
ID: 186148
Sample Name: Rim of the World Unified School District Shared Docs.docx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 23:21:35
Date: 29/10/2019
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report Rim of the World Unified School District Shared Docs.docx 4
Overview 4
General Information 4
Detection 5
Confidence 5
Classification 6
Analysis Advice 6
Mitre Att&ck Matrix 6
Signature Overview 7
AV Detection: 7
Phishing: 7
Software Vulnerabilities: 7
Networking: 7
System Summary: 7
Hooking and other Techniques for Hiding and Protection: 8
Malware Analysis System Evasion: 8
HIPS / PFW / Protection Evasion: 8
Behavior Graph 8
Simulations 9
Behavior and APIs 9
Antivirus, Machine Learning and Genetic Malware Detection 9
Initial Sample 9
Dropped 9
Unpacked PE Files 9
Domains 9
URLs 9
Yara Overview 11
Initial Sample 11
PCAP (Network Traffic) 11
Dropped Files 11
Memory Dumps 11
Unpacked PEs 11
Sigma Overview 11
Joe Sandbox View / Context 11
IPs 12
Domains 12
ASN 13
JA3 Fingerprints 15
Dropped Files 17
Screenshots 17
Thumbnails 17
Startup 18
Created / dropped Files 18
Domains and IPs 29
Contacted Domains 29
URLs from Memory and Binaries 29
Contacted IPs 35
Public 35
Static File Info 35
General 35
File Icon 36
Network Behavior 36
Network Port Distribution 36
TCP Packets 36
UDP Packets 38
ICMP Packets 39
DNS Queries 39
DNS Answers 39
HTTPS Packets 40
Code Manipulations 43
Statistics 43
Behavior 43
System Behavior 43
Analysis Process: WINWORD.EXE PID: 4588 Parent PID: 696 43
General 43
File Activities 44
File Created 44
File Deleted 44
File Written 44
File Read 44
Registry Activities 44
Key Created 44
Key Value Created 45
Key Value Modified 46
Analysis Process: iexplore.exe PID: 4924 Parent PID: 696 46
General 46
File Activities 46
Registry Activities 47
Analysis Process: iexplore.exe PID: 3436 Parent PID: 4924 47
General 47
File Activities 47
Registry Activities 47
Disassembly 47
Code Analysis 47

Copyright Joe Security LLC 2019 Page 2 of 47

Analysis Report Rim of the World Unified School District Shared Docs.docx

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 186148
Start date: 29.10.2019
Start time: 23:21:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 12s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Rim of the World Unified School District Shared Docs.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, 63, Java 8.171, Flash 30.0.0.113
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.phis.winDOCX@4/40@7/3
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .docx; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Browse link: https://escapespamnow.ml/col/index.php; Scroll down; Close Viewer

Warnings:
Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, conhost.exe, CompatTelRunner.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 13.107.5.88, 13.107.3.128, 52.114.128.9, 23.0.174.185, 23.0.174.200, 8.248.125.254, 67.26.75.254, 8.253.204.120, 8.248.141.254, 8.248.113.254, 104.83.120.32, 152.199.19.161, 13.107.4.50, 67.27.157.126, 8.248.129.254, 8.253.207.120, 67.26.137.254
Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, ie9comview.vo.msecnd.net, s-0001.s-msedge.net, mobile.pipe.aria.microsoft.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, e-0009.e-msedge.net, a767.dscg3.akamai.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, prd.col.aria.mobile.skypedata.akadns.net, go.microsoft.com, au.au-msedge.net, pipe.skype.com, audownload.windowsupdate.nsatc.net, go.microsoft.com.edgekey.net, pipe.prd.skypedata.akadns.net, au.c-0001.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, config.edge.skype.com, pipe.cloudapp.aria.akadns.net, cs9.wpc.v0cdn.net
Execution Graph export aborted for target WINWORD.EXE, PID 4588 because there are no executed functions
Execution Graph export aborted for target iexplore.exe, PID 3436 because it is empty
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.

Detection

Strategy: Threshold
Score: 60
Range: 0 - 100
Reporting Whitelisted: false

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification

(Classification diagram; only its labels are recoverable) Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious, suspicious, clean.

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

The matrix lists, per tactic column, the techniques shown in the report; a trailing number is the count of matched signatures for that technique.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Exploitation for Client Execution 1; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Process Injection 1; Binary Padding; Rootkit; Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Process Discovery 1; Security Software Discovery 1; File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 2; Multiband Communication

Signature Overview

• AV Detection
• Phishing
• Software Vulnerabilities
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion


AV Detection:

Antivirus detection for URL or domain

Antivirus or Machine Learning detection for dropped file

Phishing:

Phishing site detected (based on logo template match)

HTML body contains low number of good links

No HTML title found

Suspicious form URL found

META author tag missing

META copyright tag missing

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)

Networking:

Domain name seen in connection with other malware

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

Uses HTTPS

System Summary:


Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Spawns processes

Found graphical window changes (likely an installer)

