ID: Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: Fire Opal

Transcription

1 ID: Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: Fire Opal

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview AV Detection: Phishing: Networking: System Summary: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Thumbnails Startup Created / dropped Files Domains and IPs Contacted Domains Contacted URLs URLs from Memory and Binaries Contacted IPs Public Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets Code Manipulations Statistics Behavior Copyright Joe Security LLC 2018 Page 2 of

3 System Behavior Analysis iexplore.exe PID: 3232 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3284 Parent PID: 3232 General File Activities Registry Activities Analysis ssvagent.exe PID: 3340 Parent PID: 3284 General Registry Activities Disassembly Copyright Joe Security LLC 2018 Page 3 of 31

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Fire Opal Start date: Start time: 09:46:57 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: CloudBasic 0h 3m 56s light browseurl.jbs lux-motors.com/nnngg/nngbbgh/fffee Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Warnings: Timeout MAL EGA enabled mal52.phis.win@5/30@4/2 Adjust boot time Show All Exclude process from analysis (whitelisted): dllhost.exe TCP Packets have been reduced to 100 Report size getting too big, too many NtDeviceIoControlFile calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Copyright Joe Security LLC 2018 Page 4 of 31

5 Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample HTTP request are all non existing, likely the sample will exhibit less behavior Signature Overview Copyright Joe Security LLC 2018 Page 5 of 31

6 AV Detection Phishing Networking System Summary Hooking and other Techniques for Hiding and Protection Click to jump to signature section AV Detection: Antivirus detection for URL or domain Phishing: Phishing site detected (based on logo template match) HTML body contains number of good links HTML title does not match URL None HTTPS page querying sensitive user data (password, username or ) META author tag missing META copyright tag missing Networking: Downloads compressed data via HTTP Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Posts data to webserver Tries to download non-existing http data (HTTP/ Not Found) Urls found in memory or binary data System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Spawns processes Found GUI installer (many successful clicks) Found graphical window changes (likely an installer) Uses new MSVCR Dlls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Copyright Joe Security LLC 2018 Page 6 of 31

7 Behavior Graph Behavior Graph ID: URL: Startdate: 19/10/2018 Architecture: WINDOWS Score: 52 lux-motors.com Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values Antivirus detection for URL or domain Phishing site detected (based on logo template match) Number of created Files Visual Basic Delphi iexplore.exe started Java.Net C# or VB.NET C, C++ or other language Is malicious iexplore.exe 2 36 lux-motors.com img.secureserver.net , 49161, 49162, AS GO-DADDY-COM-LLC-GoDaddycomLLCUS , 49179, 49180, 80 AS GO-DADDY-COM-LLC-GoDaddycomLLCUS 5 other IPs or domains started United States United States ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 09:47:43 API Interceptor 90x Sleep call for process: iexplore.exe modified 09:47:43 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Copyright Joe Security LLC 2018 Page 7 of 31

8 Source Detection Scanner Label Link lux-motors.com 0% virustotal Browse URLs Source Detection Scanner Label Link lux-motors.com/nnngg/nngbbgh/fffee/ 0% virustotal Browse lux-motors.com/nnngg/nngbbgh/fffee/ 100% Avira URL Cloud phishing lux-motors.com/favicon.ico 0% Avira URL Cloud safe lux-motors.com/nnngg/nngbbgh/fffee/root 100% Avira URL Cloud phishing lux-motors.com/nnngg/nngbbgh/fffee/images/onedrive.png 100% Avira URL Cloud phishing lux-motors.com/nnngg/nngbbgh/fffee/nnngg/nngbbgh/fffee/root 100% Avira URL Cloud phishing lux-motors.com/nnngg/nngbbgh/fffee/images/landing-devices-bg.jpg 100% Avira URL Cloud phishing lux-motors.com/nnngg/nngbbgh/fffee/images/mail.png 100% Avira URL Cloud phishing lux-motors.com/nnngg/nngbbgh/fffee/images/office.png 100% Avira URL Cloud phishing lux-motors.com/nnngg/nngbbgh/fffee/css/style.css 100% Avira URL Cloud phishing lux-motors.com/nnngg/nngbbgh/fffee 100% Avira URL Cloud phishing Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Copyright Joe Security LLC 2018 Page 8 of 31

9 Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Startup System is w7 cleanup iexplore.exe (PID: 3232 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3284 cmdline: '' SCODEF:3232 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3340 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Copyright Joe Security LLC 2018 Page 9 of 31

