ID: Cookbook: browseurl.jbs Time: 03:15:55 Date: 26/01/2019 Version: Tiger's Eye


2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Mitre Att&ck Matrix Signature Overview Networking: System Summary: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN JA3 Fingerprints Dropped Files Screenshots Thumbnails Startup Created / dropped Files Domains and IPs Contacted Domains Contacted URLs URLs from Memory and Binaries Contacted IPs Public Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets HTTPS Packets Code Manipulations Statistics Behavior Copyright Joe Security LLC 2019 Page 2 of

3 System Behavior Analysis iexplore.exe PID: 4236 Parent PID: 724 General File Activities Registry Activities Analysis iexplore.exe PID: 3924 Parent PID: 4236 General File Activities Registry Activities Disassembly Copyright Joe Security LLC 2019 Page 3 of 26

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Tiger's Eye Start date: Start time: 03:15:55 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: CloudBasic 0h 4m 25s light browseurl.jbs viads.blogsyte.com/target/ Analysis system description: Windows bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash Number of analysed new started processes analysed: 7 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Warnings: Timeout CLEAN EGA enabled clean0.win@3/21@4/3 Adjust boot time Show All Exclude process from analysis (whitelisted): ieutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe TCP Packets have been reduced to 100 Detection Strategy Score Range Reporting Whitelisted Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Copyright Joe Security LLC 2019 Page 4 of 26

5 Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Mitre Att&ck Matrix Initial Access Execution Persistence Privilege Escalation Valid Accounts Windows Remote Management Winlogon Helper DLL Port Monitors File System Logical Offsets Copyright Joe Security LLC 2019 Defense Evasion Credential Access Discovery Credential Dumping System Service Discovery Lateral Movement Application Deployment Software Collection Exfiltration Data from Local System Data Encrypted 1 Command and Control Standard NonApplication Layer Protocol 4 Page 5 of 26

6 Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Replication Through Removable Media Service Execution Port Monitors Accessibility Features Binary Padding Network Sniffing Application Window Discovery Remote Services Data from Removable Media Exfiltration Over Other Network Medium Standard Application Layer Protocol 4 Signature Overview Networking System Summary Click to jump to signature section Networking: Downloads compressed data via HTTP Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Uses HTTPS System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Spawns processes Found graphical window changes (likely an installer) Uses new MSVCR Dlls Behavior Graph Copyright Joe Security LLC 2019 Page 6 of 26

7 Hide Legend Behavior Graph ID: URL: Startdate: 26/01/2019 Architecture: WINDOWS Score: 0 started iexplore.exe Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Number of created Registry Values Number of created Files Visual Basic Delphi Java 6 84.Net C# or VB.NET C, C++ or other language started Is malicious iexplore.exe 1 38 rs-lb-a.lkqd.net , 443, 49800, RACKSPACE-RackspaceHostingUS United States viads.blogsyte.com , 49794, 49795, 80 CONTABOtoAS1299announceAS34933DE Germany 4 other IPs or domains Simulations Behavior and APIs No simulations Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Source Detection Scanner Label Link ads203.unoadsrv.com 0% virustotal Browse rs-lb-a.lkqd.net 0% virustotal Browse ssp.lkqd.net 0% virustotal Browse vast.videe.tv 0% virustotal Browse Copyright Joe Security LLC 2019 Page 7 of 26

8 URLs Source Detection Scanner Label Link viads.blogsyte.com/target/ 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=58 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=59 0% Avira URL Cloud safe viads.blogsyte.com/target/root 0% Avira URL Cloud safe viads.blogsyte.com/target/resources/jquery.min.js 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=54 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=55 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=56 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=57 0% Avira URL Cloud safe vast.videe.tv/? width=1920&height=1080&cb= &ua=mozilla%2f5.0%20%28windows%20nt% % Avira URL Cloud safe viads.blogsyte.com/favicon.ico~ 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=52 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=53 0% Avira URL Cloud safe viads.blogsyte.com/favicon.ico 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=60 0% Avira URL Cloud safe ads203.unoadsrv.com/tracking/impression/?adid=837ccc5a5184c9c7 0% Avira URL Cloud safe viads.blogsyte.com/target/d 0% Avira URL Cloud safe vast.videe.tv/? 
width=1920&height=1080&cb= &ua=mozilla%2f5.0%20%28windows%20nt%2010.0%3b% 20WOW64%3B%20Trident%2F7.0%3B%20rv%3A11.0%29%20like%20Gecko&uip=&app_name=Countr y%20music%20today&app_bundle=com.roku.countrymusictoday&device_model=steaming_media&devi ce_make=roku&device_category=movies&app_store_url=https%3a%2f%2fchannelstore.roku.com%2 Fen-ca%2Fsearch%2FCountry-Music-Today&device_id=b940bc13-64a8-8edc-a c800b569&aid= % Avira URL Cloud safe adid=837ccc5a5184c9c7&code=65 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=66 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=67 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=61 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=62 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=63 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=64 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=92 0% Avira URL Cloud safe adid=837ccc5a5184c9c7&code=71 0% Avira URL Cloud safe viads.blogsyte.com/target/vastvpaid-player.js 0% Avira URL Cloud safe ads203.unoadsrv.com/vast/? adid=837ccc5a5184c9c7&aid=377024&cmpid=292777&cb= % Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Copyright Joe Security LLC 2019 Page 8 of 26