Checks if Microsoft Office is installed

Uses new MSVCR Dlls

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Behavior Graph

(Behavior graph; the rendered graph is not recoverable, the labels below are)
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .NET, C# or VB.NET; C, C++ or other language; Is malicious; Internet
ID: 186148; Sample: Rim of the World Unified Sc...; Startdate: 29/10/2019; Architecture: WINDOWS; Score: 60
Processes shown: WINWORD.EXE, iexplore.exe, iexplore.exe (edges labelled "started"; counters shown: 6 85 96 54 and 2 63)
Signatures shown: Antivirus or Machine Learning detection for dropped file; Phishing site detected (based on logo template match); Antivirus detection for URL or domain
Network: escapespamnow.ml (206.217.139.112, 443, 49751, 49752; ASN unknown; United States); urlvalidation.com (138.201.253.2, 443, 49762, 49763; ASN unknown; Germany); 2 other IPs or domains
Dropped: C:\Users\user\AppData\Local\...\index[1].htm, HTML

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Rim of the World Unified School District Shared Docs.docx | 0% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3PRWWXOM\index[1].htm | 100% | Avira | HTML/Infected.WebPage.Gen

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
lancheck.net | 3% | Virustotal |
escapespamnow.ml | 100% | Safe Browsing | phishing
rules.similardeals.net | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
www.mercadolivre.com.br/ | 0% | Virustotal |
www.mercadolivre.com.br/ | 0% | Avira URL Cloud | safe
https://escapespamnow.ml/col/index.phpbe.urlconfig | 100% | Google Safe Browsing | phishing
www.merlin.com.pl/favicon.ico | 0% | Virustotal |
www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
www.dailymail.co.uk/ | 0% | Virustotal |
www.dailymail.co.uk/ | 0% | URL Reputation | safe
https://escapespamnow.ml/col/index.phpu | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpt | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpr | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpq | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/files/email-validation.jshttps://escapespamnow.ml/col/files/5cfd9308c50 | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/files/5cfd9308c50e4f8ae9.jsC: | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpn | 100% | Google Safe Browsing | phishing
https://lancheck.net/optout/get?jsonp=__twb_cb_194729492&key=5cfd9308c50e4f8ae9&t=1572416634992 | 0% | Avira URL Cloud | safe
https://lancheck.net/metric/?mid=&wid=49499&sid=&tid=1487&rid=OPTOUT_RESPONSE_OK4 | 0% | Avira URL Cloud | safe
https://escapespamnow.ml/col/index.phpV | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpU | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpS | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpR | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpP | 100% | Google Safe Browsing | phishing
schemas.#-E | 0% | Avira URL Cloud | safe
https://escapespamnow.ml/col/index.phpl | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/files/e.jpg | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpg | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/favicon.ico?9? | 100% | Google Safe Browsing | phishing
busca.igbusca.com.br//app/static/images/favicon.ico | 0% | Virustotal |
busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
https://escapespamnow.ml/col/index.phpc | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpa | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/index.phpRMicrosml/col/index.phpRoot | 100% | Google Safe Browsing | phishing
https://lancheck.net/addons/lnkr5.min.jsU | 0% | Avira URL Cloud | safe
www.etmall.com.tw/favicon.ico | 0% | Virustotal |
www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
it.search.dada.net/favicon.ico | 0% | Virustotal |
it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
cps.letsencrypt.org0 | 0% | URL Reputation | safe
search.hanafos.com/favicon.ico | 0% | Virustotal |
search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
cgi.search.biglobe.ne.jp/favicon.ico | 0% | Virustotal |
cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
search.msn.co.jp/results.aspx?q= | 0% | Virustotal |
search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
buscar.ozu.es/ | 0% | Virustotal |
buscar.ozu.es/ | 0% | Avira URL Cloud | safe
www.microsoft.coy7 | 0% | Avira URL Cloud | safe
https://escapespamnow.ml/col/index.php | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/favicon.ico | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/files/p.jpgTP | 100% | Google Safe Browsing | phishing
https://lancheck.net/optout/set/strtm?jsonp=__twb_cb_235039011&key=5cfd9308c50e4f8ae9&cv=1572416635& | 0% | Avira URL Cloud | safe
search.auction.co.kr/ | 0% | Virustotal |
search.auction.co.kr/ | 0% | URL Reputation | safe
https://escapespamnow.ml/col/index.phpjsonp=__twb_cb_938910744&key=5cfd9308c50e4f8ae9&cv=23&t=157241 | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/files/lnkr5.jsC: | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/files/wrdd.png | 100% | Google Safe Browsing | phishing
www.pchome.com.tw/favicon.ico | 0% | Virustotal |
www.pchome.com.tw/favicon.ico | 0% | Avira URL Cloud | safe
browse.guardian.co.uk/favicon.ico | 0% | Virustotal |
browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
https://escapespamnow.ml/col/files/whoami | 100% | Google Safe Browsing | phishing
google.pchome.com.tw/ | 0% | Virustotal |
google.pchome.com.tw/ | 0% | Avira URL Cloud | safe
https://lancheck.net/addons/lnkr5.min.js- | 0% | Avira URL Cloud | safe
https://escapespamnow.ml/col/files/email-validation.jsS | 100% | Google Safe Browsing | phishing
www.ozu.es/favicon.ico | 0% | Virustotal |
www.ozu.es/favicon.ico | 0% | Avira URL Cloud | safe
https://escapespamnow.ml/col/mm.jpgs | 100% | Google Safe Browsing | phishing
search.yahoo.co.jp/favicon.ico | 0% | Virustotal |
search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
www.gmarket.co.kr/ | 0% | Virustotal |
www.gmarket.co.kr/ | 0% | URL Reputation | safe
https://escapespamnow.ml/col/index.phphttps://escapespamnow.ml/col/index.php//lancheck.net/addons/ln | 100% | Google Safe Browsing | phishing
www.founder.com.cn/cn/bThe | 0% | Virustotal |
www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://lancheck.net/metric/?mid=&wid=49499&sid=&tid=1487&rid=BEFORE_OPTOUT_REQ | 0% | Avira URL Cloud | safe
https://escapespamnow.ml/col/index.phpvp | 100% | Google Safe Browsing | phishing
https://escapespamnow.ml/col/files/bac.jpgP | 100% | Google Safe Browsing | phishing
crt.co | 0% | Virustotal |
crt.co | 0% | Avira URL Cloud | safe
search.orange.co.uk/favicon.ico | 0% | Virustotal |
search.orange.co.uk/favicon.ico | 0% | Avira URL Cloud | safe
www.iask.com/ | 0% | Virustotal |
www.iask.com/ | 0% | Avira URL Cloud | safe
https://escapespamnow.ml/col/files/email-validation.js. | 100% | Google Safe Browsing | phishing
https://lancheck.net/metric/?mid=&wid=49499&sid=&tid=1487&rid=BEFORE_OPTOUT_REQ&t=1572416634983 | 0% | Avira URL Cloud | safe
service2.bfast.com/ | 0% | Virustotal |
service2.bfast.com/ | 0% | URL Reputation | safe
www.news.com.au/favicon.ico | 0% | Virustotal |
www.news.com.au/favicon.ico | 0% | Avira URL Cloud | safe
https://lancheck.net/optout/get?jsonp=__twb_cb_194729492&key=5cfd9308c50e4f8ae9&t=1572416634992https | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Associated Sample Name / URL | Detection | Context

