ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version:


Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
  Signature Overview
    Networking:
    System Summary:
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshots
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    No static file info
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis iexplore.exe PID: 3732 Parent PID: 548
      General
      File Activities
      Registry Activities
    Analysis iexplore.exe PID: 3796 Parent PID: 3732
      General
      File Activities
      Registry Activities
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information

Joe Sandbox Version:
Analysis ID:
Start time: 19:37:50
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 5m 7s
Hypervisor based Inspection enabled:
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: report=nfs_jundiai.rptdesign&cdverificacao= &numnota=59
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@3/31@3/2
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  Adjust boot time
  Correcting counters for adjusted boot time
Warnings:
  Exclude process from analysis (whitelisted): WmiPrvSE.exe, dllhost.exe
  Execution Graph export aborted for target iexplore.exe, PID 3796 because there are no executed function
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Detection

Columns: Strategy, Score, Range, Reporting, Detection
Threshold; Report FP / FN

Confidence

Columns: Strategy, Score, Range, Further Analysis Required?, Confidence
Threshold; true

Classification

[Classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Analysis Advice

Sample HTTP request are all non existing, likely the sample is no longer working
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

Networking:
  Social media urls found in memory data
  Downloads files
  Downloads files from webservers via HTTP
  Found strings which match to known social media urls
  Performs DNS lookups
  Tries to download non-existing http data (HTTP/ Not Found)
  Urls found in memory or binary data

System Summary:
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Reads ini files
  Spawns processes
  Uses an in-process (OLE) Automation server
  Found graphical window changes (likely an installer)
  Uses new MSVCR Dlls

Behavior Graph

ID:
URL: report=nfs_...
Startdate: 11/05/2018
Architecture: WINDOWS
Score: 0

[Behavior graph figure. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.]

Graph nodes:
  started iexplore.exe
  started iexplore.exe 2 21
  jundiai.ginfes.com.br , 49175, 49176, 80 UOLDIVEOSABR Brazil
  visualizar.ginfes.com.br , 49177, 49178, UOLDIVEOSABR Brazil

Simulations

Behavior and APIs

Time, Type, Description
19:38:24, API Interceptor, 556x Sleep call for process: iexplore.exe modified

Antivirus Detection

Initial Sample
  Source, Detection, Scanner, Label, Link
  report=nfs_jundiai.rptdesign&cdverificacao= &numnota=59, 0%, virustotal, Browse

Dropped Files
  No Antivirus matches

Unpacked PE Files
  No Antivirus matches

Domains
  Source, Detection, Scanner, Label, Link
  visualizar.ginfes.com.br, 0%, virustotal, Browse
  jundiai.ginfes.com.br, 0%, virustotal, Browse

Yara Overview

Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context

IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Screenshots

Startup

System is w7
  iexplore.exe (PID: 3732 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750)
    iexplore.exe (PID: 3796 cmdline: '' SCODEF:3732 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750)
cleanup

Created / dropped Files

C:\Users\SAMTAR~1\AppData\Local\Temp\JavaDeployReg.log
  ASCII text, with CRLF line terminators; Size (bytes): 89
C:\Users\SAMTAR~1\AppData\Local\Temp\~DF3046EC75B42A9CA8.TMP
  data
C:\Users\SAMTAR~1\AppData\Local\Temp\~DF6BBDE BF5.TMP
  FoxPro FPT, blocks size 258, next free block index
C:\Users\SAMTAR~1\AppData\Local\Temp\~DF8C2430A51EBAFA93.TMP
  FoxPro FPT, blocks size 258, next free block index
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Microsoft Cabinet archive data, 6509 bytes, 1 file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4
  data; Size (bytes): 471
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
  data; Size (bytes): 4405
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  data; Size (bytes): 1368
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04
  data; Size (bytes): 868
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
  data; Size (bytes): 452
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico
  PNG image data, 16 x 16, 4-bit colormap, non-interlaced; Size (bytes): 237
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
  data
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1A4F E8-B3E3-CCDA62336E41}.dat
  Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1A4F E8-B3E3-CCDA62336E41}.dat
  Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ E8-B3E3-CCDA62336E41}.dat
  Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver699B.tmp
  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\cab_01[1].gif
  GIF image data, version 89a, 2 x 102; Size (bytes): 873
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\consultarNota[1].htm
  HTML document, ISO-8859 text, with very long lines, with CRLF, LF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\iecompatviewlist[1].xml
  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\rod_01[1].GIF
  GIF image data, version 89a, 2 x 59; Size (bytes): 843
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\suggestions[1].en-US
  data
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\estilo[1].css
  ASCII text, with CRLF line terminators; Size (bytes): 630
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\frameset[1].htm
  HTML document, ASCII text, with CRLF line terminators; Size (bytes): 507
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\image[1].jpg
  JPEG image data, EXIF standard; Size (bytes): 3857
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P3GRP7RI\favicon[1].ico
  PNG image data, 16 x 16, 4-bit colormap, non-interlaced; Size (bytes): 237
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\logo[1].gif
  GIF image data, version 89a, 175 x 100; Size (bytes): 4729
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\pdf[1].jpg
  JPEG image data, JFIF standard 1.01; Size (bytes): 824
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\urlblockindex[1].bin
  data; Size (bytes): 16
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NN4ZQ5Z9XJKXNU205EDP.temp
  data; Size (bytes): 5026
\samr
  Hitachi SH big-endian COFF object, not stripped; Size (bytes): 116

