ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version:

Size: px

Start display at page:

Download "ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version:"

Kristian Stewart
5 years ago
Views:

1 ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: Data Obfuscation: System Summary: Anti Debugging: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets Code Manipulations Statistics Copyright Joe Security LLC 2017 Page 2 of 2

3 Behavior System Behavior Analysis Process: iexplore.exe PID: 3236 Parent PID: 54 General File Activities Registry Activities Analysis Process: iexplore.exe PID: 32 Parent PID: 3236 General File Activities Registry Activities Analysis Process: ssvagent.exe PID: 3340 Parent PID: 32 General Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 3 of 2

Analysis Report Overview General Information Joe Sandbox Version: 20.0.0 Analysis ID: 40237 Start time: 00:29:59 Joe Sandbox Product: CloudBasic Start date: 16.12.

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 00:29:59 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 5m 3s light browseurl.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: HCA enabled EGA enabled HDC enabled CLEAN clean3.win@5/22@4/3 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 100% (good quality ratio 5.2%) Quality average: 64.6% Quality standard deviation: 36.1% Warnings: Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Copyright Joe Security LLC 2017 Page 4 of 2

Threshold 4 0-5 Confidence Classification

clean Exploiter Banker Spyware Trojan / Bot

5 Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Signature Overview Copyright Joe Security LLC 2017 Page 5 of 2

6 Signature Overview Networking Data Obfuscation System Summary Anti Debugging Hooking and other Techniques for Hiding and Protection Language, Device and Operating System Detection Click to jump to signature section Networking: Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Social media urls found in memory data Data Obfuscation: Contains functionality to dynamically determine API calls Uses code obfuscation techniques (call, push, ret) System Summary: Found graphical window changes (likely an installer) Uses new MSVCR Dlls Binary contains paths to debug symbols Classification label Contains functionality to instantiate COM classes Contains functionality to load and extract PE file embedded resources Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Searches the installation path of Mozilla Firefox Anti Debugging: Contains functionality to register its own exception handler Contains functionality to check if a debugger is running (IsDebuggerPresent) Contains functionality to dynamically determine API calls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Copyright Joe Security LLC 2017 Page 6 of 2

Extensive use of GetProcAddress (often used to hide API calls) Language, Device and Operating System Detection: Contains functionality to query local / system time Contains functionality to query

7 Extensive use of GetProcAddress (often used to hide API calls) Language, Device and Operating System Detection: Contains functionality to query local / system time Contains functionality to query windows version Behavior Graph Behavior Graph ID: Sample: Startdate: 16/12/2017 Architecture: WINDOWS Score: 3 Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values iexplore.exe Number of created Files Visual Basic iexplore.exe started Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious 23 Connected ips exeeded maximum capacity for this level. 4 connected ips have been hidden. maxcdn.bootstrapcdn.com , 0 AS-NETDNA-netDNAUS , 0 24SHELLS-24SHELLSUS bit.ly , 0 BITLY-AS-BitlyIncUS started United States United States United States ssvagent.exe 6 Simulations Behavior and APIs No simulations Antivirus Detection Copyright Joe Security LLC 2017 Page 7 of 2

8 Initial Sample No Antivirus matches Dropped Files No Antivirus matches Domains Detection Cloud Link maxcdn.bootstrapcdn.com 0% virustotal Browse bit.ly 2% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshot Copyright Joe Security LLC 2017 Page of 2

9 Startup System is w7 iexplore.exe (PID: 3236 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding CA1F703CD66567E132D2946FB55750) iexplore.exe (PID: 32 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3236 CREDAT: /prefetch:2 CA1F703CD66567E132D2946FB55750) ssvagent.exe (PID: 3340 cmdline: 'C:\PROGRA~1\Java\JRE1~1.0_1\bin\ssvagent.exe' -new 0953A026479FD1E655B75B63B903B7) cleanup Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log ASCII text, with CRLF line terminators 6C7EF21575B6CA672DF92E31E619A2 D355AA2B3FF9A725ECD4D9F779074EBEF130B 70CE13DAF2C1235DB106FEB35EE46CE22FCEC1D750AD47A2ECE FF 491FF6CF71C3D3C366031A6F4DD204710BD5B94B15291E5D3E76E995DF20DDD7B15C70430EA235666EAF29F9 070ABAEEAD9A367FC2462B0603F3 C:\Users\HERBBL~1\AppData\Local\Temp\~DF3E0B1E7A94519FEE.TMP FoxPro FPT, blocks size 25, next free block index CDFCD7D506C9DE679639EF73B609F2A0 3E5ED6094E51B79293F0A9414A7230E45B517F Copyright Joe Security LLC 2017 Page 9 of 2

