ID: Sample Name: 1letter.exe Cookbook: default.jbs Time: 07:33:28 Date: 05/04/2018 Version:


Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
  Signature Overview
    Software Vulnerabilities:
    Networking:
    Boot Survival:
    Remote Access Functionality:
    Stealing of Sensitive Information:
    Persistence and Installation Behavior:
    Data Obfuscation:
    Spreading:
    System Summary:
    HIPS / PFW / Operating System Protection Evasion:
    Anti Debugging:
    Malware Analysis System Evasion:
    Hooking and other Techniques for Hiding and Protection:
    Language, Device and Operating System Detection:
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshots
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Entrypoint Preview
      Data Directories
      Sections
      Resources
      Imports
      Possible Origin
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
    SMTP Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: 1letter.exe PID: 3424 Parent PID: 3012
      General
      File Activities: File Created, File Deleted, File Written, File Read
      Registry Activities: Key Created, Key Value Created
    Analysis Process: services.exe PID: 3436 Parent PID: 3424
      General
      File Activities: File Created, File Written, File Read
      Registry Activities: Key Value Created, Key Value Modified
    Analysis Process: explorer.exe PID: 3520 Parent PID: 2984
      General
    Analysis Process: explorer.exe PID: 3536 Parent PID: 2984
      General
    Analysis Process: explorer.exe PID: 3560 Parent PID: 548
      General
      File Activities
    Analysis Process: explorer.exe PID: 3624 Parent PID: 548
      General
      File Activities
    Analysis Process: java.exe PID: 3636 Parent PID: 3560
      General
      File Activities: File Created, File Deleted, File Written, File Read
      Registry Activities
    Analysis Process: services.exe PID: 3672 Parent PID: 3624
      General
    Analysis Process: services.exe PID: 3724 Parent PID: 3636
      General
    Analysis Process: WerFault.exe PID: 3764 Parent PID: 3424
      General
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018 Page 2 of 347

Analysis Report

Overview

General Information

  Joe Sandbox Version:
  Analysis ID:
  Start time: 07:33:28
  Joe Sandbox Product: CloudBasic
  Start date:
  Overall analysis duration: 0h 6m 57s
  Hypervisor based Inspection enabled:
  Report type: light
  Sample file name: 1letter.exe
  Cookbook file name: default.jbs
  Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
  Number of analysed new started processes analysed: 13
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled
  Analysis stop reason: Timeout
  Detection: MAL
  Classification: mal88.evad.expl.troj.winexe@15/91@236/18
  HCA Information:
    Successful, ratio: 72%
    Number of executed functions: 0
    Number of non-executed functions: 0
  EGA Information:
    Successful, ratio: 71.4%
  HDC Information:
    Successful, ratio: 90.6% (good quality ratio 67.3%)
    Quality average: 52%
    Quality standard deviation: 38.7%
  Cookbook Comments:
    Adjust boot time
    Correcting counters for adjusted boot time
    Adjusted system time to: 2/1/1970
    Found application associated with file extension: .exe
  Warnings:
    Exclude process from analysis (whitelisted): svchost.exe, dllhost.exe
    Report size exceeded maximum capacity and may have missing behavior information.
    Report size getting too big, too many NtDeviceIoControlFile calls found.
    Report size getting too big, too many NtOpenFile calls found.
    Report size getting too big, too many NtOpenKeyEx calls found.
    Report size getting too big, too many NtQueryDirectoryFile calls found.
    Report size getting too big, too many NtQueryValueKey calls found.
    Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

  [Table; header text: Strategy, Score, Range, Reporting, Detection, Threshold, Report FP / FN]

Confidence

  [Table; header text: Strategy, Score, Range, Further Analysis Required?, Confidence, Threshold]

Classification

  [Radar chart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; levels: malicious, suspicious, clean]

Analysis Advice

  Sample HTTP request are all non existing, likely the sample is no longer working
  Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
  Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
  Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

Software Vulnerabilities:
  Exploit detected, runtime environment starts unknown processes

Networking:
  Detected TCP or UDP traffic on non-standard ports
  Domain name seen in connection with other malware
  Tries to resolve many domain names, but no domain seems valid
  Connects to many different domains
  IP address seen in connection with other malware
  Internet Provider seen in connection with other malware
  Uses a known web browser user agent for HTTP communication
  Contains functionality to download additional files from the internet
  Downloads compressed data via HTTP
  Downloads files
  Downloads files from webservers via HTTP
  Found strings which match to known social media urls
  Performs DNS lookups
  Posts data to webserver
  Tries to download non-existing http data (HTTP/ Not Found)
  Urls found in memory or binary data

Boot Survival:
  Creates an autostart registry key pointing to binary in C:\Windows
  Creates autostart registry keys to launch java
  Creates multiple autostart registry keys
  Creates an autostart registry key

Remote Access Functionality:
  Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Stealing of Sensitive Information:
  Contains functionality to search for IE or Outlook window (often done to steal information)
  Searches for user specific document files

Persistence and Installation Behavior:
  Drops executables to the windows directory (C:\Windows) and starts them
  Exploit detected, runtime environment dropped PE file
  Drops PE files
  Drops PE files to the windows directory (C:\Windows)
  May use bcdedit to modify the Windows boot settings