Contacted Domains/Contacted IPs

Contacted Domains

Name, IP, Active, Malicious, Antivirus Detection, Reputation
visualizar.ginfes.com.br, true, 0%, virustotal, Browse
jundiai.ginfes.com.br, true, 0%, virustotal, Browse

Contacted IPs

[Map of contacted IPs. Legend: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs.]

IP, Country, Flag, ASN, ASN Name, Malicious
Brazil, UOLDIVEOSABR
Brazil, UOLDIVEOSABR

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: (HTTP) 53 (DNS)

TCP Packets

Timestamp, Source Port, Dest Port, Source IP, Dest IP

UDP Packets

Timestamp, Source Port, Dest Port, Source IP, Dest IP

DNS Queries

Timestamp, Source IP, Dest IP, Trans ID, OP Code, Name, Type, Class
19:38: CEST, xe85a, Standard query (0), jundiai.ginfes.com.br, A (IP address), IN (0x0001)
19:38: CEST, x88ca, Standard query (0), visualizar.ginfes.com.br, A (IP address), IN (0x0001)
19:38: CEST, x4a08, Standard query (0), visualizar.ginfes.com.br, A (IP address), IN (0x0001)

DNS Answers

Timestamp, Source IP, Dest IP, Trans ID, Replay Code, Name, CName, Address, Type, Class
19:38: CEST, xe85a, No error (0), jundiai.ginfes.com.br, A (IP address), IN (0x0001)
19:38: CEST, x88ca, No error (0), visualizar.ginfes.com.br, A (IP address), IN (0x0001)
19:38: CEST, x4a08, No error (0), visualizar.ginfes.com.br, A (IP address), IN (0x0001)

HTTP Request Dependency Graph

jundiai.ginfes.com.br
visualizar.ginfes.com.br

HTTP Packets

Session ID, Source IP, Source Port, Destination IP, Destination Port, Process
Timestamp, kbytes transferred, Direction, Data

19:38: CEST, 6, OUT
  GET /birt/frameset/?report=nfs_jundiai.rptdesign&cdverificacao= &numnota=59 HTTP/1.1
  Accept: text/html, application/xhtml+xml, */*
  Accept-Language: en-us
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: jundiai.ginfes.com.br
  DNT: 1
  Connection: Keep-Alive

19:38: CEST, 38, IN
  HTTP/ OK
  Server: Apache-Coyote/1.1
  X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
  Set-Cookie: JSESSIONID=A5A2B0E68ADB1B8AFB162BA2414EC98F; Path=/birt/frameset
  Content-Type: text/html;charset=utf-8
  Transfer-Encoding: chunked
  Content-Encoding: gzip
  Vary: Accept-Encoding
  Date: Fri, 11 May :38:31 GMT

Session ID, Source IP, Source Port, Destination IP, Destination Port, Process
Timestamp, kbytes transferred, Direction, Data

19:38: CEST, 94, OUT
  GET /report/consultarnota?report=nfs_jundiai&cdverificacao= &numnota=59&cnpjprestador=null HTTP/1.1
  Accept: text/html, application/xhtml+xml, */*
  Referer: report=nfs_jundiai.rptdesign&cdverificacao= &numnota=59
  Accept-Language: en-us
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: visualizar.ginfes.com.br
  DNT: 1
  Connection: Keep-Alive

19:38: CEST, 98, IN
  HTTP/ OK
  Server: Apache-Coyote/1.1
  X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
  Set-Cookie: JSESSIONID=617CED08707E2EBF7724B1BDAEC38D14; Path=/report
  Content-Type: text/html;charset=iso
  Transfer-Encoding: chunked
  Content-Encoding: gzip
  Vary: Accept-Encoding
  Date: Fri, 11 May :38:34 GMT