10 C:\Users\HERBBL~1\AppData\Local\Temp\~DF3E0B1E7A94519FEE.TMP 5F34ADF7C5EC961FBE0333BFC51224F0F ED9BC9151D9DEA2F50CD 79E D911A6C6E40432C712FC393D151A6C42B6070D072EC9FCEC0AF2B61CB96F14CF254DD50FD20FCD3 124A3A01B766A1EE4B F0500 C:\Users\HERBBL~1\AppData\Local\Temp\~DF77CDF0CE94A5135.TMP data CA0FD33F64566DFA975CDFC7109EB BD2E2153F396BDC49DD31A6A4EF3BFE7A9B 69A6BE195B69AF4F5E00BE032D19C30FC70C14D927E03E6AD399B221B F59394F02C1EADF9BCD3C2E4AEDE121A220B50ADAD30F62AC590DCDF4E6240A04DF7A2591C716339FC CEA4D6B43E400FF9D612A C:\Users\HERBBL~1\AppData\Local\Temp\~DFF0C0612BB202E6E.TMP FoxPro FPT, blocks size 25, next free block index D25ACFA2AED2D37B06DBDDA39E F1ECFF4A60965BE6626DBCB0A C1CA91 ABA2A9F6C066FDE00F966269FBFEADB7C5FFA644DF711244B76B7FA29AC59 BB4345E0DB6BC3F62120CC26CC0E1B21E735CDC0DF2D3F167E36C96A09F9BB5BFFDB970FF99D9AB429C1C953F1 61C77009F64E0C7D10ACDF6ADA90DBAA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA974A10C4BD62CC921D13E43B1_BEB37ABADF B E0 4 data B556CDA9CB7DD3505EFF20407FE6AFAA 9FF906CBEB2C5BFDCC9C1DFF27536E43C A2993EDF94DAA4D7206BDAADDD1A4BF61EF5E5E65CEB0B0212BAD1 6AD756739D92B490E20D4916BA6FB9C E07DDDFD9473EAFF7AC5635A7D D1EEE6CE1077CD 1ACCE3F92F01D700F775CDB5EEDB9E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57CEDB95DF3F0AD4EE2DC2BCFD4157 data D05C67DA191E1F3DD6C1BAD AF16164FFAD6549E6E137B2430B11415F4DA 94CD10B96997BCABFBE04E69FF2EBF33449C5624B51652FCE302A4CB1 7ED A7AAFED4A4EEB9E10320BE F5C3917BE796A995B991F2C64A3BF7019F955DDC414C03F045 FCA4F437BDB2E01D66B142C3F674B C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA974A10C4BD62CC921D13E43B1_BEB37ABADF B E04 data 1E62A149DBAF C7F00F7C E3EFB050AF6C535B5413D0A221F274 9CBAFA3C5570DF1B5F46FFD1E1523B377714B5151D5D3C15E6ACDD971C7 42A4B6F999B24043E6ECD70D13E7DA0F02B72EC5CFBA99393A372DE7C0B7DADF3AEBC37FAE657CA0265EEA D1E01D15B43346A FC5 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416BB2E3A}.ico PNG image data, 16 x 16, -bit/color RGBA, non-interlaced 5B1904E3BC E7AC4A4A 96607BA DF3A A5E3BA63D 507C6472EB17E23D90C7BE73B3105C32B D0647B35046A32BE BF5DBCCBAD4CA240A2DDAD2DE73BFC434193A4F A EC92D99AA6B0C569C702FD155663DF 2916F74561CAE1FC73C0D9DD1A9FF7 Copyright Joe Security LLC 2017 Page 10 of 2