10 Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\Cab9A70.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 54E559CEF8146FE9AA8B5BA30CA4F6AA 8C53968F786B3D343D375C4B77AEAB85EE464A02 9C086D962C942CFF645DBD48B700191E96E3371B3D006E4EB3C7AC3C842057C9 19FEA345B90D5F6871CFA912483D1D2E3DFD251BE3F9B3DAE89BDCD70318D80B6EAC7502A4F618AC8CB0A219E 331F2EBBF0AD9E8DAA5418F9F78BBD6C78F9966 C:\Users\HERBBL~1\AppData\Local\Temp\Cab9A86.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 54E559CEF8146FE9AA8B5BA30CA4F6AA 8C53968F786B3D343D375C4B77AEAB85EE464A02 9C086D962C942CFF645DBD48B700191E96E3371B3D006E4EB3C7AC3C842057C9 19FEA345B90D5F6871CFA912483D1D2E3DFD251BE3F9B3DAE89BDCD70318D80B6EAC7502A4F618AC8CB0A219E 331F2EBBF0AD9E8DAA5418F9F78BBD6C78F9966 C:\Users\HERBBL~1\AppData\Local\Temp\Cab9AC4.tmp Size (bytes): Entropy (8bit): Microsoft Cabinet archive data, bytes, 1 file true 54E559CEF8146FE9AA8B5BA30CA4F6AA 8C53968F786B3D343D375C4B77AEAB85EE464A02 9C086D962C942CFF645DBD48B700191E96E3371B3D006E4EB3C7AC3C842057C9 19FEA345B90D5F6871CFA912483D1D2E3DFD251BE3F9B3DAE89BDCD70318D80B6EAC7502A4F618AC8CB0A219E 331F2EBBF0AD9E8DAA5418F9F78BBD6C78F9966 C:\Users\HERBBL~1\AppData\Local\Temp\Tar9A71.tmp data Size (bytes): Entropy (8bit): C291922EA080071ABC B5FA8A2 2BA43A BAE5EA58C84D03AAF45EAF 64CCC7D80A289F07AFE30CF437A23F0D685E7EDF30AF E4DA4D47D B5418FDFFC0230C8354B6A3E21CD8843DB12DE361EFDEA3CAD94B5439CBC7EE009D8DFC49E86F6060C60D7 D54C72F9A3E27B B8FFE908048B29121 C:\Users\HERBBL~1\AppData\Local\Temp\Tar9A87.tmp data Size (bytes): Entropy (8bit): C291922EA080071ABC B5FA8A2 2BA43A BAE5EA58C84D03AAF45EAF Copyright Joe Security LLC 2018 Page 10 of 31

11 C:\Users\HERBBL~1\AppData\Local\Temp\Tar9A87.tmp 64CCC7D80A289F07AFE30CF437A23F0D685E7EDF30AF E4DA4D47D B5418FDFFC0230C8354B6A3E21CD8843DB12DE361EFDEA3CAD94B5439CBC7EE009D8DFC49E86F6060C60D7 D54C72F9A3E27B B8FFE908048B29121 C:\Users\HERBBL~1\AppData\Local\Temp\Tar9AC5.tmp data Size (bytes): Entropy (8bit): C291922EA080071ABC B5FA8A2 2BA43A BAE5EA58C84D03AAF45EAF 64CCC7D80A289F07AFE30CF437A23F0D685E7EDF30AF E4DA4D47D B5418FDFFC0230C8354B6A3E21CD8843DB12DE361EFDEA3CAD94B5439CBC7EE009D8DFC49E86F6060C60D7 D54C72F9A3E27B B8FFE908048B29121 C:\Users\HERBBL~1\AppData\Local\Temp\~DF1CDE6145B1A73A03.TMP data Size (bytes): Entropy (8bit): DFD3471DC6CD5F03FD7E4599B8C0EBB5 B622746D211E330A2745ABCA01C48D4119CE720F 08E44035B888FB4F6B049E99963D58F6984D5A613F3E8CA4EBB CF5DDF 1F2A8CAEF0A5ED51D4CC6EC12463AB7785CB82316E26A9B71F69AA5B9CCA1405C0996DF4D6B12A114ED65DA34 261C3B7C38260E09ACFF0390E8D25CF6F9EBE49 C:\Users\HERBBL~1\AppData\Local\Temp\~DF7D946541CD7CDF21.TMP data Size (bytes): Entropy (8bit): CC283CB623943D5A8D67475E21F25F07 4E9FFAAC30ED100580D2482C8BE866550CAAD873 76A28C3D9E74F35C0DF43C020C3CDAB0FC6E6D0E3616D5EC236587AC4D2436D2 6A CE94FE1FBEFAB9DB516E46E470DA94113A680B07905DEF6D549B6EDF42A09D60C46B8C0CA436F2FF2 529DF881C1DC786864FFD9B44FA93AB158BD77 C:\Users\HERBBL~1\AppData\Local\Temp\~DFE5303CE7AE TMP data Size (bytes): Entropy (8bit): F90AC3CAB320CEAA A7A0F739 AA7CCDA96306D8D A1870CC1ECF6186AA 61BAE2C736EC48CA2E14D47E296987EDB57A6EAFB4382D5F88C2F7AE551C55FF F14586FDC3D2292B D59EC016D999DEEF8EFB455197C3D7EE910410B656BE82B5F80DEEA7C3150C5EDE2 64FA5E7DF68550C1EC33DFDD6F23E11972CE17 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Microsoft Cabinet archive data, bytes, 1 file Size (bytes): Copyright Joe Security LLC 2018 Page 11 of 31

