C FC36B6B0994B B0CD 515F6D051D7AACE6089E776FA7F8CF25B81B26F81B FD D025D3B453DDEA0273AFF8967DD0CF8F B9C4F48B0A110B2D07D509F8372C28D75A45E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BB09BEEC C193A7AA85AA5B_D4F01D341AC185E96A60D 3BFDE3BA124 data Size (bytes): 471 Entropy (8bit): E3D6F6386E7F8C45308AD333421EB64 4E00F9173FE5C936BC A3A06BDBF96 D60E0A81B974A82A72F2F237B97950E1F9D537206BFEAFE1FBB2B6EB080F0AA5 5C1D86BB50D B0BD BACA88341BABFEFC99FC3B02F45AE4FEA8E8BB80319A21F2B6337E33E F12923A739200E4FA7C E5A97CCA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E11E75149C17A93653DA7DC0B8CF53F_258E133D9C26B471949EBD864CD15AE 3 data Size (bytes): 471 Entropy (8bit): BF5FAB4880B37E6CB5B64F9A86F6B 9616B736DA5E7C C673D8B33C5BE CE39FA115E83BE6031ED377BE2B1A4B9FE5FC2E816A3EB7A74EF82A9C 649F4D27D70C BD3685EF8DBA16A9AA336D3DBC4D5D4A9FEA9FC1B23CC3E6870BE05E0B45EADC D65D7A023266F1174ADA62A1B2A5B286BB5B5 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E11E75149C17A93653DA7DC0B8CF53F_5F950C49FF1BB97D28C8F39F6B7C8BE 6 data Size (bytes): 471 Entropy (8bit): B7560B7A136F0D3AB1AE824773AE95C EBFB82E1158FC95A045B2F04E283AAD5F12DAC1A 7C3B B3FA5E2BF6E4A69A7BA647D9A443A15C600954F440D5ED5E0E418 F5A98BB8317D12B27DCA8419C82B5D0FFA5AAA94465ABDD A1AE8F66F5A8D3AC EB9F6561FD E5E1497C F479D4DFFE12C803E190D1 Copyright Joe Security LLC 2018 Page 20 of 484

21 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ C60AE785DBDEF5542B4B6F5 data Size (bytes): Entropy (8bit): DAAF17A5FC72A4B83FBE640B42B49CBB CF2C52D402C77A7E28EC8956D A993AD6 29C9D2F4B42E2EA3B383885B94979C001D4250A7752DDB143C2B0B142584BD01 370CF3AA0F8284FEDB88B A0EEF5023B70790DF84CB5232E5BD01EDAAC0BF2A786BA A1F09 56B160CE9B224B845E320D C9EF4BEB3 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B177 1 data Size (bytes): 1730 Entropy (8bit): DE6D28DCC3CBD7C7CD4EA5E2C0E2169E 94D71A9A8A711BF107FD3B12CA2A8BDA87B D4D D943DA4C156F5E519B229EB283E9817B8D2ADC38E8E87C301E78A 998F8A FBB964ABB0930D40ECC4B3A5735B FECEB94A49220FA360B6255BEA2BBDAB04063A8832 AA B17E507994F85D462E152F6634A4 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D data Size (bytes): 325 Entropy (8bit): D57B6F69205B896A C773B B35A1FD32055D6AFAFD86CDE8C87E364E E0C972EF7519A91C82E9EBADF750329CB51F0CDB9EE7F34FE18BDDAEA5F5A AAEFCD8C75B9F E9987BD49E89D7981ED04CB800E1912A742DDE9D3A C0E12DEC190C8 9B9EBF9D477AF77BC511893C8FAB51EFFA8CE3 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3154F0E8356F80B814870A1CC17F5A20 data Size (bytes): Entropy (8bit): B0F899DA818FA6E508A5CAADF5C7013 EA4947FFC CBFED0DB597D68D1394B47B 2AECD CEA6CD2C524DF90F5C636845A9FB86A2148AB015BE E2C85BDD87C7A931426ED7F6C327526FBC9F640B9758D8D83DAADE181EC69CFCF3A80E7E D2105B04DFEB8D7B E7844D619ECF C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3388ECC3F7BC4A9271C10ED8621E5A65_E06277F09C6CC2E7002D39B924D24F06 data Size (bytes): 1419 Entropy (8bit): B6E065B847CFD7A67855CCF22B8EC 71924DF18507DC2205F6AF8B6560BB88839CDD3E 9FBFFFE3FB9C87690BE706299FE1A20DE7E8BE441390A3159F5C50C921034DE1 8A2465AC29232D2C30C964E4596F8859EBD911E45DEA3DB75FBBDF2B885041D6AE767E5EC513F61D6E02A982FA B21BF75ABFBCD9937AAC04F D84B184B Copyright Joe Security LLC 2018 Page 21 of 484