11 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators E6306BB52BF6F6D5D91B9D0B1E36F14 3F409FAE3E27D64695D977FF7B92AF3EE06024C4 1E096E9B5D61EF9203FEE7246B FE954DF36075FA0F2CE1B4677 0A913C7C1546F59CF1B173D65FDEA3DBBFE4D5B30909EDA1AA27CB4BC0ABDD1BD9A4D496515D633575D3EA5 50BDA06AE91D95FD654D7614C5CD C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E9A54361-E1EF-11E7-B7AC-B2C276BF9C}.dat Microsoft Word Document CDD6D31130EDAE472D6F6B4AD9C A129AA3D7F051F9BA7A1BF6F4A5C1DAFB21 6FC590A2ADC17E1DEE5432CA F69E4FC09BD7DAF1F044C233B947 96B5B2FC55F7ECF3C5CB65A6D497E64BB26D1BCD6AB6557E73D773D345DAAD96315BE5D1D442B4ADEE4E370 E97DD54F36C02D7AD92CEFA363F05D7D C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E9A54363-E1EF-11E7-B7AC-B2C276BF9C}.dat Microsoft Word Document FCD395F7749B0259E F3433 CD4736CE147C4645B596AFDC40FAC04AFB94 FC04DC4EFEB420BAB03032C19D3A7F6A1D45E2F53467BE44294F0F3F AEC71C16E5F4CA704604D917546FE7DAB44FC96EBF1762CAC601B7DF1CF74E1F5A0D1023D01207DBF5707C9B 23C4D45F92174CC4B5AE7C0B1C07A2 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F0EA75C0-E1EF-11E7-B7AC-B2C276BF9C}.dat Microsoft Word Document 57D7BE30C62D12FB19A09CE45CFD 3F7C27496E7A0DA1A996966D771E3A12395B0 410D517C2C1C03EC54E30C30C0D9D5F2E51D56E369B0094CCFC1B3B9B9904 C29561EBEB9373BE6B0054CA7AB245D9C50F33551AE D29E74103F327DDE62E9705B5266E3C7040B07E0 DCDC70D0ECA9A071AC015AD922AFE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\verACF1.tmp XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators E19AB74E16EFE96F142EB4 66B9CE117BACE50B09B4AB506C CD 2B25A9DD5C47DA01025E1BC93D512BE44359AF1003FE1B5390E93519C60A E01570FA713BAB17D4941A1D46605D5C0FB9635C E26F60A256F40D260B662CDAF2ED064D52CC57400DAD9B DB4FE1677D1559FBBF7B6406D2C75 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[1].ico PNG image data, 16 x 16, -bit/color RGBA, non-interlaced 5B1904E3BC E7AC4A4A 96607BA DF3A A5E3BA63D 507C6472EB17E23D90C7BE73B3105C32B D0647B35046A32BE BF5DBCCBAD4CA240A2DDAD2DE73BFC434193A4F A EC92D99AA6B0C569C702FD155663DF 2916F74561CAE1FC73C0D9DD1A9FF7 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\suspendedpage[1].htm HTML document, ASCII text, with very long lines BA2756CE2F1E01F3A753D7A0B2ECA5 A095E36BDFFB91141EA9DCA3B713C327C771B 17FA2F3324D45C27A31ED51DAB739C7F09B57315B769B955AD2C9AD1D7B BE312BF021CB69E5E5EFEEAEC1E9EFD4154C2591FF061CB217742CEE3A993A1DD59B96B30E7CF6B0F0CE7F44 C ECB00C9DF4335CA4B175F Copyright Joe Security LLC 2017 Page 11 of 2

12 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\suspendedpage[1].htm C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\fontawesome-webfont[1].eot Embedded OpenType (EOT) F7C2B4B747B1A225EBDEE034134A1B0 3E63FC9B3DE450F1F3BEC F755B0F167 CBB644D0EE730EA57DD5FBAE35EF5BA4A41D57A254A6B1215DE5C9FFA321C2D FB32EEC02C6A295931F39A3C1B63254F4D29CE97DED4C CB922D1770C445A1954AA6BCA27E12E C7D17C7361FA19CEEA1DB7E5491 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\2iRsCey[1].htm HTML document, ASCII text 9B1E9423F2BDC3DA4E94A32FAB A44AFDE9E146674A5BBFF C47F2E1 23C9963F6B793440CE90A5BF14BD01BCE3B61F5A7E9C9F1FF045F2C9A7E DCADA29C0BE21A6F54FA56A171DD4D659C1FB5ABCC51CB3E7D6A7C5CE393A4EC165C4C2CD51D6269D3DA5502D0 9C297B9A23E75335F9B3E5CC20C523 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\suspendedpage[1].htm HTML document, ASCII text, with very long lines BA2756CE2F1E01F3A753D7A0B2ECA5 A095E36BDFFB91141EA9DCA3B713C327C771B 17FA2F3324D45C27A31ED51DAB739C7F09B57315B769B955AD2C9AD1D7B BE312BF021CB69E5E5EFEEAEC1E9EFD4154C2591FF061CB217742CEE3A993A1DD59B96B30E7CF6B0F0CE7F44 C ECB00C9DF4335CA4B175F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\font-awesome.min[1].css ASCII text, with very long lines 04425BBDC6243FC6E54BF94FE50330 C15C6BD2C71E9EF1BB11CF24E502FE0751AC5 541AC5217AADE1A5E292A65A0661DC9DB7A49AE A4FBC6761AFD BCF90CAD4E BA5DB4ADEDF53E EF5F724DD5F3B1A03430B10A4A304A4A12419F26569AD9D50 9FF4F06FA100E72A5D3A063E0F5F5 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\iecompatviewlist[1].xml XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators E6306BB52BF6F6D5D91B9D0B1E36F14 3F409FAE3E27D64695D977FF7B92AF3EE06024C4 1E096E9B5D61EF9203FEE7246B FE954DF36075FA0F2CE1B4677 0A913C7C1546F59CF1B173D65FDEA3DBBFE4D5B30909EDA1AA27CB4BC0ABDD1BD9A4D496515D633575D3EA5 50BDA06AE91D95FD654D7614C5CD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\urlblockindex[1].bin data FA51E3DFAECA3A0E495460FD60C791 E4F30E D37267C0162FD4A093400C C4B4E5F3F9FD5A27E61C471B3EE126396B6D129499AA7 D21667F3FB01D39B57917E74E9BB1B6E9A97F C165729A5F177DC0ADADD90CD026C7A601D416665A1AC13 A69E49A6A2FE2FDD096793AA645C07 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\YEUSPCOO.txt ASCII text 642B2B12FF51956B0F4FACD1BBD21F F7D2FEB92D3CCA EA747BCF76FA65AD2D 3A9AE EEE349B1DEF7309C5F22DB51ADA06C50730FB55767EB1B5 Copyright Joe Security LLC 2017 Page 12 of 2