9 Joe Sandbox View / Context IPs No context Domains No context ASN No context JA3 Fingerprints No context Dropped Files No context Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2019 Page 9 of 26

Startup

System is w10x64
iexplore.exe (PID: 4236 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 3924 cmdline: 'C:\Program Files (x86)\internet Explorer\IEXPLORE.EXE' SCODEF:4236 CREDAT:17410 /prefetch: CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DAC B-11E9-AAD9-C25F135D3C65}.dat
Microsoft Word Document

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DAC B-11E9-AAD9-C25F135D3C65}.dat
Microsoft Word Document

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DAC B-11E9-AAD9-C25F135D3C65}.dat
Microsoft Word Document

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 656

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 653

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 662

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 647

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 656

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 653

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 656

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 659

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 653

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\6aw4uvh\imagestore.dat
C:\Program Files (x86)\internet Explorer\iexplore.exe, data, Size (bytes): 1262

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\target[1].htm
C:\Program Files (x86)\internet Explorer\iexplore.exe, HTML document, ASCII text, with very long lines, with CRLF line terminators, Size (bytes): 4395

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\favicon[1].ico
C:\Program Files (x86)\internet Explorer\iexplore.exe, MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel, Size (bytes): 1150

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\jquery.min[1].js
C:\Program Files (x86)\internet Explorer\iexplore.exe, ASCII text, with very long lines

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\vastvpaid-player[1].js
C:\Program Files (x86)\internet Explorer\iexplore.exe, ASCII text, with very long lines, with escape sequences

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\N734AVTZ.xml
C:\Program Files (x86)\internet Explorer\iexplore.exe, XML 1.0 document, ASCII text, with very long lines, with no line terminators, Size (bytes): 2832

C:\Users\user\AppData\Local\Temp\~DF10E2898FA1A79C4F.TMP
data

C:\Users\user\AppData\Local\Temp\~DF3F6D99B7B0EDA8AE.TMP
data

C:\Users\user\AppData\Local\Temp\~DFF3B1E758A7848F31.TMP
data

Domains and IPs

Contacted Domains
Name IP Active Malicious Antivirus Detection Reputation
s-videe-tv.geodns.me true unknown
ads203.unoadsrv.com true 0%, virustotal, Browse unknown
rs-lb-a.lkqd.net true 0%, virustotal, Browse unknown
viads.blogsyte.com true unknown
ssp.lkqd.net unknown unknown 0%, virustotal, Browse unknown
vast.videe.tv unknown unknown 0%, virustotal, Browse unknown

Contacted URLs
Name Malicious Antivirus Detection Reputation
viads.blogsyte.com/target/ Avira URL Cloud: safe unknown
viads.blogsyte.com/target/resources/jquery.min.js Avira URL Cloud: safe unknown
viads.blogsyte.com/favicon.ico Avira URL Cloud: safe unknown
vast.videe.tv/?width=1920&height=1080&cb= &ua=mozilla%2f5.0%20%28windows%20nt% %3B%20WOW64%3B%20Trident%2F7.0%3B%20rv%3A11.0%29%20like%20Gecko&uip=&app_name=country%20music%20today&app_bundle=com.roku.countrymusictoday&device_model=steaming_media&device_make=roku&device_category=movies&app_store_url=https%3a%2f%2fchannelstore.roku.com%2fen-ca%2fsearch%2fcountry-music-Today&device_id=b940bc13-64a8-8edc-a c800b569&aid= Avira URL Cloud: safe unknown
viads.blogsyte.com/target/vastvpaid-player.js Avira URL Cloud: safe unknown
ads203.unoadsrv.com/vast/?
adid=837ccc5a5184c9c7&aid=377024&cmpid=292777&cb= Avira URL Cloud: safe unknown URLs from Memory and Binaries Name Source Malicious Antivirus Detection Reputation adid=837ccc5a5184c9c7&code=58 N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown msapplication.xml3.2.dr high adid=837ccc5a5184c9c7&code=59 N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown viads.blogsyte.com/target/root adid=837ccc5a5184c9c7&code=54 adid=837ccc5a5184c9c7&code=55 adid=837ccc5a5184c9c7&code=56 adid=837ccc5a5184c9c7&code=57 {DAC B-11E9-AAD9-C25F1 35D3C65}.dat.2.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown vast.videe.tv/? target[1].htm.3.dr Avira URL Cloud: safe unknown width=1920&height=1080&cb= &ua=mozilla%2f5. 0%20%28Windows%20NT% viads.blogsyte.com/favicon.ico~ imagestore.dat.3.dr Avira URL Cloud: safe unknown adid=837ccc5a5184c9c7&code=52 N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown Copyright Joe Security LLC 2019 Page 15 of 26