Data Obfuscation:
  Contains functionality to dynamically determine API calls
  PE file contains sections with non-standard names
  Uses code obfuscation techniques (call, push, ret)
  Sample is packed with UPX

Spreading:
  Enumerates the file system
  Contains functionality to enumerate / list files inside a directory

System Summary:
  Dropped file seen in connection with other malware
  Creates files inside the system directory
  Creates mutexes
  Deletes Windows files
  Detected potential crypto function
  One or more processes crash
  PE file contains strange resources
  Reads the hosts file
  Sample file is different than original file name gathered from version info
  Sample reads its own file content
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Launches a second explorer.exe instance
  Reads ini files
  Reads software policies
  Spawns processes
  Uses an in-process (OLE) Automation server
  Binary contains paths to debug symbols

HIPS / PFW / Operating System Protection Evasion:
  May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
  Checks for debuggers (devices)
  Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  Checks if the current process is being debugged
  Contains functionality to dynamically determine API calls
  Contains functionality which may be used to detect a debugger (GetProcessHeap)
  Enables debug privileges

Malware Analysis System Evasion:
  Found evasive API chain (may stop execution after checking mutex)
  Found stalling execution ending in API Sleep call
  Enumerates the file system
  Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  Found decision node followed by non-executed suspicious APIs
  Found dropped PE file which has not been started or loaded
  May sleep (evasive loops) to hinder dynamic analysis
  Sample execution stops while process was sleeping (likely an evasion)
  Contains functionality to enumerate / list files inside a directory
  May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  Program exit points
  Queries a list of all running processes

Hooking and other Techniques for Hiding and Protection:
  Creates PE files with a name equal or similiar to existing files in Windows
  Disables application error messsages (SetErrorMode)

Language, Device and Operating System Detection:
  Contains functionality to query local / system time
  Contains functionality to query time zone information
  Queries the cryptographic machine GUID

Behavior Graph

  [Figure: behavior graph. ID: ; Sample: 1letter.exe; Startdate: 05/04/2018; Architecture: WINDOWS; Score: 88]

Simulations

Behavior and APIs

  Time      Type             Description
  07:33:43  API Interceptor  2x Sleep call for process: 1letter.exe modified
  07:33:43  API Interceptor  3x Sleep call for process: services.exe modified
  07:33:46  API Interceptor  14x Sleep call for process: explorer.exe modified
  07:33:46  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run JavaVM C:\Windows\java.exe
  07:33:46  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services C:\Windows\services.exe
  07:33:47  API Interceptor  293x Sleep call for process: java.exe modified
  07:33:57  API Interceptor  3x Sleep call for process: WerFault.exe modified

Antivirus Detection

  Initial Sample: No Antivirus matches
  Dropped Files: No Antivirus matches
  Unpacked PE Files: No Antivirus matches

  Domains

Yara Overview

  Initial Sample: No yara matches
  PCAP (Network Traffic): No yara matches
  Dropped Files: No yara matches
  Memory Dumps: No yara matches
  Unpacked PEs: No yara matches

Joe Sandbox View / Context

  IPs


  Domains

  ASN

  Dropped Files

Startup

System is w7
1letter.exe (PID: 3424 cmdline: 'C:\Users\user\Desktop\1letter.exe' MD5: 65FBEFD898F42F054C3872D2C6C45DC9)
services.exe (PID: 3436 cmdline: C:\Windows\services.exe MD5: B0FE74719B1B647E F4A)
WerFault.exe (PID: 3764 cmdline: C:\Windows\system32\WerFault.exe -u -p s 552 MD5: 5FEAB868CAEDBBD1B7A145CA8261E4AA)
explorer.exe (PID: 3520 cmdline: explorer.exe C:\Windows\java.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
explorer.exe (PID: 3536 cmdline: explorer.exe C:\Windows\services.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
explorer.exe (PID: 3560 cmdline: C:\Windows\explorer.exe /factory,{75dff2b c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
java.exe (PID: 3636 cmdline: 'C:\Windows\java.exe' MD5: 65FBEFD898F42F054C3872D2C6C45DC9)
services.exe (PID: 3724 cmdline: C:\Users\HERBBL~1\AppData\Local\Temp\services.exe MD5: B0FE74719B1B647E F4A)
explorer.exe (PID: 3624 cmdline: C:\Windows\explorer.exe /factory,{75dff2b c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
services.exe (PID: 3672 cmdline: 'C:\Windows\services.exe' MD5: B0FE74719B1B647E F4A)
cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\bphca.log
Process: C:\Windows\services.exe
File Type: data
MD5: C FA2BDD8908FFC
SHA1: CE7D7A4ABC39D CC51C0AF09E50630D3A5

C:\Users\HERBBL~1\AppData\Local\Temp\bphca.log
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\services.exe
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 8192
Reputation: high, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\tmp29C.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp29C.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Reputation: high, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\tmp2A7.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