13 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\YEUSPCOO.txt B30D3DED1EB173F619916EF679A24D5A3796A5E57ED773BD B35EE41439C0DD2272A09C9BF29BC6C47454 B20EE5A9FB Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection maxcdn.bootstrapcdn.com true 0%, virustotal, Browse true bit.ly true 2%, virustotal, Browse divasclassicmakeup.ts5servicesltd.com true Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious United States AS-NETDNA-netDNAUS United States SHELLS-24SHELLSUS United States BITLY-AS-BitlyIncUS Static File Info No static file info Network Behavior Network Port Distribution Copyright Joe Security LLC 2017 Page 13 of 2

14 Total Packets: (HTTP) 53 (DNS) TCP Packets Timestamp Port Dest Port IP Dest IP Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Copyright Joe Security LLC 2017 Page 14 of 2

15 Timestamp Port Dest Port IP Dest IP Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Copyright Joe Security LLC 2017 Page 15 of 2

16 Timestamp Port Dest Port IP Dest IP Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Copyright Joe Security LLC 2017 Page 16 of 2

17 Timestamp Port Dest Port IP Dest IP Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET UDP Packets Timestamp Port Dest Port IP Dest IP Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Copyright Joe Security LLC 2017 Page 17 of 2

18 Timestamp Port Dest Port IP Dest IP Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :30: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET Dec 16, :31: CET DNS Queries Timestamp IP Dest IP Trans ID OP Code Name Type Class Dec 16, :30: CET x7424 Standard query (0) bit.ly A (IP address) IN (0x0001) Dec 16, :30: CET x549 Standard query (0) Dec 16, :30: CET xdd Standard query (0) Dec 16, :30: CET x79fe Standard query (0) lassicmake up.ts5serv icesltd.com A (IP address) divasclass A (IP address) icmakeup.t s5servicesltd.com maxcdn.boo tstrapcdn.com A (IP address) IN (0x0001) IN (0x0001) IN (0x0001) DNS Answers Timestamp IP Dest IP Trans ID Replay Code Name CName Address Type Class Dec 16, x7424 No error (0) bit.ly A (IP address) IN (0x0001) 00:30: CET Dec 16, :30: CET Dec 16, :30: CET x549 No error (0) lassicmake up.ts5serv icesltd.com xdd No error (0) divasclass icmakeup.t s5services ltd.com Dec 16, x79fe No error (0) maxcdn.boo 00:30: tstrapcdn.com CET A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) HTTP Request Dependency Graph bit.ly divasclassicmakeup.ts5servicesltd.com maxcdn.bootstrapcdn.com Copyright Joe Security LLC 2017 Page 1 of 2