12 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F Entropy (8bit): true B51576C0C9A4E3689E10B2995D89C3E5 5F290AB EB621A481B3C75A924C7C0BFA F C0F5A D764E7C76C19F566F4A9F774BB1D0ADE134FEB C886801B727312F2B6F22687C9C44EEBD46430FA4BB296A43C3E8310BD8F9F4B3854DBA8DAA31EE3D924C6A2 7583EC439364AB6D2CCE29777BDBD3D3DD30A8 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F data Size (bytes): 1650 Entropy (8bit): A854345B3E313A1D4B2C B19 C9C AD29469B92641B235D3E66FC0EE8 F8139C7D6826D C BD13FF96A88A9D91630D8F6 E0949F5D842CA3A7162DEC96FA1B642DDB3C561C2DC F F CB5D066DA5F29C2C2F5 7FB7676BD5549F EF976EFAF2F0AFC8 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{41C41C21-D373-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): AE8D95F674FF7B9B63FE4EC91C49486C FB33CE5FC42B62BD4A4CDB317A17655D6050E8D0 4B93FF5F881E A8CE96FF930C20C81D6F89C2B2FB83A182CC3426F2C6B 5AAEAF77ED1EC70C88156F2BF2C212B1279DB0618BECD36B5EA5FBBBB F10017F2B28E82088BCE8807D A87A8909B0A733C98BD8F62D08A A5D C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{41C41C23-D373-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): DD08704D37AC48E1AB0FF8B89112A DB4873F7B A1930D367FFBA6DF 678D FCDEE590D865EE6DDE09E574B28173CFED5D92667A182E8AAD6 3F1D193999FDDC367F8BCD45BF76EB001BE4CB73F7537DFFC5BA1D4CE1AF897E50BB1F92EB57B6CFB8E3523D AE0BF4C1F2EDC16F23DECB0780D9422E2BFED7AB Copyright Joe Security LLC 2018 Page 12 of 31

13 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{543147F0-D373-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): AC EB9F56B9226BEF8B FD23BAF799413A0EF15B355491B0D 41CF6EB4D2C79B A652CE30D9C734B4EBAF46BC DC0 9432E091D6C0C F6FE53CE2DCE2A4C3D6041AE62A9376E76B1B4DDB3C0C C3647CB775FF CDB6A D7F2F37BCD20F CADF9 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[1].ico Size (bytes): 237 Entropy (8bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\fffee[1].htm Size (bytes): 2634 Entropy (8bit): HTML document, ASCII text, with very long lines, with CRLF line terminators B F895CED74257F4771A2883EB BDFA5AF0C1EFB7C0F578D253BA7B1ABE8455AD13 A2759B1679DA9A2160AAC56C19DF6A068C27AB6D29D92D36F1175C A02B4412F63C1C7CDA7F7CFD036481FE90478EEA A474A338F36244C B07267E E DE9D4882AB5B531F6B3E4962C6E0 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\landing-devices-bg[1].jpg [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1200x800, frames 3 Size (bytes): Entropy (8bit): FBEAF13996D872780BDA8CA2AD A777BACF00665A0A69229DBD971A2BB6F5F44ED9 E8F80990BADD44FD6D05B66B116D0AE7CBA88CCAEAE CE272937B7 AC266795BC35F EF1DA79A114EE057404EAE57C9E8C1EF9E1EA95361CDBD44F72FBF78BFAF5273B14 94F81A648097E14AAA217BEBDD73B39C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\mem5YaGs126MiZpBA-UNirkOUuhv[1].woff Web Open Font Format, TrueType, length 18296, version 1.1 Size (bytes): Entropy (8bit): CD5320F8937D337B61D5117CF9D7B EF7AC55BA93AAA033FEFDB7CA4D57DA44AD E19B28AD1AAFCB23735D02CBEC4E2697EBBF7D608CF47FB8F8565DEF01B28C2A 9DBD69E362FE4144C686ADC1C53E0D55EFE9AA173C E14A4ED505A00FC6D5AC95B1E0259D26EFB9B 846C E1D EA5CE89D300D9008 Copyright Joe Security LLC 2018 Page 13 of 31

14 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\mem5YaGs126MiZpBA-UNirkOUuhv[1].woff C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\office[1].png Size (bytes): 1421 Entropy (8bit): PNG image data, 22 x 22, 8-bit/color RGBA, non-interlaced 4DFCF DCD89E8E562B A8CD8E480E0FC03D4B15ACF0B C616E6A 685F77342CA77F562BB319CF666966EBD283BA9AD568148BF4D6F66D5FA08EB5 C81BED24AA61D265494CA E2A51805F B6FA44E BB9337CD3D961E51A3B6BD0D6A7603FD5 37D6798AE0622A8BED77D28C6485FCB50BEE7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\oneDrive[1].png Size (bytes): Entropy (8bit): PNG image data, 170 x 114, 8-bit/color RGBA, non-interlaced 0687A1330A816D19C12CB00682BFE01D A F3C56F8B53A8ACE C010EDA9AB4AD066A43D0B7FD4FE7F2BE2E849AF38DB2E0B4AF109EA7BCD5593 BB85701F310055F8BDD0C1CB9AF544D6B B7FFE71603F658479AAC4BC2F42ECED9EA E34EA654B 988C FCCF BE5F643EAD37DBB C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\css[1].css Size (bytes): 245 ASCII text Entropy (8bit): F07348E571841B7EDEA81B127E87AAB3 D6A20E61333CEA773EA27CF0EF5D6A3F70A79CB9 B30A3CD9C14F28F4F D894C38A2CBD9BB49D8BEF E6D02577A 91648C83E744CF0DBD876EF9B6C670E997F412DFD61EF DC B895E84E1EE5FBEA50DA79FA5F41 4B273C6F16AEF9F2A5A057CDB55A8A A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\event[1].gif GIF image data, version 89a, 1 x 1 Size (bytes): 43 Entropy (8bit): FFF40B5DD495ACA2AC4E1C3FBC60AA E8AC224BA9EE97E87670ED6F3A2F0128B7AF9FE4 A065920DF8CC4016D67C3A464BE90099C9D28FFE7C9E6EE3A18F257EFC58CBD7 49B8DAF1F5BA868BC8C6B224C787A75025CA36513EF8633D1D8F34E48EE0B578F466FCC104A7BED553404DDC5F 9FAFF3FEF5F894B31CD57F32245E550FAD656A C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\fffee[1].htm HTML document, ASCII text Size (bytes): 250 Entropy (8bit): AE375074A321207C C10C6A31 Copyright Joe Security LLC 2018 Page 14 of 31