C:\Users\HERBBL~1\AppData\Local\Temp\tmp2A7.tmp
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp2A7.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Reputation: high, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\tmp2BC.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp2D1.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp318.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp318.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Reputation: high, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\tmp355.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp360.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3ECA.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3ECA.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3ECA.tmp:Zone.Identifier
Reputation: high, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F39.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F39.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Reputation: high, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3FEE.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp408F.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp442A.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: F1D0555C7BEC2F967D1DA64

C:\Users\HERBBL~1\AppData\Local\Temp\tmp442A.tmp
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp442A.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Reputation: high, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4435.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4435.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Reputation: high, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\tmp444A.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\tmp445F.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4492.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4492.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4B43.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4B43.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4B62.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4BF.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4BF.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4D4.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4D4.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4D5.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4D5.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4F89.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4F89.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4F9E.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract

C:\Users\HERBBL~1\AppData\Local\Temp\tmp546F.tmp
Process: C:\Windows\java.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

C:\Users\HERBBL~1\AppData\Local\Temp\tmp546F.tmp:Zone.Identifier
Process: C:\Windows\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26

C:\Users\HERBBL~1\AppData\Local\Temp\tmp5E5.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract

C:\Users\HERBBL~1\AppData\Local\Temp\tmp6AE.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract

C:\Users\HERBBL~1\AppData\Local\Temp\tmp6AF.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract

C:\Users\HERBBL~1\AppData\Local\Temp\tmp778.tmp
Process: C:\Windows\java.exe
File Type: Zip archive data, at least v1.0 to extract
MD5: C C44E592D11CFB162FA734F9

C:\Users\HERBBL~1\AppData\Local\Temp\zincite.log
Process: C:\Users\user\AppData\Local\Temp\services.exe
File Type: data
Size (bytes): 1184

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\QMYJACXF.htm
Process: C:\Windows\java.exe
File Type: HTML document, ASCII text, with very long lines

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\X8XM4IPB.htm
Process: C:\Windows\java.exe
File Type: HTML document, ASCII text, with very long lines

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\results[1].htm
Process: C:\Windows\java.exe
File Type: gzip compressed data, from Unix
Size (bytes): 1443

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\search[1].htm
Process: C:\Windows\java.exe
File Type: HTML document, ASCII text, with very long lines, with no line terminators
MD5: DFAE7F61A104B76506D0701A641429E5
SHA1: 7BDEAB9797EF9C8CFD4DD4CB17A79909ECC0FA3A

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\search[2].htm
Process: C:\Windows\java.exe
File Type: HTML document, ASCII text, with very long lines, with no line terminators

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\search[3].htm
Process: C:\Windows\java.exe
File Type: HTML document, UTF-8 Unicode text, with very long lines, with no line terminators

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\search[4].htm
Process: C:\Windows\java.exe
File Type: HTML document, ASCII text, with very long lines, with no line terminators

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\search[5].htm
Process: C:\Windows\java.exe
File Type: HTML document, ASCII text, with very long lines, with no line terminators

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\A8V2NG6D.htm
Process: C:\Windows\java.exe
File Type: HTML document, ASCII text, with very long lines
MD5: E89BD136CBBEAD84778F7C3E722BAAA8
SHA1: 62B28257D62BC70C6C9F71F AEDC
SHA-256: 281D813F5AE ABD83039C AC7177D2B075969E058A3A1E19BBB

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\NET6ON69.htm
Process: C:\Windows\java.exe
File Type: HTML document, ASCII text, with very long lines

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\results[1].htm
Process: C:\Windows\java.exe
File Type: gzip compressed data, from Unix
Size (bytes): 1443

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\results[2].htm
Process: C:\Windows\java.exe
File Type: gzip compressed data, from Unix
Size (bytes): 1445

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\results[3].htm
Process: C:\Windows\java.exe
File Type: gzip compressed data, from Unix
Size (bytes): 1445

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\search[1].htm
Process: C:\Windows\java.exe
File Type: HTML document, ASCII text, with very long lines, with no line terminators
MD5: 8A0D51219C97F0B6F85937AA2B
SHA1: F C08CB044CBAE44E B7C
SHA-256: 72B76376EA49347D196AA6F2D D30AF2814B8C58A0871B32F3C83D6C