19 HTTP Packets Timestamp Port Dest Port IP Dest IP Header Dec 16, :30: CET GET /2iRsCey HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: bit.ly DNT: 1 Connection: Keep-Alive Dec 16, :30: CET HTTP/ Moved Permanently Server: nginx Date: Fri, 15 Dec :30:45 GMT Content-Type: text/html; charset=utf- Content-Length: 13 Connection: keep-alive Cache-Control: private, max-age=90 Location: eicow/sotpie/button1.php?break=1y0fvx03pdwkd0f Set-Cookie: _bit=hbfnuj-ede214611cdaa296-00m; Do main=bit.ly; Expires=Wed, 13 Jun :30:45 GMT Data Raw: 3c d 6c 3e 0a 3c e 3c c 65 3e c 79 3c 2f c 65 3e 3c 2f e 0a 3c 62 6f e 3c d a 2f 2f e c d 61 6b e c e 63 6f 6d 2f 6a f 77 2f 73 6f f f 6e 31 2e f b 3d b e 6d 6f c 2f 61 3e 3c 2f 62 6f e 0a 3c 2f d 6c 3e Data Ascii: <html><head><title>bitly</title></head><body><a href=" w/sotpie/button1.php?break=1y0fvx03pdwkd0f">moved here</a></body></html> 1 Dec 16, :30: CET GET /jeicow/sotpie/button1.php?break=1y0fvx03pdwkd0f HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate DNT: 1 Connection: Keep-Alive Host: Dec 16, :30: CET HTTP/ Found Date: Fri, 15 Dec :30:46 GMT Server: Apache Location: ys/suspendedpage.cgi?break=1y0fvx03pdwkd0f Content-Length: 276 Connection: close Content-Type: text/html; charset=iso-59-1 Data Raw: 3c f d 4c c d 2f 2f f 2f d 4c e 30 2f 2f 45 4e 22 3e 0a 3c d 6c 3e 3c e 0a 3c c 65 3e f 75 6e 64 3c 2f c 65 3e 0a 3c 2f e 3c 62 6f e 0a 3c e 46 6f 75 6e 64 3c 2f e 0a 3c 70 3e f d 65 6e d 6f c d a 2f 2f c d 61 6b e c e 63 6f 6d 2f d f e e f b 3d b e c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f e 3c 2f d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body> <h1>found</h1><p>the document has moved <a href=" edpage.cgi?break=1y0fvx03pdwkd0f">here</a>.</p></body> </html> 3 Dec 16, :30: CET GET /cgi-sys/suspendedpage.cgi?break=1y0fvx03pdwkd0f HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate DNT: 1 Host: divasclassicmakeup.ts5servicesltd.com Connection: Keep-Alive Total Bytes Transfered (KB) Copyright Joe Security LLC 2017 Page 19 of

20 Timestamp Port Dest Port IP Dest IP Header Total Bytes Transfered (KB) Dec 16, :30: CET HTTP/ OK Date: Fri, 15 Dec :30:47 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html Data Raw: d 0a 3c f d 6c 3e 0a 3c d 6c 3e 0a c e 0a c 6d d d f 6e e 74 2d f 6e e 74 3d f d 6c 3b d d e 0a c 6d d d d 63 6f 6e f 6c f 6e e 74 3d 22 6e 6f 2d e 0a c 6d d d d f 6e e 74 3d 22 6e 6f 2d e 0a c 6d d d f 6e e 74 3d e 0a c 6d e 61 6d 65 3d f f 6e e 74 3d d d c e c 2d c 65 3d 31 2e e 0a c c 65 3e f 75 6e e c 2f c 65 3e 0a c 6c 69 6e 6b c 3d c d 22 2f 2f 6d e 2e 62 6f 6f e 2e 63 6f 6d 2f 66 6f 6e 74 2d f 6d 65 2f 34 2e 33 2e 30 2f f 66 6f 6e 74 2d f 6d 65 2e 6d 69 6e 2e e 0a c c d f e 0a f b 0a f 6e 74 2d d 69 6c 79 3a c 2c c c e 73 2d b 0a f 6e 74 2d a 65 3a b 0a c 69 6e 65 2d a e b 0a b f 75 6e 64 2d 63 6f 6c 6f 72 3a b 0a f 6c 6f 72 3a b 0a e 67 3a b 0a d e 3a b 0a d 0a f 6e 20 7b 0a c a c 6f 63 6b 3b 0a e 67 3a b 0a d e 3a b 0a d 0a e 63 6f 6e e b 0a d e 2d 6c a f 3b 0a d e 2d a f 3b 0a e 67 3a b 0a d 0a e f 6e 61 6c 2d 69 6e 66 6f 20 7b 0a b f 75 6e 64 2d a 20 6e 6f 2d b 0a b f 75 6e 64 2d 63 6f 6c 6f 72 3a b 0a f 6c 6f 72 3a b 0a d 0a e f 6e 61 6c 2d 69 6e 66 6f 2d d b 0a e 67 3a b 0a d 69 6e 2d a b 0a d 0a e 69 6e 66 6f 2d e b 0a f 6e 74 2d a 6 Data Ascii: 1c92<!DOCTYPE html><html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-"> <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="pragma" content="no-cache"> <meta http-eq uiv="expires" content="0"> <meta name="viewport" content= "width=device-width, initial-scale=1.0"> <title>account S uspended</title> <link rel="stylesheet" href="//maxcdn.bo otstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css"> <style type="text/css"> body { font-fa mily: Arial, Helvetica, sans-serif; font-size: 14px; line-height: ; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section { display: block; padding: 0; ma rgin: 0; }.container { margin-left: auto; margin-right: auto; padding: 0 10px; }.additi Copyright Joe Security LLC 2017 onal-info { background-repeat: no-repeat; backgr Page 20 of 2