15 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\fffee[1].htm F04F4CBEF3FA5336AB833B659A7A7E0FA6A1B171 77E4F2B807F1CC8095B CB3AE58023D7876E9BD3C518FB0E66012E2C 0911A E18E9B1E89C6E4DC5BAB1A1DD7EF50566E FBBB2ADBA A3EAE5A1D08CACA3 343E7DC5B9B06B061C020930F77FC5C3C92BC59 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\tcc_l.combined min[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): EE887A633917E8B3D698620C323D28BA F5E E664DF50B2F560AD AA5C1EC4D2EA00EB517EADEB3B65E55B577B7A5ED42D7C2611D15D9050C18350 D189DDC3C8E098C6C505E5A826DF3B0F40C015D861AAFFE6D1C8D1DA3D8FE2F43EF8E6F1C03BEEF3EEEA3F7B E84A00480F1A62DEB0BCE0E4BCD D118C1 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\mail[1].png Size (bytes): 1694 Entropy (8bit): PNG image data, 22 x 22, 8-bit/color RGBA, non-interlaced 34C474722FC5046A7F984C D 1995EDB41E576CEB3C8A1ECED59C1D8813F5108E A2B00DC7E4FF8539CF742BF8D295C111DEA08ACF D E70A 53636BF7C605F133BAB85DF11BDC90229FEE29ADC E01E1B2F6671B9115B775F08FDFFD98918E901BAED BEF1EEEED0CFFF39A506FEC276BD84F1252BBD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\style[1].css Size (bytes): 6919 ASCII text, with CRLF line terminators Entropy (8bit): B99A DF728C87F751D8417B6E 96CF04CDCDDA8F2D1D2420A6B5FFC657470F14E8 697C5C68EFF0AC91A4BFF701F334F82C45CE9712B9DB549E7E04242DC7FF39FA 99215AF01FA6D77063F4CE5A43832CB7111D3C308CD C1238C21E7DB027BD27C95E BDFBE416FE B2D187931D6E07DD261B59B6C095BDF57C649 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\urlblockindex[1].bin Size (bytes): 16 Entropy (8bit): data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\BEYHEISB.txt ASCII text Copyright Joe Security LLC 2018 Page 15 of 31

16 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\BEYHEISB.txt Size (bytes): 224 Entropy (8bit): C492AD7E A70B69676BA9 B09573A6A340192B481D464DBC45E0F15A7E8D5C A40D81DED77A41B8AEB40EFE220E029FCD06A61D58697D063AC0635BF432B668 32E20D90F66BB B1F762D C301CC4006CF378D80A75D2DE7D3BA4B D44C4AEB FE 3E21AC19C0A E959D5236F6CB3BAC8F C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\KVX59TSW.txt Size (bytes): 113 ASCII text Entropy (8bit): B16BB4DD08D765206C5C069F46FA4E02 8C149FEF9E1AB6DB9FB3C3DFA984A235B77343CB 092CDE8CB8EF673724C4D51A5D3C8548AC14EA881DBC300C49DF7B D FFE67E6ABCE2E96572EAB15193DBE4222EC723EA43759D8C4029FE84E0A3826F34694FCB36FBAAF5EC0 E39E6CEE7717C89A479FD596FDAF6E77E63DDED Domains and IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation lux-motors.com true 0%, virustotal, Browse unknown img.secureserver.net true high cds.d2s7q6s2.hwcdn.net true high au.downloa true high img1.wsimg.com unknown unknown high Contacted URLs Name Malicious Antivirus Detection Reputation lux-motors.com/nnngg/nngbbgh/fffee/ true 0%, virustotal, Browse Avira URL Cloud: phishing unknown lux-motors.com/favicon.ico Avira URL Cloud: safe unknown lux-motors.com/nnngg/nngbbgh/fffee/images/onedrive.png true Avira URL Cloud: phishing unknown lux-motors.com/nnngg/nngbbgh/fffee/images/landing-devices-bg.jpg true Avira URL Cloud: phishing unknown img.secureserver.net/t/1/tl/event? cts= &tce= &tcs= &tdc= &tdclee = &tdcles= &tdi= &tdl= &tdle= &tdls= &tfs= &tns= &trqs= &tre= &trps= &tles= &tlee= &ht=perf&dh=luxmotors.com&ua=Mozilla%2F5.0%20(Windows%20NT%206.1%3B%20Trident%2F7.0%3B%2 0SLCC2%3B%20.NET%20CLR% %3B%20.NET%20CLR% %3B%20. NET%20CLR% %3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B %20.NET4.0E%3B%20rv%3A11.0)%20like%20Gecko&vci= &cv=1.0.6&z= &vg=202ec23d b601-09cf9b95e3bf&vtg=202ec23d b601-09cf9b95e3bf&ap=cpsh&trfd=%7B%22cts%22%3A %2C%22tccl.baseHost%2 2%3A%22secureserver.net%22%2C%22ap%22%3A%22cpsh%22%2C%22server%22%3A% 22a2plcpnl0386%22%7D&dp=%2Fnnngg%2Fnngbbgh%2Ffffee high lux-motors.com/nnngg/nngbbgh/fffee/images/mail.png true Avira URL Cloud: phishing unknown lux-motors.com/nnngg/nngbbgh/fffee/images/office.png true Avira URL Cloud: phishing unknown lux-motors.com/nnngg/nngbbgh/fffee/css/style.css true Avira URL Cloud: phishing unknown lux-motors.com/nnngg/nngbbgh/fffee true Avira URL Cloud: phishing unknown URLs from Memory and Binaries Copyright Joe Security LLC 2018 Page 16 of 31