16 Name Source Malicious Antivirus Detection Reputation adid=837ccc5a5184c9c7&code=53 adid=837ccc5a5184c9c7&code=60 N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown msapplication.xml.2.dr high ads203.unoadsrv.com/tracking/impression/? adid=837ccc5a5184c9c7 N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown msapplication.xml5.2.dr high viads.blogsyte.com/target/d adid=837ccc5a5184c9c7&code=65 adid=837ccc5a5184c9c7&code=66 adid=837ccc5a5184c9c7&code=67 adid=837ccc5a5184c9c7&code=61 {DAC B-11E9-AAD9-C25F1 35D3C65}.dat.2.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown msapplication.xml7.2.dr high adid=837ccc5a5184c9c7&code=62 adid=837ccc5a5184c9c7&code=63 adid=837ccc5a5184c9c7&code=64 adid=837ccc5a5184c9c7&code=92 N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown msapplication.xml6.2.dr high adid=837ccc5a5184c9c7&code=71 N734AVTZ.xml.3.dr Avira URL Cloud: safe unknown msapplication.xml2.2.dr high msapplication.xml4.2.dr high Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Country Flag ASN ASN Name Malicious Netherlands ADVANCEDHOSTERS-ASNL Germany CONTABOtoAS1299announceAS 34933DE Copyright Joe Security LLC 2019 Page 16 of 26

IP Country Flag ASN ASN Name Malicious United States RACKSPACE- RackspaceHostingUS Static File Info No static file info Network Behavior Network Port Distribution Total Packets: (HTTP) 53 (DNS) TCP Packets Timestamp Source Port Dest Port Source IP Dest IP

UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP

DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
03:16: x8d29 Standard query (0) viads.blogsyte.com A (IP address) IN (0x0001)
03:16: x388a Standard query (0) vast.videe.tv A (IP address) IN (0x0001)
03:16: x44f7 Standard query (0) ads203.unoadsrv.com A (IP address) IN (0x0001)
03:16: x12f4 Standard query (0) ssp.lkqd.net A (IP address) IN (0x0001)

DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
03:16: x8d29 No error (0) viads.blogsyte.com A (IP address) IN (0x0001)
03:16: x388a No error (0) vast.videe.tv s-videe-tv.geodns.me CNAME (Canonical name) IN (0x0001)
03:16: x388a No error (0) s-videe-tv.geodns.me A (IP address) IN (0x0001)
03:16: x388a No error (0) s-videe-tv.geodns.me A (IP address) IN (0x0001)
03:16: x44f7 No error (0) ads203.unoadsrv.com A (IP address) IN (0x0001)
x12f4 No error (0) ssp.lkqd.net rs-lb-a.lkqd.net CNAME (Canonical name) IN (0x0001)
x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001)
x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001)
x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001)

20 Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) x12f4 No error (0) rs-lb-a.lkqd.net A (IP address) IN (0x0001) HTTP Request Dependency Graph viads.blogsyte.com vast.videe.tv ads203.unoadsrv.com HTTP Packets Session ID Source IP Source Port Destination IP Destination Port Process C:\Program Files (x86)\internet Explorer\iexplore.exe Timestamp 03:16: kbytes transferred Direction Data 7 OUT GET /target/ HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: viads.blogsyte.com Connection: Keep-Alive Copyright Joe Security LLC 2019 Page 20 of 26

Timestamp 03:16: :16: :16: kbytes transferred Direction Data
9 IN HTTP/ OK Server: nginx/ (Ubuntu) Date: Sat, 26 Jan :16:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Content-Encoding: gzip
10 OUT GET /target/vastvpaid-player.js HTTP/1.1 Accept: application/javascript, */*;q=0.8 Referer: Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: viads.blogsyte.com Connection: Keep-Alive
11 IN HTTP/ OK Server: nginx/ (Ubuntu) Date: Sat, 26 Jan :16:45 GMT Content-Type: application/javascript Content-Length: Last-Modified: Fri, 21 Dec :50:50 GMT Connection: keep-alive ETag: "5c1d19ea-fa54" Access-Control-Al-Origin: * Cache-Control: public, max-age= , immutable Accept-Ranges: bytes