21 onal-info { background-repeat: no-repeat; backgr ound-color: #293A4A; color: #FFFFFF; }.addit ional-info-items { padding: 20px; min-height: 19 Dest 3px; }.info-heading { font-weight: Timestamp Port Port IP Dest IP Header Dec 16, :30: CET GET /font-awesome/4.3.0/css/font-awesome.min.css HTTP/1.1 Accept: text/css, */* Referer: s/suspendedpage.cgi?break=1y0fvx03pdwkd0f Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: maxcdn.bootstrapcdn.com DNT: 1 Connection: Keep-Alive Dec 16, :30: CET HTTP/ OK Date: Fri, 15 Dec :30:4 GMT Content-Type: text/css Transfer-Encoding: chunked Connection: keep-alive Last-Modified: Thu, 22 Jan :53:3 GMT ETag: W/"04425bbdc6243fc6e54bf94fe50330" Server: NetDNA-cache/2.2 Expires: Mon, 10 Dec :30:4 GMT Cache-Control: max-age= Vary: Accept-Encoding Access-Control-Al-Origin: * X-Hello-Human: Say hello on Twitter X-Cache: HIT Content-Encoding: gzip Data Raw: d 0a 1f b cd 5c 5b f db e df 5f e1 9d c6 6c e5 72 5d 5c 9 dd de 0b 06 6 a0 07 f3 d0 f3 b0 0f fb cd 94 2c 29 ba 94 ab 12 e4 bf cf e 2c 55 7d f4 66 d1 2f db 0 d0 65 e9 a4 c f e7 fa 51 9f fe f4 cf ff b4 fa d3 6a f5 97 a6 1e 56 ff 7e 32 7d ab eb ab cd d5 7a 95 bd ac 7e 2e f4 93 d9 eb ba ab c3 30 b4 bb 4f 9f 4a 92 d4 41 f0 ca fd e7 d9 15 df d6 af f 62 f 7c aa f fe 7b d7 e9 6e f5 db 2f bf ae fe f6 97 5f 57 ea 4a 7d 5c fd e7 6f bf ed 56 7f fd e5 ef d2 c 07 6a f1 93 ef e be f1 5f 47 5b bd ec de b9 e7 79 cc ef 1e fa 2e df d 5d f5 fe dd d5 95 1f 63 3f 1f bb a e1 df 9e fe ec 5f f0 dd 7 ff c3 33 3f da e7 7f 99 1e 5d 95 4d 77 d4 c3 fb 77 e a d2 b4 a6 1e 5e 5a f3 ee c3 c7 ff 7d 1 a7 a6 2c d3 f3 40 a6 d6 fc f5 1f 6e 21 d2 c0 0f 3d 3f 0c c e 46 f3 c3 2f d1 3f ed a5 9 9f 66 1 e cc 7e ac 74 f7 ee c3 f ed 97 ee 64 ec fe 30 ec 6a 37 7b 55 b d4 0f 2f 95 e1 2b df af 4a fd ad b0 7d 5b e9 97 9d ad 2b 5b 9b 24 ab 9a fc d1 b b2 d0 2a 3c 2d ff 53 d7 ed f3 27 e5 11 cc 60 e0 76 ed d 1c 4c c1 3c 0f ea 2 7e d5 