17 Name Source Malicious Antivirus Detection Reputation lux-motors.com/nnngg/nngbbgh/fffee/root luxmotors.com/nnngg/nngbbgh/fffee/nnngg/nngbbgh/fffee/root {41C41C23-D373-11E8-B7AC-B2C27 6BF9C88}.dat.0.dr {41C41C23-D373-11E8-B7AC-B2C27 6BF9C88}.dat.0.dr true Avira URL Cloud: phishing unknown true Avira URL Cloud: phishing unknown fffee[1].htm0.1.dr high Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Country Flag ASN ASN Name Malicious United States AS GO-DADDY-COM-LLC- GoDaddycomLLCUS United States AS GO-DADDY-COM-LLC- GoDaddycomLLCUS Static File Info No static file info Network Behavior Network Port Distribution Total Packets: (HTTP) 53 (DNS) Copyright Joe Security LLC 2018 Page 17 of 31

18 TCP Packets Timestamp Source Port Dest Port Source IP Dest IP 09:47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: Copyright Joe Security LLC 2018 Page 18 of 31

19 Timestamp Source Port Dest Port Source IP Dest IP 09:47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: :48: UDP Packets Timestamp Source Port Dest Port Source IP Dest IP 09:47: :47: :47: :47: Copyright Joe Security LLC 2018 Page 19 of 31

20 Timestamp Source Port Dest Port Source IP Dest IP 09:47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :47: :48: :48: :48: :48: :48: :48: DNS Queries Timestamp Source IP Dest IP Trans ID OP Code Name Type Class 09:47: x4795 Standard query (0) 09:47: x9145 Standard query (0) 09:48: x4216 Standard query (0) 09:48: x1319 Standard query (0) lux-motors.com A (IP address) IN (0x0001) img1.wsimg.com A (IP address) IN (0x0001) img.secure server.net A (IP address) IN (0x0001) lux-motors.com A (IP address) IN (0x0001) DNS Answers Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class x4795 No error (0) lux-motors.com A (IP address) IN (0x0001) 09:47: x9145 No error (0) img1.wsimg.com img1.wsimg.com.akadns. 09:47: net 09:47: x315f No error (0) auto.au.do wnload.win dowsupdate.com.c.foo tprint.net 09:47: x315f No error (0) au.downloa au.downloapd ate.com. CNAME (Canonical name) CNAME (Canonical name) IN (0x0001) IN (0x0001) A (IP address) IN (0x0001) Copyright Joe Security LLC 2018 Page 20 of 31

21 Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class 09:47: :47: :47: :47: :47: x315f No error (0) au.downloa x315f No error (0) au.downloa x315f No error (0) au.downloa x315f No error (0) au.downloa xba3e No error (0) au.downloa hwcdn.net xba3e No error (0) cds.d2s7q6 09:47: s2.hwcdn.net xba3e No error (0) cds.d2s7q6 09:47: s2.hwcdn.net 09:47: x6b2e No error (0) auto.au.do wnload.win dowsupdate.com.c.foo tprint.net 09:47: :47: :47: :47: :47: x6b2e No error (0) au.downloa x6b2e No error (0) au.downloa x6b2e No error (0) au.downloa x6b2e No error (0) au.downloa x6b2e No error (0) au.downloa 09:47: x961a No error (0) auto.au.do wnload.win dowsupdate.com.c.foo tprint.net 09:47: :47: :47: :47: :47: x961a No error (0) au.downloa x961a No error (0) au.downloa x961a No error (0) au.downloa x961a No error (0) au.downloa x961a No error (0) au.downloa 09:47: xa557 No error (0) auto.au.do wnload.win dowsupdate.com.c.foo tprint.net cds.d2s7q6s2.hwcdn.net au.downloapd ate.com. au.downloapd ate.com. au.downloapd ate.com A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) CNAME (Canonical name) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) CNAME (Canonical name) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) CNAME (Canonical name) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) CNAME (Canonical name) IN (0x0001) Copyright Joe Security LLC 2018 Page 21 of 31