33 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\search[1].htm SHA-512: Malicious: 7226A44B8B4CE B02FC36EEA64A3B43BBB1B7B09175D1E83C5B63BCC3EE6B4EB724798D2F760E071 B337E8DD36A2599D D75BF427B36DDD61 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\search[2].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, with very long lines, with no line terminators 1354FD18D724F18F8745E D 1909D38F CE4070D1E693FF94F7C E406B6DC201465C17DA3E1DD CA879A4D1FE428ADD36D6EA1DF6DFC 91D978A749B A5CA25E B3ED358A8DC493CE4EBDD47D59A1E320702EE628859E0B34462E75D583 D43032E4103D8EA3BE3DF4480C93EBFD3EAEE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\search[3].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, with very long lines, with no line terminators 6C3AFD8FCD039C1DC93F3A415092AF86 46BB7A0AD27336C092950F02F89D90158E C2B91173BD75F284BE154F4C4DCCD79C166581F92E3A EBC5C621DFD0 690BD9C933DFD4DE2118BEF15D402806A3283F7A60E1F7EE4638F6D8FBCED51E792C14BBA2214F413FF056DE19 425B5E4EB4238ECE1D6CBEF4A2A21FE29BE6F1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\search[4].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, with very long lines, with no line terminators 84BE3C024F4EF53D9A1060DC56A156BA BFC71D4D2A246A AC52A55C6945CB609 7C FFFF98C6976E735E8D53F3999A497382D90ACBFA631C205CACE3D37 142DFED6402F56E3E193AA431FA02CC803AA C8DB2889B E A34BAD873B2188C4BFD EEB77DE4F7024C5A068F E9B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\770Y1RCW.htm Process: File Type: Size (bytes): 
C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, with very long lines 47590F46ED42B8C7FA2F6E94F D9B426331D790D7C29C121EB9B9DA94B444D75AF F9EF7BCB E64968B92A08EC160EF CAEDED4CEE79522D928E7 3EE5FEF3BDBBB2A02B944D2083D0C7DFC3468F3A359EEC371C54D6CE98D71E29B75B33EB52BFB1B41DEA6F11 E0E2AC050FFDDE7E5F7CE7A7694A087DF410B438 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\UZZLWOZS.htm Process: C:\Windows\java.exe File Type: HTML document, ASCII text, with very long lines Size (bytes): Entropy (8bit): Encrypted: MD5: E06057B4776CD73DF4680C0A5A45B790 SHA1: 32AC9B23E87D85730E283C3E898FDF9DA31336EC SHA-256: 33E9E9B00BEA6DD4AD316AFD665BFED3E46EC22E3EB671CCA37D483F250D29F2 Copyright Joe Security LLC 2018 Page 33 of 347

34 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\UZZLWOZS.htm SHA-512: Malicious: DC F08E17B65C95F7E55D4A81569BBE7B6A57DECAC4DDE10E045BEC4A7BFE05040E1781CBBC203D54 A1884D9A1718DF736FF71B9804D F7AAB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\results[1].htm Process: File Type: Size (bytes): 1444 C:\Windows\java.exe gzip compressed data, from Unix Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: EDED9CE3E26EB694C68A34082D147E69 C3C1F91D CC E72BD46D629 EB4FEABE2F0F78FC45B03EBF86032D993AF741D381CB1B2A5606A858AA3CC735 3E9EECF DECBE57AE7B172DE977DAC59EC069CBCB40EE12D921E78A19610EBDBC1F5945EE0F5E3CB88 CFA7A6164CCED BEE05A082871BC22FAA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\results[2].htm Process: File Type: Size (bytes): 1444 C:\Windows\java.exe gzip compressed data, from Unix Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: AE7B69F0D1B262182CF0FBAFBB8C12FC 5EB3D00CDE40B9155CF85A11FD7A AC B9C EEB038C2D611082B8D563DF25910F389E83FE8D DD DD5E85D F714B3F00F DB3306FAF8EFE613BA867F85F F901B688D6AD7AFBA 7A9F9A6D7CD D54BA0ABD41D8D5888 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\search[1].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, UTF-8 Unicode text, with very long lines, with no line terminators 2F6E925CD18148F21A5CFBB37DE7BD F A7F3F823FE51A9760F289E E3C78FC46C EAEC BF006AD7C BD7A115 E974C3D59B44973FCAF4BD E01A583EE6680AE6D27ACC48B19E5C1F26134A423062A177A290193C38ACE0 246A530AC55C181A0CE80DBC9BE0F3BA125A8 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\search[2].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, 
with very long lines, with no line terminators 0B2891C6367CFD BAE45E2CBD 9C FC27BAD3BAF7E76B7E03AFABF2D6BF DEEB73C15590FB956330F42C83B05CF5F0901C40AC8482C3F807A27 9A0C14A624F9B873CF20919B9F4A3C50AAC3E5DA8011E14F1B5EA6B368679A8A20528B78A09FBD93FCD8D063FE 4B880C041078A1B6F4023DF840B7C04A7DE7FE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\search[3].htm Process: C:\Windows\java.exe File Type: HTML document, UTF-8 Unicode text, with very long lines, with no line terminators Size (bytes): Entropy (8bit): Encrypted: MD5: 8A69253E14518A1A9E CAB8FCC SHA1: AE3BCEFB55F83BE7450A3FBCAE67861BC4A81C78 SHA-256: 84694A298A744EB395537A2E4A79E6C6D88B76B4692C30399F5EE1E75DF9293B Copyright Joe Security LLC 2018 Page 34 of 347