Match: 138.201.253.2
The Southern Alberta Institute of Technology Shared Document.pdf | malicious |
noname.pdf | malicious |
https://defibthis.enrollware.com/schedule?location\=6650 | malicious |
https://adtdoor.com/oauth2/data/ff787c4ca2f35e704030e1812d2d06bf/3kmw75o8x8w1st54hoya2p2q.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=&loginpage=&.rand=13InboxLight.aspx?n=1774256418&fid=4#n=1252899642&fid=1&fav=1 | malicious |
Colorado Mesa University Document.pdf | malicious |
Palomar Health Secured Doc..pdf | malicious |

Match: 206.217.139.112
Rim of the World Unified School District Shared Docs.docx | malicious |

Match: 64.58.121.60
promclickapp.biz/1e6ab715a3a95d4603.js | malicious | promclickapp.biz/1e6ab715a3a95d4603.js
promclickapp.biz/1e6ab715a3a95d4603.js | malicious | promclickapp.biz/1e6ab715a3a95d4603.js
minisrclink.cool/optout/get?jsonp=__mtz_cb_382943028&key=1e40c8bd4601a5a5a4&t=1570817583219 | malicious | minisrclink.cool/favicon.ico
sourcelog.cool/metric/?mid=6a131&wid=52319&sid=&tid=7431&rid=MNTZ_LOADED&t=1547642778849 | malicious | sourcelog.cool/favicon.ico
minisrclink.cool/metric/?mid=&wid=52345&sid=&tid=7744&rid=LAUNCHED&t=1570820856209 | malicious | minisrclink.cool/favicon.ico
makesource.cool/metric/?mid=&wid=51151&sid=&tid=4654&rid=FINISHED&custom1=scheduler.swmed.edu&t=1570824004250 | malicious | makesource.cool/favicon.ico
outsource.cool/optout/get?jsonp=__mtz_cb_523805918&key=19e6526a49428031dd&t=1568886942618 | malicious | outsource.cool/favicon.ico
sourcebig.cool/2141de32067c671938.js | malicious | sourcebig.cool/2141de32067c671938.js
Brock University Shared Document.pdf | malicious | lancheck.net/metric/?mid=cd1d2&wid=49499&sid=&tid=1487&rid=MNTZ_LOADED&t=1560304914933

Domains

Associated Sample Name / URL | Detection | Context

Match: lancheck.net
The Southern Alberta Institute of Technology Shared Document.pdf | malicious | 64.58.121.60
noname.pdf | malicious | 64.58.121.60
Akron Children's Hospital shared document .pdf | malicious | 64.58.121.60
Brock University Shared Document.pdf | malicious | 64.58.121.60
Colorado Mesa University Document.pdf | malicious | 217.23.4.32
Palomar Health Secured Doc..pdf | malicious | 217.23.4.32
https://corpfacilities.com.br/manfi/scan.html | malicious | 104.27.182.160
https://info-users.ca/fiman/scan.html | malicious | 104.27.183.160
AECOM Meeting Agenda..pdf | malicious | 104.27.182.160
ihack.my.id/cgi-bni/extrine | malicious | 104.27.182.160
ihack.my.id/cgi-bni/extrine | malicious | 104.27.183.160
bit.ly/2FOcV1A | malicious | 104.27.183.160
https://indimetalsac.com/aah/scan.html | malicious | 104.27.182.160
https://kireymoveis.com.br/khealth/scan.html | malicious | 104.27.183.160