24 Timestamp kbytes transferred Direction Data 19:38: CEST 113 OUT GET /report/imagens/logo.gif HTTP/1.1 Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5 Referer: report=nfs_jundiai&cdverificacao= &num Nota=59&cnpjPrestador=null Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: visualizar.ginfes.com.br DNT: 1 Connection: Keep-Alive Cookie: JSESSIONID=617CED08707E2EBF7724B1BDAEC38D14 19:38: CEST 117 IN HTTP/ OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1 Accept-Ranges: bytes ETag: W/" " Last-Modified: Thu, 18 Jan :26:40 GMT Content-Type: image/gif Transfer-Encoding: chunked Content-Encoding: gzip Vary: Accept-Encoding Date: Fri, 11 May :38:34 GMT Data Raw: 61 0d 0a 1f 8b d 0a d 0a ed d3 fb 3f d3 8f 02 c7 f1 cf 67 1b e6 7e ab 6d 66 d d d c b7 98 5b d1 46 6c cb f ee d e d7 2e be 28 5a d 76 ce f9 2f ce 0f e7 f9 c3 eb 0f 78 3f 1e 6f 6b 9b c7 bc 6b 01 3f c7 c6 2c 0a 1e a7 b a1 d0 ec 7a 13 d4 c6 fb fd 87 0f 87 c2 8b e d dd b 93 cd ae c d 0f 84 5a 7b f5 f6 f5 c3 ac dc b1 ee ad 7c f1 9a ac bd af 6a 48 aa b8 0d 71 f2 9f f7 b e c1 3f 7f fe 54 f2 8e f9 b2 ba 0a fc df ff fd 0f d3 f9 6f fe fb e e d 8f c1 3a d6 e3 24 b9 7d b fa 92 be ad 1c a b1 cf 18 f5 ec a7 d9 9a e7 b8 f e3 ad b 55 0f 9b c6 f2 e7 05 9a 06 4d 31 e2 63 a5 e6 a0 5a b8 84 8a ed f b8 9e 25 a2 d0 b5 a9 72 bc 62 f7 8d c8 df f d 39 2e 8d 3e ef 07 1b 05 4e d5 c4 c ac a0 17 f0 13 b d5 2e e ea 87 9c 6e ad 39 d de 3c 9c eb 23 2a 83 c f 09 d fc b7 10 9f da 6b 3b b6 77 a7 a9 fb 00 e9 3d fa c1 23 af 59 8d cb 2f a0 16 a9 d8 79 a2 ea db 01 d2 a6 9b 9f 23 eb b4 5a a e 1f e b1 bb a0 07 f6 4e 31 de 21 2c 7d c7 5b 54 4c de 2c cd 73 a4 9d 1c a7 6e ec fc 39 a2 e6 a4 a8 18 3c e0 5d e7 bf f0 e bc 54 e cb 4f ac 21 c3 cb 01 eb a f8 1b 6f 3e 4e bc e7 26 ba d0 3a 7e ad 2b 25 2e ef a c a fd 2e 61 dd 5c e3 cd 79 0d 0a d 0a 5c 48 f1 79 3f a 71 a4 22 8c 5e 1c 3f 55 d9 ca 8a c e5 2b 85 b7 e4 6d 5e e c0 1b 6f e8 af c3 81 
b7 49 bb 5e 9e da d2 54 8e d7 d5 d8 7b da ff 02 dc d7 4e cc 9f e7 1b 8d c 9c 54 d4 79 ea 6b d e5 b0 1f dc d eb 36 7b 59 3a ce 99 ed f2 cf 73 d0 5a a2 a b5 e f e1 75 8a 9c 4a e6 e5 90 d1 fd e6 10 fc fc ba 9d 7c b2 3f e c 52 c f6 1a 00 dc a ef b c 29 e5 a2 e7 cb e3 4b 9e 82 9c a4 05 9e a f c2 e3 6a d a 2f 24 d0 ae b b e b 4b a0 c9 6a 55 e dc 09 e2 79 8b e1 c e d6 49 4f 50 3d a1 cb af cc 2c ba 3c af 9d 2f d6 ee f6 b0 6e 51 5e bb cf 79 3e a4 f9 c f4 55 4b cd f9 8f ed d 5a 4f be 5b c a0 2b 86 1e 9d 7a d8 06 b3 0c 3b 98 bb de cf 39 c8 d9 8c 0c d6 e6 09 cd f4 3f 87 1d f5 60 b2 9a 1a 5e ec f4 da 93 9f 4a 96 5a a0 a2 49 d5 a1 62 8c a3 49 d5 80 d2 c3 e1 9a 81 2f 58 9d 86 de e a5 5c 84 c6 2a d3 74 0a de d8 3f f af c6 eb 8c 3e df b8 df be f ae 6d 9d f9 bb 26 0a 78 7e b3 e7 19 e1 5d ef de f4 7b 8d f4 f5 e b e7 90 a5 e4 eb 1b cd b6 fb 4c 0e 3d fd d4 3c 5c 1c c da ec ad be bc 3a c9 fc de bf 7 1 e0 b1 e3 1e c f8 99 f4 6e c1 fe 53 7d ce f7 83 ce 37 ab d7 54 cd a2 3a 7c df ed 1c 5d 3a 67 bd bc 7e f3 be 57 fb d f0 b0 9e 0d 0a d 0a 0f d 86 e a1 2b 77 2a 32 a2 9a 67 ca 90 8c b f 2c ad c7 93 f ee 8c f9 1b dd b7 2b 65 ea bc 4d 66 d7 d5 dc ed be d1 f2 e9 6d 68 bf b0 f2 5c fb 53 ed fd ab f6 ef a3 Data Ascii: a200?g~mf7h%[shfl$s_3y5w%!.(z%iv/x?oksfk?`f,8bza.s`'`w;y&f)z{5 5bjHqss2?To.@g@D@-:$}T3A$ 3P+UM1cZ%rbs9.>N29)'.6^n9S<#*4xUk;w=#Y/y#F"Zxi2sXN1!,}[TL,s!&n9<]iRT'OtR!T'o>N&:~+%.wT(7*yb.a\y200\Hy? 
Ezq"^?UYt"r+m^$RoI^wWT{N',Tyk)F-X6{Y:sZHRuJ2 Y@s?8LR07IE )Kw/jb)S/$'avv+KjUyHR"nT@IOP=,</nQ^Yy>H9U Kp@3vMZO[@)tL+z;9U?`^beJZCICIbI/X9c^\*t?H>T3m&x~xx]PD{#$DtL=irCR<\!SU:%(qYnS}7T: ]:g~w=2001f+w*2gqe, Y5q'+eMfmh\ST Session ID Source IP Source Port Destination IP Destination Port Process Timestamp kbytes transferred Direction Data 19:38: CEST 113 OUT GET /report/imagens/pdf.jpg HTTP/1.1 Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5 Referer: report=nfs_jundiai&cdverificacao= &num Nota=59&cnpjPrestador=null Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: visualizar.ginfes.com.br DNT: 1 Connection: Keep-Alive Cookie: JSESSIONID=617CED08707E2EBF7724B1BDAEC38D14 Copyright Joe Security LLC 2018 Page 24 of 30