35 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\search[3].htm SHA-512: Malicious: D3256E42795FA B9D49F6332A094757A0FD24DE5B863A352FC2468FE181D98A31CCE E8572B8EB BCDB40C4D56770A5D0BBFB95336C2605 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\search[4].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, with very long lines, with no line terminators F70F8492FF7A135C4F77C537946D4DA4 6D34C70DA9718D07AC105DC2B3DF A59AC11B92AEF3BCDCA54A9168C98EDF A081F EF8501 C37F6A2D386FC80FF1AD F25A2D56F212EAA0FCB74C7AB F40CF67EFE282F71FD88146B2D58E E9B2CBFAA44D92B5E9B3B688C986 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\results[1].htm Process: File Type: Size (bytes): 1445 C:\Windows\java.exe gzip compressed data, from Unix Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 500A1CC1D2055D1BEFDD08194CD1BDAB E0ADB4211E674B EA570251D EE E512701A BCF71365A3FD78C79AF55E5B1F5665 3ADC1DFE25A41C6FF3A94CE6EAAB71A8C844E7A5D2DE0DE6A5952CC2D3FCA06D02E1A17AA2E859F1141A C7336DA61114C0B4484EEFFB10CC15C2EEFED C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\search[1].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, with very long lines, with no line terminators 4A902BD1B5F83B62CE17FD8F053E199C C99D BBC2F179E19FE0F37C524D260A2 CEEC9B2BB832A633DA8FFF92BEDD610237AB9E1824FDEC2FB2B14F E38 A3E645080C995FB6069A82113C88C015CDEE588A8F2CEE1E417F60CF792EAAFBBE1F8071D22D567F2F87EFDCB F90FE CBA694E5050E5E80CECF14AD0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\search[2].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: 
SHA-512: Malicious: HTML document, ASCII text, with very long lines, with no line terminators 2804D57AB150C30BC91105A74FF56FF2 B51EF BBBA1C219B8DB731B32591C8BA4 9B05FCCB3FCAE42A4752F4E154C984F16D7795C51B07828D9C736537E DDCA758CFFAB84D9FD20BB8DAC1C0DA7F7AD8857BC0BCCA480BC125B74CDE1FFC60D4AC83B0F A0156F770ABEABB995C267D05DB8DEB CD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\search[3].htm Process: C:\Windows\java.exe File Type: HTML document, ASCII text, with very long lines, with no line terminators Size (bytes): Entropy (8bit): Encrypted: MD5: 495B7755D9A025E9BBA9E655BDCA5911 SHA1: 015BE6C50D5B1C2B7453B08EE0FDCEDEFE5A3A38 SHA-256: 15DA6D8CB C315AC21EF94F65768DDAB3CF7F24F07B6FED9CC4D62BFC Copyright Joe Security LLC 2018 Page 35 of 347

36 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\search[3].htm SHA-512: Malicious: CF1DBF9D C0131B5261DA05797D0B15DB3B378D919CBFCDAC6E63D988B7ED C6496DD2EF5B3 7B5650F23E0A24079EF09A A659BB5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\search[4].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, with very long lines, with no line terminators 67D7E9357B239764ECAEC87E5AFE1EEE 54FF62BA8F667F97653FE01A480F3A43557C8138 1A20FCFB5695D4D74B770F25C7A3FB5785D6A6155B5D51E1C82FE3EFC FA27BF4B AAEBFB17B6863A4F5CCF60540D50C7AD29B3D6A373676DB1B1E53BD718D49AF4116DC99CE 769BBCAB9124B35A948C22C7B71297B202A35B1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\search[5].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, with very long lines, with no line terminators C786E5466CCFB2BF421B B 9F5DF1AF47163B9A94ADDE064A2EC258BB84BDC3 2803BF FAD3C55BB10958DEC215F1B87ECAF44401E61FAABE95ED4973A 8EBF048E723FDC4F38DD83B87FB4DC3CF4608F9BF48D043BEBF89012C4F73B53A3CB80CA7D4E9E6BC761AE78 C412708AADC564DCA A43E9A091FCC24D0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\search[6].htm Process: File Type: Size (bytes): C:\Windows\java.exe Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: HTML document, ASCII text, with very long lines, with no line terminators 7CD683FCF8B34CB70A6CE F EDD5422C36C6AC9FDC316668A3830D4A2718E63D 1361E0D504AED8024F9EFF6B1799D0D397416D0F56E9B341F36332CB083583DC BBCF403C416D7C EB3B8EB74F4BF4DACDAAC00FF B9D15AA462CF211E05CF2E4C4C5C1 75E44792BE6FD10C7F61FE77471DEEEB5285A87 
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_1letter.exe_c414864e256628e24f0a496788d4e221dc6cb_0ed4d47 e\report.wer Process: File Type: C:\Windows\System32\WerFault.exe data Size (bytes): 8146 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: DE54D27D74F8331FE7B6E1C778BC9E3B 14238DBFB902DE5C6700F490D426E07C10F8987F A5BAF CC0EB381CC0D68B9E4757F5080DDC4B8960AF4AFC4EAFAB83A7 F354033A4512B30E494AFD8588CA4D6B7FE1DDDC376114D22FB9A8A223159EE2F F2E F613F1 3FE7BF5B179A266B4C5A82A2B035B748AEAE C:\Users\user\AppData\Local\Temp\WERD135.tmp.WERInternalMetadata.xml Process: C:\Windows\System32\WerFault.exe File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators Size (bytes): 3396 Entropy (8bit): Encrypted: MD5: 98A1E C88759F55A B1 SHA1: 475D FC9ABB1ED EC91D8E1B426F SHA-256: 279A6A7E623869CFEB49D453E81927D9473D0344F52BB B206131DA4B Copyright Joe Security LLC 2018 Page 36 of 347