22 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF D1D277A171D8DF7B_F2DE72102A14736B534BA AAB62F0BD4B data Size (bytes): 471 Entropy (8bit): D45B749FCE3534F2973B4BCF90E345DB 8A6C99838CB7BA7DBAF439C2C8F9CC7D6CAE5CD4 CFBF0E6B4CA0FF8F178998EE1BFDF3228D1CB7EAB19E2ECFA86B5EA FEC0B9E2FBEB3DCB4CE230B91457D6E2C206977AA015AF92A24E89990DD4BDD7EF235F B42CC9AF 5329A5F3F092E9CDA5CEE51AE1CB803D848B5C6 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FA0F92EA40DC353FF9E95B9F7D06EAF_02A7BB8D663AB0A2D3E0C E44422ED38B data Size (bytes): 471 Entropy (8bit): B877C4E2FCB116DCD3D2828A458A712 A00C695831D45FE517F510E B06E75FC4C DD82EDE0FE C7CFD31B55610D216A58E370855A6B0D4AB5AF91BA059BC B7FF3B6013D1B7570CE04B70A858F99CC0881AD824732B84CF02148E5216CFEEA862DB05BB64FC1BFD1B3709D DB D1A7822AF27F68154 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\41E BD186E9FDA558705F775 data Size (bytes): Entropy (8bit): AF358862DF479567B72A25115AB0 1100D7BA777B3AA5B645F1269E46B4B6F7D01CA8 E42FCBE6A35EDDE14A8C7AEEC684BC96B812A1EDBC6B409AF22AB2A868C5ACEB C4E7D54C6373B0290A36E78DE3786BB462FB19B3CA90EA3D8AD777434A9A4CB2AD881A1BC2645FC2B6 5F5D608503F5D14FF3E3165D0ECF5D876598B6 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4344B8AF97AF3A423D9EE CDE_33C46E8C1DD7F664A280A5BE389BC47 8 data Size (bytes): 471 Entropy (8bit): A6C27B9ACDE7EC72050BDCB6C79 099A6559DEDFCFC28D7C06B753E634B2E04E18D DFF0C468CE49F61FA3D9A B700F8DCD0D0696A4F C BBBAA8FE7D9DC6547FCB8AEC941E2837EED751B7C420B625F5C1C27B BBB655E4FFE F37B 17B9A20BA1134FBD46581EB7FCB2AA9221AF000 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4344B8AF97AF3A423D9EE CDE_ E55D84FD06862F9F4C3CE103 data Size (bytes): 471 Entropy (8bit): D2B1BF357D36A6BE5B1F59EC8EFD47A7 E5881D6C52AF845F90D3850A7CDDD67ACDFC618A B4893D393764EF414FBF5C6AA11E F22C0379AFA3D26BE05FDC1D0EEB 9ADA0A13D8558C82D139CFC96D252A33DFEE7E C855C97D80BC1F5D26F F4D68BC79526A99F9B E7F49B A67089C0821B1C3A1F124FFB Copyright Joe Security LLC 2018 Page 22 of 484

23 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5024A99DB487E61F859A7848B9CAE2C4 data Size (bytes): 665 Entropy (8bit): C0FC7EC6D88ECC67E0923EE47D40E10B CD441B B732BB92E3B22F62F4 B4B70625D79853B396A7344C8481CCB068A115DC9B442303C40B26999A86DD6E 63C93C1B2E363824BABDD F973EC3FEF8E3CE0347E7F55D E2B351CB401B016CBA962D2B B8F79AA7E7693A28ECCF0A695C1C2A9FFB3670 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C622 0 data Size (bytes): 727 Entropy (8bit): DC5794E2AB4C245A413C9DD57151AC1A B7BCF280CAAD5978DB4058A6C94D8AF8C128844A EF3E1DC9CF8C53E9638CEB486B8DFEDA97877DE146C23CF9A2B965AE07A6A560 4C87DAB9961BDE7291B1E8329EFB6900BE34F26A7EA6FB5AB5FC03D3AC29D8EF6E710F056D47A3D5C3FBB8BE F3EC E44D779D99A1F9BC5EE1CAD2E7D C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\537EC5B641ED5E0F8A F35B data Size (bytes): Entropy (8bit): A00117FE74A6ADE68CE142BA8FE FBE8F407DE5057DD0A857D0ED8D427F6A4D331 6D6A52A433E5A CBA46BF02D400985D5D9A35CF CED6CAF E67D9AE1D92DB1474B341921C6747BCA752B8CEBDB84F3B7DFDBE84670B057D3BAC CB2B5A63A 6F9A780D092965A0E9355AFC E3A811BD C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B 