22 Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class 09:47: :47: :47: :47: :47: xa557 No error (0) au.downloa xa557 No error (0) au.downloa xa557 No error (0) au.downloa xa557 No error (0) au.downloa xa557 No error (0) au.downloa x32b2 No error (0) ie9comview 09:48: vo.msecnd.net x4216 No error (0) img.secure 09:48: server.net cs9.wpc.v0cdn.net A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) CNAME (Canonical name) IN (0x0001) A (IP address) IN (0x0001) x1319 No error (0) lux-motors.com A (IP address) IN (0x0001) 09:48: HTTP Request Dependency Graph lux-motors.com img.secureserver.net HTTP Packets Session ID Source IP Source Port Destination IP Destination Port Process Timestamp kbytes transferred Direction Data 09:47: OUT GET /nnngg/nngbbgh/fffee HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: lux-motors.com DNT: 1 09:47: IN HTTP/ Moved Permanently Date: Fri, 19 Oct :47:33 GMT Server: Apache Location: Content-Length: 250 Keep-Alive: timeout=5 Content-Type: text/html; charset=iso Data Raw: 3c f d 4c c d 2f 2f f 2f d 4c e 30 2f 2f 45 4e 22 3e 0a 3c d 6c 3e 3c e 0a 3c c 65 3e d 6f d 61 6e 65 6e 74 6c 79 3c 2f c 65 3e 0a 3c 2f e 3c 62 6f e 0a 3c e 4d 6f d 61 6e 65 6e 74 6c 79 3c 2f e 0a 3c 70 3e f d 65 6e d 6f c d a 2f 2f 6c d 6d 6f 74 6f e 63 6f 6d 2f 6e 6e 6e f 6e 6e f f 22 3e c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f e 3c 2f d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanent ly</title></head><body><h1>moved Permanently</h1><p>The document has moved <a href=" g/nngbbgh/fffee/">here</a>.</p></body></html> 09:47: OUT GET /nnngg/nngbbgh/fffee/ HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: lux-motors.com DNT: 1 Copyright Joe Security LLC 2018 Page 22 of 31