fb 9d 1e 7 e6 c1 1 e2 d1 12 b0 fc 2 e 4d 33 1c fc bd 7a b0 ba b2 ba 37 c c be 26 4d ff fc 5a 66 df e9 97 3e d a 5d f7 0e 0c 3b ff 57 a5 07 f3 7e fd 71 b5 fe e0 5e 25 a9 f6 01 b1 bd 1b b ba da f0 7f e6 f e0 5f ed e3 ea 76 4b 57 9e 4c a 33 a1 ce f7 f5 2e 51 db 3f fa 36 d2 e7 59 1b a9 39 fa b 9b f9 c5 0d 5f bc 9e 5f bc e6 b db f9 45 ea c7 3f 5e 9e be 9d 6c 31 1c 6 4c e9 dd f6 56 5d a7 f f 49 a1 77 da c1 3 e9 bc ec 5 7d 6b d0 d dd fa e1 a bb bd ad c3 af f4 a 1e f6 4d f 97 ea 79 3d a af da 70 1b ff 5a d9 6f 6d d3 db c1 36 f5 ae f f6 29 dc 9b df d0 59 df 54 e3 60 1e 7c db c9 a2 f1 30 e0 c5 a5 a f3 fe f1 0b aa ae c2 1b df dd f d 47 b dc 5d d1 1c af ae 52 9a aa d b 13 ee ef 6 64 b6 5 5d ad ef e c6 4f c6 1 be 9e 74 ba b0 63 4f e3 70 cd b d 5b d5 6f 65 d5 e 61 e7 ff e6 eb ae 7f be ec fe 74 6f 1f 1e f fd 03 bb 2b 5e d f fb 49 df da fa 9b d b 61 9a f6 2b 5b 97 b6 b c e9 ee e fc c2 d0 d0 7a 73 a1 6d 35 6b bb 1f 4c db bf bf fb 00 5a df 7f f 9a 97 b2 d3 47 d3 af 7 c df d6 7f 9c fa 3c 6f ae ae 19 fc ce 2a cc fe c3 6c cf cd 2f 7f 57 eb 4b f 6e b6 f7 f 61 be f1 fd fb cf ff f c6 e2 e6 3f bc 5c 72 bf fe 56 da a 76 e3 ae ed 9a bd 2d 76 ff f5 df bf 1c f5 de fc 5d 34 cf d5 5f 6d de 35 7d 53 0e 57 ff a1 7b 9b fb bb ef fd d f ab 0f 93 a6 7b 33 9f f f c4 ee 45 ae 7b 4 f0 0 d5 dd ef 1c 62 7a 61 d4 7 7c c 72 f3 cd 20 f9 c6 7c 94 e9 ed ef 1c e5 e6 c2 2 a9 f1 f 2 e5 e6 9b 51 f2 d a0 92 2b db 26 7 a6 b3 5f 9d 3 55 fd be b 74 b4 5d d f5 bd e9 7a 9f 90 bf e5 c0 b1 Data Ascii: 1751\[~_lAT1r]\hBI,)!y,U}f/eQjV~2}s4z~.xY%0OJA6 t67uob {n/_wj}\ovj!)un_g[y.]c?ir2xe_3?ys]mww0e^z},@n!=? %x F/?f~tV$Hd0j7{U/+J}[+[$*<-S'`vWCmLg<Ig~(M3z7Crl&MZf> y:];w~q^%_fvkwl7xj3.q?6y9 E?^l1hLV]4?IwX}kuQ$)My= "ZpZom634O)YT` 0iwT"4ddMG]RrhdX]OtcOpcU%[oeato7xV+ ^yii YaWwg+[Y9Gzsm5kLZGb!?Gx<o*l/WKna?\rVv-v]4_m5} SW{?{3aBcE{bzax r ((Q+&_U5't]txz 15 Total Bytes Transfered (KB) 14 Copyright Joe Security LLC 2017 Page 21 of 2