Match: urlvalidation.com
The Southern Alberta Institute of Technology Shared Document.pdf | malicious | 138.201.253.2
noname.pdf | malicious | 138.201.253.2
Akron Children's Hospital shared document .pdf | malicious | 138.201.253.3
Brock University Shared Document.pdf | malicious | 138.201.253.3
Colorado Mesa University Document.pdf | malicious | 138.201.253.2
Palomar Health Secured Doc..pdf | malicious | 138.201.253.2
https://corpfacilities.com.br/manfi/scan.html | malicious | 104.27.139.193
https://info-users.ca/fiman/scan.html | malicious | 104.27.139.193
AECOM Meeting Agenda..pdf | malicious | 104.27.138.193
ihack.my.id/cgi-bni/extrine | malicious | 104.27.139.193
ihack.my.id/cgi-bni/extrine | malicious | 104.27.138.193
bit.ly/2FOcV1A | malicious | 104.27.139.193
https://indimetalsac.com/aah/scan.html | malicious | 104.27.138.193
https://kireymoveis.com.br/khealth/scan.html | malicious | 104.27.138.193

ASN

Associated Sample Name / URL | Detection | Context

Match: unknown
efax_document675724_17.doc | malicious | 104.28.7.253
Rim of the World Unified School District Shared Docs.docx | malicious | 206.217.139.112
Invoice for Service.doc | malicious | 139.59.46.165
Invoice for Service.doc | malicious | 18.188.62.163
Invoice for Service.doc | malicious | 139.59.46.165
https://mvpvtiti.org/fileonedrives/onedri/one/index.php | malicious | 173.208.173.98
WO-2197 Medical report p2.doc | malicious | 151.106.27.169
https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmicrosofaetp79nyou9rblz.z13.web.core.windows.net%2Findex.php%3Fc%3Dttt010at04at2t08at08atttt014at015at0t010at03at3t013at02at09at1t02a.t3t013at04a&data=01%7C01%7CNGill%40stanfordhealthcare.org%7C30fbf654e95c45ecc1f708d75a28a88b%7C9866b506dc9d48ddb7203a50db77a1cc%7C0&sdata=6q0NMP2SLFU1wpNTaIOsfisfgEc0pisENexUhmH9EIc%3D&reserved=0 | malicious | 40.71.240.21
https://b24-kb31ji.bitrix24.com/~NfhSr | malicious | 173.194.151.123
https://microsofgl810nq4ey9ztv7.z13.web.core.windows.net/index.htm?c=eee07ae0e015ae2e1.e014ae07ae1e1e08ae014aeeee00ae013ae3e015ae05ae1e013a.e01ae3e09a | malicious | 40.71.240.21
nWFPvOTUTF.pdf | malicious | 54.228.234.68
https://officemuag7t22nefqgmeko.z13.web.core.windows.net/index.php?c=ooo07ao0o015ao2o1.o014ao07ao1o1o08ao014aoooo00ao013ao3o015ao05ao1o013a.o01ao3o09a | malicious | 40.71.240.21
www.kazzuestore.com/wp-content/sasha-lee1.php | malicious | 166.62.110.90
centos.msi | malicious | 85.204.116.139
FileZilla_3.45.1_win64_sponsored-setup.exe | malicious | 136.243.154.122
centos.msi | malicious | 104.20.17.242
https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapp.smartsheet.com%2Fb%2Fhome%3Flx%3DYh3NYb30nMw1-nbxs6cBOOWXr8gl2ToQqmkGaGa2Lj4%26mtb%3D48&data=01%7C01%7Cgraffhuang%40stanfordhealthcare.org%7C3cd844df448b4c9c547908d75c9e43ef%7C9866b506dc9d48ddb7203a50db77a1cc%7C0&sdata=H8eX8emut%2BGgMFsjuYI3MptFSPoRfls59A%2FfKj5SG4g%3D&reserved=0 | malicious | 151.101.12.157
www.justpreschoolthemes.com | malicious | 207.204.50.171
https://cardeansolutions.com/Voice%20mail%20iphone/iphone | malicious | 192.254.235.39
https://cardeansolutions.com/Voice%20mail%20iphone/iphone | malicious | 192.254.235.39

Match: unknown (same associated samples and contexts as the block above)

Match: unknown (same associated samples and contexts as the block above)