23 Timestamp kbytes transferred Direction Data 09:47: IN HTTP/ OK Date: Fri, 19 Oct :47:33 GMT Server: Apache X-Powered-By: PHP/7.2.6 Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Content-Length: 1160 Keep-Alive: timeout=5 Content-Type: text/html; charset=utf-8 Data Raw: 1f 8b ad 56 5b 6f db e 6e 80 fc d aa 4b 2e 5b ac 59 b e9 c3 30 0c 05 2d b 8a ca 9e 97 e6 bf ef 90 ba d9 4e 36 f4 a1 06 2c 1d 9d 2b cf 47 7e 24 8f 8f 66 2f af 6f df de ff f1 fb 2f 50 d9 9a cf 8f 8f 66 ee 0d 5e a0 a4 70 ef 9a 5a b4 a1 36 0b 3e de bf 8b df 04 4e 6f 99 e5 74 7e 2b 28 5c 6b b6 a6 f0 96 cb a6 80 6b ee e5 2c 6d fd b1 02 4d a bb e5 d a 50 9a 96 d4 e a ab cc 65 9a c a5 5c 72 4a e eb e6 a7 92 d4 8c 6f b3 5b 45 c5 eb 3b 22 cc e5 c5 c9 49 b8 97 3e 18 d3 07 6d d af 4d 50 f2 a3 37 b9 66 ca a2 04 f8 23 9c 6a 3b c 14 7c 0b 5c 2e d b3 15 6c 65 a3 81 c c a 0c cf 9d bd 9a e 61 ce da a5 07 bb b 2c fd db a6 9f c9 9a b4 5a 5f ff 65 1c 1f 1f 95 8d c8 2d d da d2 68 1e c c9 1b 2f e7 e8 3f ec 1f 1a dc 39 1a 94 2d b1 8d 69 7d d 0e f 85 ad 22 a8 28 5b a 7c f4 e0 db c 9c c4 a7 53 af 6b 2d f8 6b 0d 30 c1 e4 94 8a c cf a6 f1 a4 97 ae bc e7 e b 3d 9b c8 eb 87 3c ed 10 7c a2 41 dc cd b4 26 ba e7 40 6e 30 d e b9 c5 24 0c f1 df f0 ba a5 30 ea 70 f2 fa 4e f6 fa 1e 36 6f d8 c1 d0 1b 47 f8 bc 79 fc f4 56 0f ea 8d 2d e4 6d ba 0d e9 41 6f 8b d a1 d dd ff f6 10 7a 8d 97 bc ae 45 c3 2b bb d e3 f9 fe 9a 4a 3b 46 a2 b8 90 c5 d6 a9 0a b6 86 9c b2 c0 af da 78 a3 89 0a fc aa 7e 6a 73 cc 76 b6 17 fb c6 1b b9 94 c8 e2 60 3e 4b 51 db da f7 1c 4a 29 6d cc c5 2a 98 df 4b fc a8 a1 b af e 31 4a cb 35 2b a e5 38 a7 37 9e f 35 a3 1b 30 b8 3f d0 02 4a 86 a4 84 be b4 5b 38 8e 1a bb e5 11 bd 7e 6c 1e 92 c d ba c 1a 74 6c d3 a a ea 2d 41 9f c8 b0 a c0 ef 8a e6 2b 5a cc 67 9c e0 c8 a0 94 7a 48 d1 d7 c4 b0 f9 1d fa c3 7b 31 4b bd 9b 03 e6 c5 41 cd b3 6f ab d9 b8 06 0e 6a 9d 3d 53 eb a3 ea 6b 8d 8d 3e cc f3 9e 65 bb f6 ae 3f 37 cf a3 03 c0 28 ed 3a 2f b5 6c d4 ae 1b 9a 17 8d b5 b e 0b 2b e2 f fc d9 8a c a af b2 60 d8 bd c2 db f a3 50 c8 ff 7b 9c e3 96 1d 85 a7 fe f9 c3 f0 9c 06 f3 9b 71 eb bd f5 55 e0 fc e2 c7 59 da 0e 6c 67 b0 bb eb e5 7b b 5b 3f df d8 fd f7 6b cc f f 69 ec 80 0c 95 7e c2 85 c3 fe 47 ba fe 8a e7 ab 3b ad 38 6f 59 e9 b8 66 a0 d4 b b6 1b 1c 06 c5 5e 9d 0c 05 5d 23 da 11 ca 45 cb 4c c7 f1 ba 1d 30 da a e 47 bd cf d6 11 b8 df fb c 05 5e f6 f8 3d c8 bd 34 bc 5d b f b7 cd 75 7b 60 d8 88 Data Ascii: V[o6~nS=T6K.[P$Y)2 0-QkdIN6,+G~$f/o/Pf^pZyE6>Not~+(\kk750,m03MyTZPUJYXYeRX,\rJ3I.47o[E;" I>mSMP7f#j;VL \.le5ahqhjx$tt$^athu4,z_e-tbhadg/p?pf9-i}ii]a"([vvz e%ldsk-k0gh=< A&@n0V8g$0pN6oGyV2YpmGAo!rm! PzE+iBX4J;Fcx~jsv`>KQJ)m*KD87tX(dEH21J5+87WH50?J[8~lX`E tl`2aj-a+zgzh{1kaoj=sk>epe?7(:/lu+ v3acy,hs`wvp{quylg{v[?khoi~g;8oyf"^]#el0@gc7^f=4]csou{` 09:47: OUT GET /nnngg/nngbbgh/fffee/css/style.css HTTP/1.1 Accept: text/css, */* Referer: Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: lux-motors.com DNT: 1 09:47: IN HTTP/ OK Date: Fri, 19 Oct :47:34 GMT Server: Apache Last-Modified: Tue, 22 May :23:44 GMT ETag: "60c009f-1b07-56ccdd78d2400-gzip" Accept-Ranges: bytes Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Content-Length: 1807 Keep-Alive: timeout=5 Content-Type: text/css Data Raw: 1f 8b bd f e e de 05 f6 3f a 1c b0 1c 9d b6 23 a3 0f 71 b2 6e 1f da 2e d0 3e 2d 8a 3e d b a d fd ef 1d 1e ba 2c c9 71 da a0 36 1c 48 3c e6 f8 e6 9b b 16 ee f6 9f 3e 7e d8 e0 3c a6 a9 6f ce e cb fd f3 09 9e 44 b3 40 0c ac 70 f0 18 e7 6c 9b 86 3e da e6 c9 e5 78 7c c5 4d 82 d3 90 a6 b a 90 c2 58 c5 e3 bf b3 18 5d a c9 08 e b b1 94 fb 13 d d bd dc 58 6e f6 82 2e be f e0 b4 b f0 d e fc fd d3 c7 eb 91 8f 23 d8 3a f d9 af d8 8b 51 d0 6f a0 cf 5f b1 3c 24 b b0 70 1c e7 11 7d d1 eb eb 77 bd c f f e7 73 bc 4a ef 5e be be ae 96 ae c c2 52 bc 57 c0 d0 74 0d 46 f f 1c 1c 0f 58 8e a9 9f b c 8d e7 1c da 67 1a f2 b5 6f 99 e6 0f f3 1a 68 bc e5 4c bd be 18 6a b d9 8b 1c 82 bd 6b 42 e d5 58 c6 0a 2a 95 e d 4f c b 1c b2 67 5f c1 8a 2c c 94 c7 2b 7c 69 8e c4 77 6c bb d c ad db 2b 85 b7 36 7b cd d7 6c 6d 50 f9 5a d b b6 9c c8 41 1c 0a 32 f8 b c 57 ea 4a 1f 1a 2c 3a 37 cd e9 ec 61 da d1 8b c6 05 8d bd 8d fa a6 b f ba e2 ea ca b f5 dc 6b ac f1 4c 56 8f 94 1b 3c 07 da 01 4b 36 7e ce 38 e6 e4 eb a b 50 3e 20 fd 39 ba a fc 8b c 27 5a d0 15 4d 28 df f9 6b 1a d 8a 3a be aa a 01 df dd a 8a 45 c f0 1c c0 b2 1e 16 ce a1 b1 08 4f 86 c6 c1 9a 04 8f 02 e b5 7b d f0 8a ab 2d bb cd b b5 d d4 00 e2 db b6 ce f 86 0a bd a d1 d0 2c f0 9a 4b 45 a2 88 1c b1 64 2a cc 1b 5e d2 54 c0 68 c8 7c 57 1c d a 11 c9 05 f4 a1 a d 4b 0f 90 de d7 f5 34 8a a d b b4 1d ec db 75 c0 71 bd e1 3a d0 2b a8 3a ed 4a e2 f5 cf 76 d2 c0 28 f8 2e 21 7e c5 4f c4 70 c2 de 44 e8 5d f6 bd 2f e d4 51 1a 5c 5d d af 26 e6 f0 8e e3 64 a3 69 b6 e5 af 12 b1 5d eb da f1 6a b e 53 a4 82 5f e6 53 e5 a9 24 a4 5d d c b f f 59 bd 6d cf 1b 95 bf b b4 eb cf c f0 5d 46 7e 3c cb c 83 8a b3 bf aa 14 2c 48 b0 cd a 68 0e 0d b0 c5 8b fe f e 63 3c 6f 65 ad 65 1f 0b a7 46 af d4 09 f8 07 ad 50 6a d4 ca b6 e5 f5 42 7b 24 a7 06 6b c2 bf Data Ascii: XYo6~?#qn.>->%EAx,q6H<2+>~<o9`D@pl>x C78&M'X]9( )'DXn.d$E(HN#X#:W$b9Qo_<$#p$}w1`q1i%xsJH w^x<rwtf9'/x9eth,ggohljg{kb555x*$mo $$kg_,l+ iwlw#gvf+6{7ilmpzwka2p",wj,:7ascxq)&$)6g gklv<k6~853cp> 9$p@'ZM(k$m:e6:%4jE&O2{CHH$s-&!Tc2P%DOSH3,KEd*^Th WEFbCs()]K4T=hYXuq:P+2a:Jv(.!~(OpD]/uw)Q\](TU&di] ja#ns_s$]iet[ewhtoymu5hsl]f~<pq<,he!hchpc<oeedfhrpjb{$k Copyright Joe Security LLC 2018 Page 23 of 31