Timestamp kbytes transferred Direction Data

19:38: CEST 122 IN
HTTP/ OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Accept-Ranges: bytes
ETag: W/" "
Last-Modified: Thu, 18 Jan :26:40 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 11 May :38:34 GMT

Session ID Source IP Source Port Destination IP Destination Port Process

Timestamp kbytes transferred Direction Data

19:38: CEST 114 OUT
GET /report/css/estilo.css HTTP/1.1
Accept: text/css, */*
Referer: report=nfs_jundiai&cdverificacao= &num Nota=59&cnpjPrestador=null
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: visualizar.ginfes.com.br
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=617CED08707E2EBF7724B1BDAEC38D14

19:38: CEST 123 IN
HTTP/ OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Accept-Ranges: bytes
ETag: W/" "
Last-Modified: Thu, 18 Jan :26:40 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 11 May :38:35 GMT


More information

ID: Cookbook: browseurl.jbs Time: 03:15:55 Date: 26/01/2019 Version: Tiger's Eye

ID: Cookbook: browseurl.jbs Time: 03:15:55 Date: 26/01/2019 Version: Tiger's Eye ID: 106158 Cookbook: browseurl.jbs Time: 03:15:55 Date: 26/01/2019 Version: 25.0.0 Tiger's Eye Table of Contents Table of Contents Analysis Report http://viads.blogsyte.com/target/ Overview General Information

More information

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

More information

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0. ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

More information

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version: ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version: ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version: ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version: ID: 54693 Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: numbering.xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:39 Date: 27/04/2018 Version:

ID: Sample Name: numbering.xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:39 Date: 27/04/2018 Version: ID: 92 Sample Name: numbering.xml Cookbook: defaultandroidfilecookbook.jbs Time: 0:1:9 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 22:37:32 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 22:37:32 Date: 10/04/2018 Version: ID: 54066 Cookbook: browseurl.jbs Time: 22:37:32 Date: 10/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date: ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

More information

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: [Content_Types].xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:19 Date: 27/04/2018 Version: 22.0.

ID: Sample Name: [Content_Types].xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:19 Date: 27/04/2018 Version: 22.0. ID: 92 Sample Name: [Content_Types].xml Cookbook: defaultandroidfilecookbook.jbs Time: 0:1:19 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information