JA3 Fingerprints

Associated Sample Name / URL | Detection | Context

Match: 9e10692f1b7f78228b2d4e424db3a98c (context for every row: 138.201.253.2, 206.217.139.112, 64.58.121.60)
https://mvpvtiti.org/fileonedrives/onedri/one/index.php | malicious
https://b24-kb31ji.bitrix24.com/~NfhSr | malicious
nWFPvOTUTF.pdf | malicious
https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapp.smartsheet.com%2Fb%2Fhome%3Flx%3DYh3NYb30nMw1-nbxs6cBOOWXr8gl2ToQqmkGaGa2Lj4%26mtb%3D48&data=01%7C01%7Cgraffhuang%40stanfordhealthcare.org%7C3cd844df448b4c9c547908d75c9e43ef%7C9866b506dc9d48ddb7203a50db77a1cc%7C0&sdata=H8eX8emut%2BGgMFsjuYI3MptFSPoRfls59A%2FfKj5SG4g%3D&reserved=0 | malicious
www.justpreschoolthemes.com | malicious
https://cardeansolutions.com/Voice%20mail%20iphone/iphone | malicious
https://cardeansolutions.com/Voice%20mail%20iphone/iphone | malicious
https://demo.seafile.com/d/ab64a86a4c674180a86f/files/?p=%2FPROJECT.pdf | malicious
https://cc.elsuperwedeservebetter.net/wp-admin/DocumentFile.php | malicious
https://urldefense.proofpoint.com/v2/url?u=https-3A__coulbourneconsulting-2Dmy.sharepoint.com-3A443_-3Ab-3A_p_admin_ERqYMQitcLlLkX847kr5MIsBS2hAL1QJlKd8uXD4jEEzBg-3Fe-3D4-253aTh7JOX-26at-3D9&d=DwMFAg&c=0ia8zh_eZtQM1JEjWgVLZg&r=zJIaBgeoSBzFfg7bza33cAHy_bjzcUdBvZxH5WqxbFk&m=xdOH0adK-7GSYdg-JFiDDYflDgGmgjlKBFEWq8aXATo&s=Tm6PniggZx2FEwoorDK7Za7q8Qp2_0DBDSgG2ZX8aYU&e= | malicious
https://dendmanphesur1983.blogspot.si/ | malicious
https://prepinagly1970.blogspot.in/ | malicious
59glh.tatasifiul.ro/?l=_ZXCB1_aPXC&ssddsssdds=kbra.com&sddsss=dchui | malicious
announcement.smarttechresources.net/track.aspx?6OxJvzbWgtyuD1z1ovZRjhA7oCeMofncfehKrR8LacCTunDd8llWUsge4AR9zTiorDL1aZ4kAoU= | malicious
#Ud83d#Udd0a VM Monday 10-28-2019_02oo22922.wav.htm | malicious
ks78pNuReS.pdf | malicious
https://jeo.egnyte.com/dl/tVM0WrHuy0 | malicious
https://vandampad.top/b/ZS?[email protected] | malicious
brixdistillers.html | malicious
https://freedomforall.appspot.com/index.html | malicious

Match: 37f463bf4616ecd445d4a1937da06e19 (context for every row: 206.217.139.112)
https://mvpvtiti.org/fileonedrives/onedri/one/index.php | malicious
https://cc.elsuperwedeservebetter.net/wp-admin/DocumentFile.php | malicious
ks78pNuReS.pdf | malicious
https://vandampad.top/b/ZS?[email protected] | malicious
https://mfdeqlprod.appspot.com/gea#ZGF2aWQuY3Jpc3RAYnJvdGhlci5jb20= | malicious
https://www.afipowder.com/inc/dib/ | malicious
https://mfdeqlprod.appspot.com/gea#am9obnkuYnJhdm9AY2FydG9vbm5ldHdvcmsuY28udWsucnUK | malicious
https://hnkcsystems.com/secured/workplace/index.php | malicious
https://recycledcreations.org/xxx/scan.html | malicious
https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fclick.icptrack.com%2Ficp%2Frelay.php%3Fr%3D30000099%26msgid%3D6080008%26act%3DF00B%26c%3D1778479%26destination%3Dhttp%3A%2F%2Fgalizia.ch%2Fssl%2F%3F0%40%3Ddantutcher%40centercoastcap.com&data=02%7C01%7CDan.Tutcher%40brookfield.com%7C2e5ce776fbc54d57bfce08d759681e89%7Cdaf884b0be164f2a8bbbdc6099a56844%7C0%7C1%7C637076176055748832&sdata=lSfMr2pueECl7YbWRjqXtosJbD8znpOqI7OcIQTscgc%3D&reserved=0 | malicious
41#U0442.exe | malicious
Symbio.pdf | malicious
https://u3446753.ct.sendgrid.net/wf/click?upn=smp0-2BUhTkseXhJKG9whoQ6ZCx0d-2Fp-2BLz-2FtbQLXa2kKM98GXQkjvQVaW2k7eTXtZ5ch4SbSVHWPRI9Gsq2ihXbg-3D-3D_O7ROD4svS-2BWtZVG4Rcp0Qi9t-2FvFmW6RVwIOeJatN7aN1ERGWsP5WZcj-2FyJoE8xT2vUBcaqvF9fl6vqP5cExOPO-2BhIPHcaitr-2BCMEyNzKgzBeWmVvTiRCWMRLg1Hur-2F8o4Iw0bLXTSw63ze3JnYnTJ-2B0QNa20AoNmNgmitCp-2FVyjwoZ9Yd9pkeyBmdEXMxDsWlk9Dl0OXH72YPpmLxAVUlG0Hx6MalSrfo-2FWQ9lNpoVo-3D | malicious
https://u13056879.ct.sendgrid.net/wf/click?upn=LT0sWijExdbYzUMSzv4amb-2BmaLqmqmSLzK-2BWJGLqCcDDVDmqSyPu3rzoGWYOG1Kmg1L6ReMclKQZqBK-2F2wyvafvy6MQsF4ES1QMcZLvGJ1SvPbPdEyaM84-2FOL9PDdayj_IdOfBFMia4RNOuN3bmCuIhidDjKesACoRY-2FEq3yytpxNiEE-2B6UElBGabJsIYJEJOJIjSry-2BMRFGoDwBBLD4RfCQ-2Fe2vWHSun2mj8lDdTJ9WJvhyphw8hGDk-2Bt8OULKzZ7VaHTfkeWxL7nyHw4hvWEJeTFDF3vYU2g1bpTW-2BNnFLfAqG-2BvkrrQ53ThvJLcddP6CEqXikfPVO-2BIP-2B4ZsGrwLjhYQkzrLYA-2FYQKUD4Yc-2Fg-3D | malicious
www.housedesignsrl.it | malicious
https://mnxzs.github.io/ncmax/ | malicious
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.acephotodigital.net%2Fm1soft%2F%3Fmes1%3Djake.willman%40hdrinc.com&data=02%7C01%7CBryan.Cook%40hdrinc.com%7C8e9d020c6a4845ecf19e08d758c9bdda%7C3667e201cbdc48b39b425d2d3f16e2a9%7C0%7C0%7C637075495801229521&sdata=5qLJMnAvFz7kWp81EHWUYEDZf2MmBVEgq5JzL9zFuRM%3D&reserved=0 | malicious
https://thcstranphu.edu.vn/wp | malicious
Swift_MT103_-USD_550000_Settlement.xls | malicious