37 C:\Users\user\AppData\Local\Temp\WERD135.tmp.WERInternalMetadata.xml SHA-512: Malicious: 14DAF65BEF9C456C962EDC9C02D8BED2E9BD27880F9412FBB472D929720D3C3A4E18F087772B9BF4D84B702DF C4B84144D19F96730F6DE3AD35327A147 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\0DVTL3L7.txt Process: File Type: Size (bytes): 82 C:\Windows\java.exe ASCII text Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 2FBA3EC216D7829B922C2A39E502C FB372E4033D4D06BFD67A73FC657BAB9D98D B5264DCA2B79430FE485630A8F F DC9D6D468EC6E6FB CEA9E12A8BA8E85D0D165255A4E04CF0448CCD47EFBE4C897B1A08652FF89D360BAD0449D04EF6 341A7A98AE77460DC416E17FCBD6424FDC192E C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\LCRY1OD6.txt Process: File Type: Size (bytes): 82 C:\Windows\java.exe ASCII text Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 483DD9235BC170941EAD4D223B4CD47A 55854E6E0A370465B8A85679A0A1388CAB13056C B291082D8C077AAFB75F901E93BD5E6D0DBFF1D017AD594CBD447D2CA4FE57F8 9EC9EB5C159C6C9FE6FFB8CA35CF51397CDD13B BF8EEAF567EAF15A65B51EC1065ACBBB3CED0D0C0 678C3CDBE4AFEF63051DFBB06AC3C8C0164D791E C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\NE22CSAN.txt Process: File Type: Size (bytes): 82 C:\Windows\java.exe ASCII text Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 3C6306FEDEEA9EC8F3542D7F12099EDC AF8BF481B63C1D13A49F6BE0E7E0A59A8336A7DF C49633A2C CB268E02A515C098F5B52F5F5D39504E5B0B04D71391D289 9B5172C45A91C1A01172E9D846F95AAD6AF3792C0F8A424C8F83D1F666C CC CDB11B F6F59D3168F5ABE BA4895B838F C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PVLK180K.txt Process: File Type: Size (bytes): 83 C:\Windows\java.exe ASCII text Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 844FA8E87AAB1E16EB3AA35B70E73723 D1C586AA316274A72D2D52770F281CED02717E41 0DFA4589B4522E1AB6BC703E95A84259E6F C1432A6DD3C71CB31B49B 3639A08AA3A7D85CAE48B2BAFF58C7DA EB97DC DB9E93824BFD8155A3B94A47004C C6A78E32F141D93692C1FE0F3E76F811DD40 
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RWPFV0J4.txt Process: C:\Windows\java.exe File Type: ASCII text Size (bytes): 83 Entropy (8bit): Encrypted: MD5: 8E1DA32724B5D8532E AA958AC SHA1: C5E8F45D98E6913BBE14F39071A FA3EA SHA-256: E06B5F5DBF25F2A6702AF82903F686B70C0AD F C01FF6EB3A53 Copyright Joe Security LLC 2018 Page 37 of 347

C:\Windows\java.exe
  Process: C:\Users\user\Desktop\1letter.exe
  File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
  Malicious: true
C:\Windows\java.exe:Zone.Identifier
  Process: C:\Users\user\Desktop\1letter.exe
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 26
  Malicious: true
C:\Windows\services.exe
  Process: C:\Users\user\Desktop\1letter.exe
  File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
  Size (bytes): 8192
  Malicious: true
  Joe Sandbox View:
    Filename: , Detection: malicious
    Filename: qisheng.com, Detection: malicious
    Filename: , Detection: malicious
    Filename: , Detection: malicious
    Filename: Instruction.scr, Detection: malicious
    Filename: , Detection: malicious
    Filename: document.exe, Detection: malicious
    Filename: , Detection: malicious
    Filename: , Detection: malicious
    Filename: .exe, Detection: malicious
    Filename: .exe, Detection: malicious
    Filename: , Detection: malicious
    Filename: qisheng.com, Detection: malicious
    Filename: , Detection: malicious
    Filename: .com, Detection: malicious
    Filename: , Detection: malicious
    Filename: zhendongshoes.com, Detection: malicious
    Filename: .com, Detection: malicious
    Filename: .exe, Detection: malicious
    Filename: , Detection: malicious

Contacted Domains/Contacted IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation
smtp.northcoast.com true 0%, virustotal low
search.yahoo.com true 0%, virustotal high
northcoast.com true true 0%, virustotal low
rocketmail.com true true 0%, virustotal low
true 0%, virustotal low
true 0%, virustotal high
aol.com true 0%, virustotal high
mail.theriver.com true 0%, virustotal low
ipv4.google.com true 0%, virustotal high
smtp.pobox.com true 0%, virustotal high
theriver.com true true 0%, virustotal low
onlineconnections.com.au true true 0%, virustotal low
mail.northcoast.com true 0%, virustotal low
vdmfk.lol.li true true low
.arizona.edu true 0%, virustotal high
mail.onlineconnections.com.au true 0%, virustotal low
mail.pobox.com true 0%, virustotal high
mail.cl.cam.ac.uk true 0%, virustotal low
search.lycos.com true 0%, virustotal high
pobox.com true 0%, virustotal high
mx.northcoast.com true 0%, virustotal low
mx.cl.cam.ac.uk unknown unknown true 0%, virustotal low
cscgpo.anu.edu.au unknown unknown true low
mail.src.dec.com unknown unknown true 0%, virustotal low
smtp.worldnet.att.net unknown unknown high
mx.src.dec.com unknown unknown true 0%, virustotal low
atwola.com unknown unknown 0%, virustotal high
mail.uh01.colorado.edu unknown unknown high
mx.uh01.colorado.edu unknown unknown high
uh01.colorado.edu unknown unknown high
worldnet.att.net unknown unknown 0%, virustotal high
flex-radio.biz unknown unknown true 0%, virustotal low
src.dec.com unknown unknown true 0%, virustotal low
mx.worldnet.att.net unknown unknown high
mx.onlineconnections.com.au unknown unknown true 0%, virustotal low
ams.org unknown unknown 0%, virustotal high
uts.amdahl.com unknown unknown true 0%, virustotal unknown
openoffice.org unknown unknown 0%, virustotal high
smtp.src.dec.com unknown unknown true 0%, virustotal low
alv.umd.edu unknown unknown high
unicode.org unknown unknown 0%, virustotal high
smtp.uh01.colorado.edu unknown unknown high
sprintmail.com unknown unknown true 0%, virustotal unknown
skypoint.com unknown unknown true 0%, virustotal low
trib.com unknown unknown 0%, virustotal high
o-netcom.com unknown unknown true 0%, virustotal low
mx.theriver.com unknown unknown true 0%, virustotal low
mail.worldnet.att.net unknown unknown high
netcom.com unknown unknown true low
freebsd.org unknown unknown high
guanfang.com unknown unknown true unknown
wie-wie.com unknown unknown true unknown
van-staveren-4.myweb.nl unknown unknown true low
mailexcite.com unknown unknown true low
gte.net unknown unknown true low
van-beijnum.nl unknown unknown true unknown
bryson.demon.co.uk unknown unknown true low
austin.ibm.com unknown unknown high
ix.netcom.com unknown unknown true low
mx.pobox.com unknown unknown high
smtp.onlineconnections.com.au unknown unknown true low
cl.cam.ac.uk unknown unknown true low
portofnewport.com unknown unknown true low
nwg.nectec.or.th unknown unknown true low
usc.edu unknown unknown high

Contacted IPs

IP Country Flag ASN ASN Name Malicious
United States 3356 LEVEL3- Level3CommunicationsIncUS
unknown unknown unknown
Austria 5385 RUSSMEDIA-ITAT true
United States 3356 LEVEL3- Level3CommunicationsIncUS
United States CONFLUENCE-NETWORK-INC- ConfluenceNetworksIncVG
United States UNIFIEDLAYER-AS-1- UnifiedLayerUS
United States 3356 LEVEL3- Level3CommunicationsIncUS
United States 1668 AOL-ATDN- AOLTransitDataNetworkUS true true
United States YAHOO-GQ1-YahooUS
United States GOOGLE-GoogleIncUS
United States VOXEL-DOT-NET- VoxelDotNetIncUS true
United States 6354 LYCOS-LycosIncUS
United States 1706 UNIV-ARIZ-UniversityofArizonaUS
United States YAHOO-3-YahooUS true
United Kingdom 786 JANETJiscServicesLimitedGB
United States GOOGLE-GoogleIncUS
United States 7922 COMCAST ComcastCableCommunicationsLL CUS
United States GOOGLE-GoogleIncUS true

Static File Info

General
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

TrID:
  Win32 Executable (generic) a ( /4) 99.37%
  UPX compressed Win32 Executable (30571/9) 0.30%
  Win32 EXE Yoda's Crypter (26571/9) 0.26%
  Clipper DOS Executable (2020/12) 0.02%
  Generic Win/DOS Executable (2004/3) 0.02%
File name: 1letter.exe
File Content Preview: MZ...@...!..L.!Th is program cannot be run in DOS mode...$......pe..l......`...

File Icon

Static PE Info

General
Entrypoint: 0x50ed00
Entrypoint Section: UPX1
Imagebase: 0x
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Time Stamp: 0x0 [Thu Jan 1 00:00: UTC]
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 98cd465c2ab2841f9fd90d5e847563f4

Entrypoint Preview

Instruction
pushad
mov esi, h
lea edi, dword ptr [esi h]
push edi
or ebp, FFFFFFFFh
jmp 00007EFC h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007EFC h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007EFC Fh
mov eax, h
add ebx, ebx
jne 00007EFC h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007EFC h
jne 00007EFC Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007EFC h
xor ecx, ecx
sub eax, 03h
jc 00007EFC Fh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007EFC703823A6h
mov ebp, eax
add ebx, ebx
jne 00007EFC h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007EFC h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007EFC h
inc ecx
add ebx, ebx
jne 00007EFC h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007EFC h
jne 00007EFC Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007EFC h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007EFC h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007EFC h
jmp 00007EFC h
nop
mov eax, dword ptr [edx]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf514 | 0x130 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x514 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 | 0x9000 | 0x6000 | 0x6000 | False | | data | | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x1000 | 0x800 | False | | data | | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xf0d8 | 0x2e8 | data | English | United States
RT_ICON | 0xf3c4 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0xf4f0 | 0x22 | MS Windows icon resource - 2 icons, 32x32, 16-colors | English | United States

Imports

DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll | RegCloseKey
MSVCRT.dll | memset
USER32.dll | wsprintfa
WS2_32.dll | gethostname

Possible Origin

Language of compilation system | Country where language is spoken
English | United States


More information

Frequently Asked Questions: EMC Captiva 7.5

Frequently Asked Questions: EMC Captiva 7.5 Frequently Asked Questions: EMC Captiva 7.5 Table of Contents What s New? Captiva Web Client Capture REST Services Migration/Upgrades Deprecated Modules Other Changes More Information What s New? Question:

More information

DEV498: Pattern Implementation Workshop with IBM Rational Software Architect

DEV498: Pattern Implementation Workshop with IBM Rational Software Architect IBM Software Group DEV498: Pattern Implementation Workshop with IBM Rational Software Architect Module 16: Plug-ins and Pluglets 2006 IBM Corporation Plug-ins and Pluglets Objectives: Describe the following

More information

Lecture Secure, Trusted and Trustworthy Computing Trusted Execution Environments Intel SGX

Lecture Secure, Trusted and Trustworthy Computing Trusted Execution Environments Intel SGX 1 Lecture Secure, and Trustworthy Computing Execution Environments Intel Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Winter Term 2015/2016 Intel

More information

AN RPM to TACH Counts Conversion. 1 Preface. 2 Audience. 3 Overview. 4 References

AN RPM to TACH Counts Conversion. 1 Preface. 2 Audience. 3 Overview. 4 References AN 17.4 RPM to TACH Counts Conversion 1 Preface 2 Audience 3 Overview 4 References This application note provides look up tables for the calculation of RPM to TACH Counts for use with the EMC2103, EMC2104,

More information

Outline. Background Performed evaluations. General experiences Future work. ATAM Experiences. Architecture used in 3O3P project SA-AFL architecture

Outline. Background Performed evaluations. General experiences Future work. ATAM Experiences. Architecture used in 3O3P project SA-AFL architecture Xiaohong Jin Pia Stoll Mariana Olsson Corporate Research ABB ATAM Experiences ABB AB, Corporate Research - 1 3/29/2005 Outline Background Performed evaluations Architecture used in 3O3P project SA-AFL

More information

Issue 2.0 December EPAS Midi User Manual EPAS35

Issue 2.0 December EPAS Midi User Manual EPAS35 Issue 2.0 December 2017 EPAS Midi EPAS35 CONTENTS 1 Introduction 4 1.1 What is EPAS Desktop Pro? 4 1.2 About This Manual 4 1.3 Typographical Conventions 5 1.4 Getting Technical Support 5 2 Getting Started

More information

Note: If anything is damaged or missing, contact your customer representative immediately.

Note: If anything is damaged or missing, contact your customer representative immediately. Package Contents The package includes: 1 Chassis 1-18 leafs according to the amount ordered 18 - X leaf blanks X = the amount ordered 1 leaf fan module 1 spine fan module 9 spines 1-2 management modules

More information

Rotel RSX-1055 RS232 HEX Protocol

Rotel RSX-1055 RS232 HEX Protocol Rotel RSX-1055 RS232 HEX Protocol Date Version Update Description February 2, 2012 1.00 Original Specification The RS232 protocol structure for the RSX-1055 is detailed below. This is a HEX based communication

More information

Performance Analysis with Vampir

Performance Analysis with Vampir Performance Analysis with Vampir Bert Wesarg Technische Universität Dresden Outline Part I: Welcome to the Vampir Tool Suite Mission Event trace visualization Vampir & VampirServer The Vampir displays

More information

What s cooking. Bernd Wiswedel KNIME.com AG. All Rights Reserved.

What s cooking. Bernd Wiswedel KNIME.com AG. All Rights Reserved. What s cooking Bernd Wiswedel 2016 KNIME.com AG. All Rights Reserved. Outline Continued development of all products, including KNIME Server KNIME Analytics Platform KNIME Big Data Extensions (discussed

More information

MetaXpress PowerCore System Installation and User Guide

MetaXpress PowerCore System Installation and User Guide MetaXpress PowerCore System Installation and User Guide Version 1 Part Number: 0112-0183 A December 2008 This document is provided to customers who have purchased MDS Analytical Technologies (US) Inc.

More information

ET9500 BEMS Interface Box Configuration Guide

ET9500 BEMS Interface Box Configuration Guide ET9500 BEMS Interface Box Configuration Guide APPLICABILITY & EFFECTIVITY Explains how to install and configure ET9500 BEMS Interface Box. The instructions are effective for the above as of August, 2015

More information

User s Manual. Suitable Products: Three phase grid tie inverter with energy storage Three phase off Grid inverter

User s Manual. Suitable Products: Three phase grid tie inverter with energy storage Three phase off Grid inverter SolarPower Pro User s Manual Suitable Products: Three phase grid tie inverter with energy storage Three phase off Grid inverter Management Software for Solar Inverter Table of Contents 1. SolarPower Pro

More information