Session ID Source IP Source Port Destination IP Destination Port Process C:\Program Files (x86)\internet Explorer\iexplore.exe
Timestamp 03:16: :16: :16: kbytes transferred Direction Data
10 OUT GET /target/resources/jquery.min.js HTTP/1.1 Accept: application/javascript, */*;q=0.8 Referer: Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: viads.blogsyte.com Connection: Keep-Alive
23 IN HTTP/ OK Server: nginx/ (Ubuntu) Date: Sat, 26 Jan :16:45 GMT Content-Type: application/javascript Content-Length: Last-Modified: Fri, 21 Dec :50:50 GMT Connection: keep-alive ETag: "5c1d19ea-1514f" Access-Control-Al-Origin: * Cache-Control: public, max-age= , immutable Accept-Ranges: bytes Data Ascii: /*! jquery v3.1.0 (c) jquery Foundation jquery.org/license */
166 OUT GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: viads.blogsyte.com Connection: Keep-Alive

Timestamp 03:16: kbytes transferred Direction Data

167 IN
HTTP/ OK
Server: nginx/ (Ubuntu)
Date: Sat, 26 Jan :16:46 GMT
Content-Type: image/x-icon
Content-Length: 1150
Last-Modified: Fri, 21 Dec :10:50 GMT
Connection: keep-alive
ETag: "5c1d48ca-47e"
Access-Control-Al-Origin: *
Cache-Control: public, max-age= , immutable
Accept-Ranges: bytes

Session ID Source IP Source Port Destination IP Destination Port Process C:\Program Files (x86)\internet Explorer\iexplore.exe

Timestamp 03:16: :16: kbytes transferred Direction Data

169 OUT
GET /?width=1920&height=1080&cb= &ua=mozilla%2f5.0%20%28windows%20nt%2010.0%3b%20 WOW64%3B%20Trident%2F7.0%3B%20rv%3A11.0%29%20like%20Gecko&uip=&app_name=Country%20Music%20 Today&app_bundle=com.roku.countrymusictoday&device_model=steaming_media&device_make=ROKU&device_cate gory=movies&app_store_url=https%3a%2f%2fchannelstore.roku.com%2fen-ca%2fsearch%2fcountry-music-today &device_id=b940bc13-64a8-8edc-a c800b569&aid= HTTP/1.1
Accept: */*
Referer:
Accept-Language: en-us
Origin:
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: vast.videe.tv
Connection: Keep-Alive

170 IN
HTTP/ OK
Server: Adtelligent 1.0
Date: Sat, 26 Jan :16:46 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 543
Access-Control-Al-Origin:
Access-Control-Al-Credentials: true
Content-Encoding: gzip
Set-Cookie: vmuid=56127f91ca028c75; expires=fri, 29 Mar :16:46 GMT; domain=.videe.tv; path=/


ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version: ID: 40237 Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

More information

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version: ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version: ID: 6467 Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0. ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

More information

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version: ID: 371 Sample Name: fly.jse Cookbook: default.jbs Time: 1:17:2 Date: 11/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version: ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: numbering.xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:39 Date: 27/04/2018 Version:

ID: Sample Name: numbering.xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:39 Date: 27/04/2018 Version: ID: 92 Sample Name: numbering.xml Cookbook: defaultandroidfilecookbook.jbs Time: 0:1:9 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version: ID: 388 Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:4 Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: ID: 35936 Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: [Content_Types].xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:19 Date: 27/04/2018 Version: 22.0.

ID: Sample Name: [Content_Types].xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:19 Date: 27/04/2018 Version: 22.0. ID: 92 Sample Name: [Content_Types].xml Cookbook: defaultandroidfilecookbook.jbs Time: 0:1:19 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 23:15:42 Date: 15/01/2018 Version:

ID: Cookbook: urldownload.jbs Time: 23:15:42 Date: 15/01/2018 Version: ID: 42733 Cookbook: urldownload.jbs Time: 23:15:42 Date: 15/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: fonttable.xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:14:58 Date: 27/04/2018 Version:

ID: Sample Name: fonttable.xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:14:58 Date: 27/04/2018 Version: ID: 6926 Sample Name: fonttable.xml Cookbook: defaultandroidfilecookbook.jbs Time: 0:14: Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information