bonny (1).pdf Get hash malicious Browse 206.217.13 9.112

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
WINWORD.EXE (PID: 4588 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /Automation -Embedding MD5: EFDE23ECDF60D334C31AF2A041439360)
iexplore.exe (PID: 4924 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 3436 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4924 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D1A53C8C-FADD-11E9-AADE-44C1B3FB757B}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 33368
Entropy (8bit): 1.881966418887137
Encrypted: false
MD5: 0447B576782E272FB704F3CDD8C3EEBF
SHA1: 69FE78421C14D04C94CD7482C69765252104F051
SHA-256: 3AE91C83486F420211AEE44DA5F638217652B7AEFEDAB32E7812882E2DF3FE3B
SHA-512: 223D146672186D9D9E92F4A44501EAEBE5F36466A68D3B3B9A175ADEC767C2A6AC3BCBCA1A419B8AF701B8E182AC0B5FCDDFE80318E5B612D070D4C050A1A719
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D1A53C8E-FADD-11E9-AADE-44C1B3FB757B}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 31666
Entropy (8bit): 1.8371905057629487
Encrypted: false
MD5: A83E8AACD888A7003B1CCE46CADB66BE
SHA1: DDEDEF9C7869823B8DA3A6C1FA0ABEC3C592EA63
SHA-256: DC8A5905AA64DB8D7E8B92CFD08C43EFDF31BFE0E082EFD3A4A558BFAC8DDF35
SHA-512: 7F0E98F611C7F058A5019DA4552C3EA2287F6C5C3B98A4E6D353A520986D64433B3AA9583090DB49795044E231C6EE09CD41FDC8C9A453A5BED459148B9459E1
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DBBD1B78-FADD-11E9-AADE-44C1B3FB757B}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 16984
Entropy (8bit): 1.566657260465042
Encrypted: false
MD5: ECFDD5A1B7214C12746802DA8CC70EC4
SHA1: 3F2CF002E7B0A0C9F71F4D31E7A90BE673B83DDA
SHA-256: 6E8C5BD3685A384319963DCD6A450C3D0AE05CD4235D77E5EBB5F37D4C27511F
SHA-512: 4CC32A7061E859C5335DFC48C2433086E625C312819EA39478D85A4B733F7C19DBB61902F0B118CF6B638B66EBAA132B8170D6F11FC7A0410C2D98910B89DE8E
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 665
Entropy (8bit): 5.075567095476603
Encrypted: false
MD5: 15EAFB76CC3A9007105C126AA4BFB742
SHA1: 85963B213D23DA41178A8746EF7453500450C31F
SHA-256: 26E7C6817B04C01EE5D8F7CB54CB808C36428240C3D6817C4C20ABE0E7211DC2
SHA-512: 36B9D1E83939F1801CF9A8F11B456270F6465285A9A6FE0B72A539714141DA9BEAC0A599A3029FB45E39F114653B27ABE142B602AA204F53A3AF9A9D103F625E
Malicious: false
Reputation: low
Preview: ..0xbf194de0,0x01d58eea<accdate>0xbf194de0,0x01d58eea....0xbf194de0,0x01d58eea0xbf194de0,0x01d58eea..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 662
Entropy (8bit): 5.097930210663009
Encrypted: false
MD5: 9B806F391B0DEE3156B5FECA10C1F07F
SHA1: FDFEFB887C39F5507B11854FD7F9F6D0D18820DA
SHA-256: 97DC123D35DC23274673FB9641FF53C23AFD4762600FEFCB9ACBD7A09BC02969
SHA-512: 78F30DA64B86E02EAF0C4B45872D7F578910712B33C1079FFF0720F68BEB232EBF1167FA2CAA093BCD9DEDCE4A44AB3E16447E3AE82B83AAA322A47B837FCE0B
Malicious: false
Reputation: low
Preview: ..0xbeebf92f,0x01d58eea0xbeebf92f,0x01d58eea....0xbeebf92f,0x01d58eea0xbeefc752,0x01d58eea..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 671
Entropy (8bit): 5.103517936444153
Encrypted: false
MD5: 1505629352612F858E18A94A18617208
SHA1: A345A7B35295628AA64E1D67BCC9C0507C79A108
SHA-256: 360E92AAF33A4F38CF0458D5AB5F71BC7825122D05E18062DA9B86E5E500D70B
SHA-512: D9AFF7DC39DAD970DC4C593003B9841F025284C693113E9A9C06D96E026469CA57680A4153D79904F83BABCBF68C6613409B929A5E9DAFA64A317204DD69742A
Malicious: false
Reputation: low
Preview: ..0xbf1ba529,0x01d58eea0xbf1ba529,0x01d58eea....0xbf1ba529,0x01d58eea0xbf1e07d0,0x01d58eea..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 419
Entropy (8bit): 5.196052312247706
Encrypted: false