4 data Size (bytes): 471 Entropy (8bit): C2CEFD4E7AF98E2A646732B5A5FAC0 DE94F7FA39FEB40CF9BE3C4C84D16B51B859C6C4 F200A10C8E32B163A137A7D55791B328E6692E98E86FF3258F3113B5FC61E35C A FEC9059AD0E BA3C02BC1628B7AF49C3D AB18AFA439007B91A7D79D C3D573A6A17419C93FEEBCCE2B7 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5498EF90B621354BB7F904ABC830A9A8_D ECFF5ABBC8A8F C083DC1D6AB data Size (bytes): 1777 Entropy (8bit): AB43E69DE1DBA553AC3492AC152AFB D00446F51108B6845E48823DA2 EB77438B669A1B227D9ED819F87AB57FE8B700BEC89A05C9BA55015C497D0DA0 C876FE25A677874C82509C03AD58F508D2BB29E3E7663FCD7E726D B66533EA34A EC765E5A 0606D8AE34F CDE130A3690C6A2D0 Copyright Joe Security LLC 2018 Page 23 of 484

24 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, 6497 bytes, 1 file 1277B9A60DE934B5B3B7CF17D533F9C2 EBCE941ED65B11D9412F4A87CD125FDB C4EC3CEE10948F8DFFA18D689D3F E375B6D2B0BB711633B5D3663FAF 9215D7155C0DB3F02C0462A192C7A75CFEEC90AA32BF38C8FB35E16569E027FB8F6F2F14563D E98E9BC C993EEC23C480D333E7B26D865D5B911FC04A C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59C48DAF0C5D8F8B7B9ABAA5A55BD5E2_0F9D B677A0BD5F 3C9403D468D data Size (bytes): 1777 Entropy (8bit): BF012536D9C33E678915D85DDDD00 3A06DC232B35BB0B1F09FF63B74FEF43C799FB BF1E A1AF2DCB4CFF9C979805AD8C2FE36E6FFC24C FAD4EB9E902036EE1B3CE0C78B00063AA84F33373CAF8D7E9B A2CFA CF8CC3615F630DD9FF74 B2BA F52A9FEC6DB8F15026ED8A253 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5B9763FB83E74617D0DB F69B data Size (bytes): Entropy (8bit): F7393C73EE337B20C70CA728F9DD16 C3FFE0EEE4FE6657E2731FB7C1F734A62F65DD8C F3CA04E473B4827D841BF1F2C5F1D61B53C FDC2EA97AA95A17572B26D 0380CB2A04DE550BCC363B C8537B465D7940ADD6B73378CADDA136EE7397F57971A2E5EFCD1DD62916B E8B25EF078F2AA62979F4E41CAE1A86FD01E04 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E F2A5 data Size (bytes): 1073 Entropy (8bit): F69F9FD3206A BA45A E758CA442E729D3A47D3FD653E D1F049 0D877C5F8B67B85B1BEDDFBBB1D8B82BB6D22E41EFCAF4622A328BAC795092CA 6F4583D60AD0F37BA19ECF0B076529B3BD57EB9791E7E9AC8AFFF AD1BAF1E80C8218A10E49A4AD2EF0 CF D596C6D70011DFECD62AE C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\620BEF1064BD8E252C599957B3C91896 data Size (bytes): 439 Entropy (8bit): A76B87E3E2A9F0C864610B7CCBC3C AA0762C939E3155CCC4E051F9B2EF5B1D060299D 2176AE7D47513B54DADD14FF28C141A7BDC92EF6F84D211C B60D8644D D4D41551C97E8E422A9D7D9CEA3953B3A486E83B711DCB11E04CA9613A179272B3A685268F95BF78DB0EFB6B51 2C373A1F B4D2DBA6BC7ABA5DEADA106 Copyright Joe Security LLC 2018 Page 24 of 484

25 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B B5E195ECB0E8F243A4 data Size (bytes): 896 Entropy (8bit): F4DE9D7ED07B90F74B30F8E6F338ED 5F4AF4AA669988DC C3E529D7E1 DE7D8C72B389E18C8B1C835B0DB12A3A3EBABCAD3496EE63D2EC7DF594D62541 BDC1DA76BDB19EA306C1F66CE8FDBD9384D0F65580B04DAB5286C8F5A66D25F5DD9F4B17DDC7DFCB6D9F1D3D 64687A80371AD96B33EA8B85509ABC7D96DA34E3 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\67F6625BC22310D5C99DDE12020DBD90 data Size (bytes): 462 Entropy (8bit): A68A2AE020719B8942F12700C2AA7326 8B382EF2E4FE11578EB042012F49DA87F2CC56E9 D605EF4CA0057C59A4E90EB65A86BFFCA2A76509F5D67A2B7C6FCB66DA48B95F E9E343A249A7E304703D C17A870C4245A84755B2592A6736A70CD921D0B249A14A7EA4E3C9674CED206B E0D D A722A7495CE672BAE C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C data Size (bytes): 531 Entropy (8bit): A997FD2F832622F036EC06CF4D1B8 A06195E325B099682C20B0564E C8A9E38CA6AA009D91D9AFEA85C004376DCC9CAC165B8A06D1F873A94CEF FA3BEDDD54DCCF4188D333DB38A3B468400C20765CEDA C4B43846C DB306890CD562CE3 B D9FA9C67660D5B12CA940E0EE023 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6A2279C2CA42EBEE26F14589F0736E50 data Size (bytes): 434 Entropy (8bit): CA B3A8B8E912E7D2138B DEEC92073BEA F ECF6F2750B1B4 A7692AA2B5B2664DE344B922A091B7BA6F4FA01A4FFC80F279BAC31D4A3E468B F8DC07C60ABEAB1B60DED14C3D51C25A41F28FA7EC657A06038ECB2AFEF D FAFBD A 8ED5A2039A20B37F3A341518BACDD319C7B6D02 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6A59C2B4529FA60196FE66A9AA54C0D5_43E48E0B92A607AC2A5AB0D2C data Size (bytes): 471 Entropy (8bit): C2DB6CE4099AD47B673157AA8BA22EA 24306AB1A582C4C60A7788EDECF2D031D199222A 213C240726F1C8C6B3BCE8258EC226B33BA9F46935E80D4286EBE61ED782CB4E 66A0D4CFA422DD3BB1D96B1CBD211379CFD6037D034ED2F0C96DF39D50E760DCBF924E2C9CE3F6B9D7C EBD4C3BDDC588979FABC37DE099FA Copyright Joe Security LLC 2018 Page 25 of 484

26 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B17EC2CD0C9B FF1C12BC489 data Size (bytes): Entropy (8bit): F7393C73EE337B20C70CA728F9DD16 C3FFE0EEE4FE6657E2731FB7C1F734A62F65DD8C F3CA04E473B4827D841BF1F2C5F1D61B53C FDC2EA97AA95A17572B26D 0380CB2A04DE550BCC363B C8537B465D7940ADD6B73378CADDA136EE7397F57971A2E5EFCD1DD62916B E8B25EF078F2AA62979F4E41CAE1A86FD01E04 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 data Size (bytes): 471 Entropy (8bit): F0210FCA CC216A E2 D10B86C6F353C30D98B55BFCAADD40E7D493397C 397AD878DB2D20AFD65BA634252E B089E1C9526BD D1221F9 C5CA0CE0D36CB0716ECC6E37F96C261EF4E992C6C6B03D7EF703252D5494DE7AAFB222089C8BEC0A52ECD39D CF B994898E994C7D29C8C513BB690DA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD AD517DA data Size (bytes): 471 Entropy (8bit): B888F6ACEDF622DFC0182A8197CCE4 F96CB2A18EDEAF9CB9755EDCF5ED77ADDDA02F32 C0DCF3DF26FEA5DD85A9429DE3A8F1AF2BC34FD092A21A951CE08EDE2B44C9EA B96343B16789B2E97AA678E14F73F72FB8C28841CF93F0B2C63E2ED9CE53255F5BBD8EBA101405FEDBD2 CDA0969AFD5DC254F22DF179E50BD5E6F208E9 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DB145CFEEC544B1582FED1ADA3370DD data Size (bytes): 531 Entropy (8bit): A997FD2F832622F036EC06CF4D1B8 A06195E325B099682C20B0564E C8A9E38CA6AA009D91D9AFEA85C004376DCC9CAC165B8A06D1F873A94CEF FA3BEDDD54DCCF4188D333DB38A3B468400C20765CEDA C4B43846C DB306890CD562CE3 B D9FA9C67660D5B12CA940E0EE023 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6E5336CDD9652A36A93E734B280625C5 data Size (bytes): Entropy (8bit): C07AD27FF07B9EDB9F638F319CDE4 7A41FB83E858EB889F6F1164F6ECDF6EDD77E2C0 29CE429F3331F28C6BF514F2E4BBB746D8D2147FE9B2A2F491F1115AA2DC0059 AA78218AF5E735EF4608F5560C6D10F41F5E339AC0ECBFADCDC4CFD044C0519E87801BEF5EF35D40F582CEABE 4CC8F10896B876F2FC7E7BD6BBACC70168B86A1 Copyright Joe Security LLC 2018 Page 26 of 484