24 Session ID Source IP Source Port Destination IP Destination Port Process Timestamp kbytes transferred Direction Data 09:47: OUT GET /nnngg/nngbbgh/fffee/images/landing-devices-bg.jpg HTTP/1.1 Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5 Referer: Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: lux-motors.com DNT: 1 09:48: IN HTTP/ OK Date: Fri, 19 Oct :48:00 GMT Server: Apache Last-Modified: Tue, 22 May :23:44 GMT ETag: "60c00b4-30cca-56ccdd78d2400" Accept-Ranges: bytes Content-Length: Keep-Alive: timeout=5 Content-Type: image/jpeg Data Raw: ff d8 ff e a ff ec b c ff e a 2f 2f 6e 73 2e f e 63 6f 6d 2f f 31 2e 30 2f 00 3c 3f b e 3d 22 ef bb bf d d 30 4d a a 4e a 6b f 3e 20 3c 78 3a 78 6d 70 6d d 6c 6e 73 3a 78 3d f a 6e 73 3a 6d f a 78 6d b 3d f d f e 36 2d e c f f d a a e 20 3c a d 6c 6e 73 3a d a 2f 2f e e 6f f f f d d e d 6e e 20 3c a f 6e a f d d 6c 6e 73 3a 78 6d 70 4d 4d 3d a 2f 2f 6e 73 2e f e 63 6f 6d 2f f 31 2e 30 2f 6d 6d 2f d 6c 6e 73 3a d a 2f 2f 6e 73 2e f e 63 6f 6d 2f f 31 2e 30 2f f f d 6c 6e 73 3a 78 6d 70 3d a 2f 2f 6e 73 2e f e 63 6f 6d 2f f 31 2e 30 2f d 6c 6e 73 3a d a 2f 2f c 2e 6f f f 65 6c 65 6d 65 6e f 31 2e 31 2f d 70 4d 4d 3a 4f e 61 6c 44 6f d 65 6e d d 70 2e a d d d d d 70 4d 4d 3a 44 6f d 65 6e d d 70 2e a d 70 4d 4d 3a 49 6e e d d 70 2e a d 70 3a f f 6f 6c 3d f f 74 6f f e 64 6f e 20 3c 78 6d 70 4d 4d 3a f 6d a 69 6e e d d 70 2e a d d d d a 64 6f d 65 6e d f a 64 6f a f 74 6f f 70 3a d d d d Data Ascii: ExifII*Ducky< begin="" id="w5m0mpcehihzreszntczkc9d"?> <x:xmp meta xmlns:x="adobe:ns:meta/" x:xmptk="adobe XMP Core 5.6-c , 2015/03/30-23:40:42 "> <rdf:rdf xmlns:rdf=" <rdf:description rdf:about="" xmlns:xmpmm=" om/xap/1.0/mm/" xmlns:stref=" xmlns:xmp=" p/1.0/" xmlns:dc=" xmpmm:originaldocumentid="xmp.did:dcedf537-cb f0-864e6dd971c7" xmpmm:documentid="xmp.did:d884a07a712411e5a33de487d427d079" xmpmm:instanceid="xmp.iid: D884A E5A33DE487D427D079" xmp:creatortool="adobe Photoshop CC 2015 (Windows)"> <xmpmm:derive dfrom stref:instanceid="xmp.iid: b-4b42-9fc2-1f8dc " stref:documentid="adobe:docid:photoshop: 6a2783c4-769c-11e5-a6d7-a667b 09:48: OUT GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: lux-motors.com DNT: 1 Copyright Joe Security LLC 2018 Page 24 of 31