MD5: 9F76BDF4480D097D769A7E7C6B9E05CE
SHA1: ADE4857445578BE17036235ADB9C90CE4BBD4F92
SHA-256: ADC36A6201041C169A7F158365DF3D0386D6588854C3A00F41CF39A9F0557C1D
SHA-512: 910AE25C7AE268664F8E19F72F9B58A9137EB5AFF189EEC7B7B6798A0667355FAE1E4AD10752ABB51820CC40D640D4BE24C1161FB8D92D8D3999ADC892A7745F
Malicious: false
Reputation: low
Preview: ..0x48594ba7,0x01d482630xbef85aa4,0x01d58eea\lowres.png..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.092878706017085
Encrypted: false
MD5: A85F0C92435682EB5998C55D348005F5
SHA1: 64918FB450D3D3E8F07CC33A5184F042DA18ADAD
SHA-256: 719B10C25A4118212D1C828FF6A2AA412D6403C4051BFD1D2B9591CB38CEF469
SHA-512: D8DDC0D6F7047CE508563B1B807DD5394F5734775DDC4224B7B4D7044D20AE286372A754B247A75BFDC5E11157016A80606C938220AD1A4399E4B7AB71544831
Malicious: false
Reputation: low
Preview: ..0xbf117321,0x01d58eea0xbf117321,0x01d58eea....0xbf117321,0x01d58eea0xbf117321,0x01d58eea ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 665
Entropy (8bit): 5.113468641273171
Encrypted: false
MD5: FCD75D5CDB71A80FD6A97839333553AA
SHA1: 7052CCB116508E084BC5C64E3C76511F00CEDDFB
SHA-256: F350E95709708BE5BF56233D665DC187BB439ADC135D528868E8F4C363CE6D00
SHA-512: B55C3631BFC96354F5D9C76955DC70461E5F24F891D4F44AE592095451E8901868BF77CCC4F706346000FA01724F961CFA018739182CA42637259AFFB8A2BEB2
Malicious: false
Reputation: low
Preview: ..0xbf2068ed,0x01d58eea<accdate>0xbf2068ed,0x01d58eea....0xbf2068ed,0x01d58eea0xbf20c900,0x01d58eea ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 662
Entropy (8bit): 5.115175225373127
Encrypted: false
MD5: EE60E79A6B9EB261071D14685E97D05A
SHA1: 4810B80561BC9441F603F8E14C946F822EA28BB7
SHA-256: 4DCFF181F63A79465C83C7BB8721E086D8B84AA88F82B3F40658E133EA82E907
SHA-512: 95B016DBF58B42D921BE2214A8219508B7EC3D732C4D592E470AA192E7965E516A7277B51E08EE68BB504757C19FB02CCEB9B2C16B39A9B3E890BD92B51889D3
Malicious: false
Reputation: low
Preview: ..0xbf169365,0x01d58eea0xbf169365,0x01d58eea....0xbf169365,0x01d58eea0xbf169365,0x01d58eea ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 665
Entropy (8bit): 5.094865112472522
Encrypted: false
MD5: A49331F32F867B87E81F721805E36A0C
SHA1: 7EE8A0B31D0FE109A93EDF6D0D6AD7AC2FCD7F6F
SHA-256: A6C577D55ACDAD6B86407EB515FE01A41F525743F244A8AE34631B7339665F37
SHA-512: 42FB99760870FC92FE508F8FDDCD0D890E37FEB05BB9FECB2AFC5ABAF198978BD617A4B59ADF4806001BD629364BC8CD5AC78E1A1B2EB8067EE2EC2B111C8FE9
Malicious: false
Reputation: low
Preview: ..0xbf13d1bf,0x01d58eea<accdate>0xbf13d1bf,0x01d58eea....0xbf13d1bf,0x01d58eea0xbf13d1bf,0x01d58eea ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 668
Entropy (8bit): 5.0987483925990675
Encrypted: false
MD5: BB84B3D7AA1A8672CBA5515541568D90
SHA1: FC7F9CFC75E78841648874F3C78E235BC35FFE31
SHA-256: E24ABAAD0D6766150192C208EAA814B5E3B3F7A31DDBB714543C25085E9BEF92
SHA-512: 22687FE8BA3E035DA2380C63D8DC98D962EF7C66F707E69ED6A36E302B0FDFEE16ABB51475877EB23782DF32DDCA1067726284464AF2FE2859A5CC54C337373D
Malicious: false
Reputation: low
Preview: ..0xbf06db2c,0x01d58eea0xbf06db2c,0x01d58eea....0xbf06db2c,0x01d58eea0xbf0bb386,0x01d58eea..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 662
Entropy (8bit): 5.065615338186342
Encrypted: false
MD5: 4B44FB3BCC4945D2C12D39036791BF5E
SHA1: D94CFA9B8E97FF9DA555F02C35164312A33BDF22
SHA-256: 8B34B216A96294776AFEAD7F3021AA7826E097B1C9286054780DB4B6155F1DE9
SHA-512: 6AE8C793D9C85C1DAAA998A707770EC6CD221D971306E580388FF7E6B152931464075128ADD82C4B47988E85A1C1E09F998AE0321DEEDC35CC15E459AE59356F
Malicious: false
Reputation: low
Preview: ..0xbf0e1655,0x01d58eea0xbf0e1655,0x01d58eea....0xbf0e1655,0x01d58eea0xbf0e1655,0x01d58eea ..

C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: SQLite Write-Ahead Log, version 3007000
Size (bytes): 4152
Entropy (8bit): 1.1786453537680925
Encrypted: false
MD5: B215ED636019F1F1A05E81D6CFACFBE5
SHA1: 99EF757E97F359FB9DA8A3D7020FBC90248F76F9
SHA-256: 1D73FE3626546F55128484E190E2651A689569A91A3B75D6DF49199F40B47948
SHA-512: 532BC7CF9F23D76495F3E56FB362F563CAF4495477AFD381B864521E2EE666E57777EFD326EC976B45742B795B0EF77738254F5D8A8137D55E981D85EF406ABB
Malicious: false
Reputation: low
Preview: 7....-...... {...7;!.[...... j...... {...7;!.m...8.$ SQLite format 3...... @ ...... d....d.g......

C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: SQLite 3.x database, last written using SQLite version 3019003
Size (bytes): 12288
Entropy (8bit): 0.9278563879561604
Encrypted: false
MD5: BFC0EB45C7B5976AAAAD5B946C1E65BD
SHA1: 01CECF85DE80E494532C8D75D36E4DAE48AEFC74
SHA-256: 75E2A113FE39E894D99B8DE7EBAEB6CFEE447883C6082A6A145BBC186071C09E
SHA-512: EA4BA39C8D064AC38F4EE3944CBA5254F3C3470938A855FDCF2FF3293EA2796D755E345E2DC193BB953A5D002B6EEEE820875EB9603516C67246A5CF24339BDE
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3...... @ ...... d....d.g......

C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session-journal
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Size (bytes): 13360
Entropy (8bit): 0.905969724478051
Encrypted: false
MD5: EA3B543A48A552CDCB8DE11978223FDA
SHA1: 5B6ED42D1FEE2B92F33CB1CAD31ADE8D30E351AD
SHA-256: 018ACDCF73DC0EB5AEAA1E27B15C4365F1B41D1208578E54739A1A62C4DFFB97
SHA-512: D8C8872B59902F236AA4596FE1DB41C8DEF4BFA20F8B32F862D072495CEB6A3A177EBF5F8D9F54A8D16DED9C886D914F09C7C7E3E85D62C8A0EFE439D730EB06
Malicious: false
Reputation: low
Preview: ...... C...... SQLite format 3...... @ ...... d....d.g......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D28B1D79.png
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: PNG image data, 2288 x 2794, 8-bit/color RGBA, non-interlaced
Size (bytes): 304823
Entropy (8bit): 7.82592395009625
Encrypted: false
MD5: C1267B689E929DA51079DBE1CE08A57E
SHA1: 6124BB01AD1A628B9BA08E60D988D8F238D6264B
SHA-256: 13D73A63BCF23A0EDA2A19799B3CAA12AB497893B4CB2631B5985C6CEB9A8198
SHA-512: B45178CEF2BE80D4C01584DE00767B35EB2D063D80053A2C0AC259BEBB290301998798ADF835EA51D8301DF9510C956865B4A5448A2E7DB6369B5005710AA3FB
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{19CCCE27-64D7-4EEC-BCF5-11C1E18C9865}.tmp
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
Preview: ......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{3239F0C0-63DE-4EF3-B89A-B6835DBEEBF3}.tmp
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Size (bytes): 1536
Entropy (8bit): 0.15730329745420424
Encrypted: false
MD5: 81AE1B727C40EBB23A75F6FE54001948
SHA1: 5CEC57FD322341A8A7E56893A3C66CC4156F0FC0
SHA-256: 1B71B1F44A908ABF495B1D88EE6E6A21DB2FE6656BE8923E8A228D06E938FD8A
SHA-512: 87E884A547298CC92A200CDD243F1CC42CB359EF1580C29531D15598B6439641A3D1E841423AAA30004902F4F82C3C76283FE0A37628E93550684A794A3BD213
Malicious: false
Preview: ../......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3PRWWXOM\get[1]
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text
Size (bytes): 144
Entropy (8bit): 4.315040337050618
Encrypted: false
MD5: 220075BB89E1F6426F5AD130FAEDCB65
SHA1: 53A7BBAF4BEF34D4B9E70C27562A2CB2250A1FD9
SHA-256: E4F26A27FE2C3126E2BDA36382A8A9518EAE27E57073EFC7F0F88B918574BD17
SHA-512: E9B4B98CE60E1E12182D5977CB5A8595A6769C45D4DC9BFE7B425B665EB85ECC1ECDD80386AA6C362BD82D12C69B062D538277F338BE43255F5426A66BB2FBC1
Malicious: false
Preview: __twb_cb_194729492({"success":"1","targeting":"0","country":"CH","userId":"","strTm":"","lt":"","lat":"","limits":"","lcFlag":"","optout":""});.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3PRWWXOM\index[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, ASCII text
Size (bytes): 5422
Entropy (8bit): 5.2771543520764626
Encrypted: false
MD5: 1955F7B8787B4FB4DCDB0C35ACA91907
SHA1: 5E06480F1F9DAF9AF155A74162BAB73345E8A622
SHA-256: 95162D200E07DA6700F55783589C74A13EF0BE4A95D67E1B402BDA59EC108FF1
SHA-512: CCFBBEC4AE4BE52F41D18FE8AAE359D6CBBA786850632C91CFA41EE8B57059CFC5CD03435909F69E4128777DE3F14F5A5FFB57BC262DD7536BD8878BE6DB8E9A
Malicious: true
Antivirus: Avira, Detection: 100%
Preview: .....

Web Analytics