22 Timestamp Port Dest Port IP Dest IP Header Dec 16, :30: CET GET /font-awesome/4.3.0/fonts/fontawesome-webfont.eot? HTTP/1.1 Accept: */* Referer: s/suspendedpage.cgi?break=1y0fvx03pdwkd0f Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Origin: Accept-Encoding: gzip, deflate Host: maxcdn.bootstrapcdn.com DNT: 1 Connection: Keep-Alive Dec 16, :30: CET GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: divasclassicmakeup.ts5servicesltd.com DNT: 1 Connection: Keep-Alive Total Bytes Transfered (KB) Copyright Joe Security LLC 2017 Page 22 of 2

23 Timestamp Port Dest Port IP Dest IP Header Dec 16, :30: CET HTTP/ OK Date: Fri, 15 Dec :30:49 GMT Content-Type: application/vnd.ms-fontobject Transfer-Encoding: chunked Connection: keep-alive Last-Modified: Thu, 22 Jan :53:40 GMT ETag: W/"f7c2b4b747b1a225ebdee034134a1b0" Server: NetDNA-cache/2.2 Expires: Mon, 10 Dec :30:49 GMT Cache-Control: max-age= Vary: Accept-Encoding Access-Control-Al-Origin: * X-Hello-Human: Say hello on Twitter X-Cache: HIT Content-Encoding: gzip Data Raw: d 0a 1f b b d 3c d0 ee c1 1d 0e ee d ee 7a a7 b bb bb 3b 94 a2 c5 dd a b 50 b ef 7c bf ae cc dd 4c b2 d b f9 95 c9 3e d e e4 7f 0d 1a f0 bf 0b f0 1f 26 af fc 7f c0 ff 19 ff c1 ff ca c5 3 ff b7 0f 00 c c 00 e c0 0b fb cf 72 f 4f a 00 d5 ff b4 15 c f b fe ff 43 5c ff b b1 f9 9f c0 fe 5f 67 f9 6f ce f6 df c 0a e0 fc 2f e fa ff f4 ff d5 a4 fe 9f 1d a 03 2e 5d e a ac df f e6 d1 75 4a c e de d d b9 db f9 db b 40 c d ce de e1 7a 99 f5 f a a9 b3 ed e5 0c de 3f cb 4c 9b cc 70 ba a1 4e 0d 7c 9a 0b 6a 13 c4 3 7e e3 4b fa dc ac f1 a1 c5 49 cd c d1 ad c7 e4 b4 0e 25 cd d7 05 c7 16 be c 73 3f 4a 36 f c 36 5f 2e 75 df 5b bb 43 cc e 39 e e4 5 cc 42 3a 43 7f d d ab 75 f4 5d a3 5 a1 ee 6d fe 40 7b d0 5 7 f9 7e 3d 5e a9 f1 2e 42 0c 12 f1 0 fc b 6b bd b 2e 6b bf 4 ed eb 35 3 d2 f1 1 a ed e0 45 4e e2 4e 54 b4 9a 31 6f 37 0e ff e3 1e 35 ae d9 79 3c a2 37 a 09 4a 0f d d2 4a 01 f7 b 64 a bd 1b 2a b5 f f2 ca ca b 5a b5 cc e5 a2 0b c5 d af 57 d7 4b 43 f2 6 ba 6f e9 2a 2 9 b0 df 09 b e e5 4c 27 c2 3 fa b f 59 5d ad f0 3 e2 4 a 34 5d 1 ed f1 2b 2e e9 6b 1a 64 3e aa e c f 09 c1 2e cb f f 3f 4f 5e f 10 cd 7e 50 cf db 36 c1 1b 19 f fe 49 d2 3 4c aa a6 b a3 7 e0 9c d 25 c1 aa 4a df 6a a9 60 7e dc b3 2b d4 fa 93 4d 33 6b ee 2b 7b e1 b ce 97 3b 15 9e 1a 9 21 b1 20 b2 fc c3 32 b 9a 62 5d c 2e 04 d f b4 d3 1b 4e 57 5f 15 d b2 51 d3 ab 3e 6f a1 70 ed bd 59 6e ab b9 6b d9 ca ed cf f6 bf 19 fc f0 3c 7a c4 a d2 5c 66 2e 36 f3 57 f3 0f ae d 96 ce 54 a 1b ba fa b db a4 3d 3e dd d6 49 9a e a 4a 1a 1 15 e6 c e5 b6 01 9e e3 34 3a 0 d1 9a 3f 9c d 2d ee a 4c 74 db 6f 9 fe f e4 ff d6 d3 d0 d9 56 b ac 2b 6 1b a 31 cc 70 de dd bc d 99 bb d6 3 e2 56 e c9 5e 47 e5 be 0e d 33 cf 57 cc cc 9c dd 54 9 c5 b5 e9 01 f3 f9 79 d d1 09 d5 9 dd 49 e1 bb c4 b1 1a 30 d6 52 ca e 1e 05 bc 3 5d f2 a1 ac c0 2b b2 b0 e 3a 62 e9 fb fc 7b 21 be b 55 c7 55 6e 4 2e 29 c2 ba 14 dd 0a 27 c a 4d 47 ff dc 21 dd 50 6e 7c a 4a 61 ce 1e a6 6e a5 6f 3 d d1 6a 01 d6 9e 1c d e7 5 6a 59 d2 04 ad 29 5e d4 70 d9 4e d6 9 d d1 45 f e2 9e bf e a1 90 c fe f4 5a Data Ascii: 400at{eP<pp-zpwwww;www+P Lg7;>]> &#Hw `pro`0p4c\5 _go/ddca.]zgquj$ieeb@h"'"zxfqz?lpn j~ KhfIb%sBs?J6`6_.u[C9XB:C%ib-u]Xm@{Xx~=^S.BCKkXU71 IE.kH5EENh"NT1o75y<&sT7JPpJd$fq`*fU+ZWKCho*)L'UOY ]H4]+.kd>.s?O^~P6C1IL2i1S1a&%Jj`~0q+M3k+{w;! 2b]3 '.DeNW_bQ>opYngak<za (b\f.6wtpw=>rit$nj4:?-vvg"lto AAsVaB+iI1piVvaU^GTm3WTyvDIw 0R]+:b{!SUUn.)'q"*MG 6Q!Pn 1*Jano6Cj5XjY)^pNEA(Z 23 Total Bytes Transfered (KB) Copyright Joe Security LLC 2017 Page 23 of 2

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis