ID: Cookbook: browseurl.jbs Time: 13:58:58 Date: 09/05/2018 Version:


ID: 58705 Cookbook: browseurl.jbs Time: 13:58:58 Date: 09/05/2018 Version: 22.0.0

Table of Contents

Analysis Report
Overview
General Information
Detection
Confidence
Classification
Analysis Advice
Signature Overview
Networking:
System Summary:
Hooking and other Techniques for Hiding and Protection:
Behavior Graph
Simulations
Behavior and APIs
Antivirus Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
Yara Overview
Initial Sample
PCAP (Network Traffic)
Dropped Files
Memory Dumps
Unpacked PEs
Joe Sandbox View / Context
IPs
Domains
ASN
Dropped Files
Screenshots
Startup
Created / dropped Files
Contacted Domains/Contacted IPs
Contacted Domains
Contacted IPs
Static File Info
No static file info
Network Behavior
Network Port Distribution
TCP Packets
UDP Packets
ICMP Packets
DNS Queries
DNS Answers
HTTPS Packets
Code Manipulations
Statistics
Behavior
System Behavior
Analysis iexplore.exe PID: 3376 Parent PID: 548
General
File Activities
Registry Activities
Analysis iexplore.exe PID: 3432 Parent PID: 3376
General
File Activities
Registry Activities
Analysis ssvagent.exe PID: 3500 Parent PID: 3432
General
Registry Activities
Disassembly
Code Analysis

Copyright Joe Security LLC 2018 Page 2 of 42

Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 58705
Start time: 13:58:58
Joe Sandbox Product: CloudBasic
Start date: 09.05.2018
Overall analysis duration: 0h 4m 59s
Hypervisor based Inspection enabled:
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://dralifaour.com/3948478587557755757/updatefixed/monpa52z6q50jiyioz2wk4vk.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=thomas.uk.greipel@daimler.com&.rand=13inboxlight.aspx?n=1774256418&fid=4#n=1252899642&fid=1&fav=1
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.win@5/38@2/1
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  Adjust boot time
  Correcting counters for adjusted boot time
  Browsing link: https://dralifaour.com/3948478587557755757/updatefixed/monpa52z6q50jiyioz2wk4vk.php?rand=13inboxlightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13inboxlight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=thomas.UK.Greipel@daimler.com&.rand=13inboxlight.aspx?n=1774256418&fid=4#n=1252899642&fid=1&fav=1
  Real link is: https://dralifaour.com/3948478587557755757/updatefixed/monpa52z6q50jiyioz2wk4vk.php?rand=13inboxlightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13inboxlight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=thomas.uk.greipel@daimler.com&.rand=13InboxLight.aspx?n=1774256418&fid=4#n=1252899642&fid=1&fav=1

Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe
  Execution Graph export aborted for target iexplore.exe, PID 3432 because there are no executed function
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtEnumerateKey calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Detection
Strategy: Threshold; Score: 1; Range: 0-100; Reporting: Report FP / FN

Confidence
Strategy: Threshold; Score: 3; Range: 0-5; Further Analysis Required?: true

Classification

[Classification chart. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Analysis Advice
  Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
  Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview
Categories: Networking; System Summary; Hooking and other Techniques for Hiding and Protection

Networking:
  Social media urls found in memory data
  Downloads files
  Found strings which match to known social media urls
  Performs DNS lookups
  Urls found in memory or binary data
  Uses HTTPS

System Summary:
  Searches the installation path of Mozilla Firefox
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Reads ini files
  Reads software policies
  Spawns processes
  Uses an in-process (OLE) Automation server
  Found graphical window changes (likely an installer)
  Uses new MSVCR Dlls

Hooking and other Techniques for Hiding and Protection:
  Disables application error messsages (SetErrorMode)

Behavior Graph
ID: 58705
URL: https://dralifaour.com/3948478587557755757/updatefixed/mo...
Startdate: 09/05/2018
Architecture: WINDOWS
Score: 1
[Behavior graph. Processes: iexplore.exe started iexplore.exe, which started ssvagent.exe. Network node: dralifaour.com, 148.163.100.186, ports 443, 49164, 49165, IOFLOOD-InputOutputFloodLLCUS, United States.]

Simulations

Behavior and APIs
Time      Type             Description
13:59:46  API Interceptor  1963x Sleep call for process: iexplore.exe modified
13:59:47  API Interceptor  1x Sleep call for process: ssvagent.exe modified

Antivirus Detection

Initial Sample
  https://dralifaour.com/3948478587557755757/updatefixed/monpa52z6q50jiyioz2wk4vk.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=thomas.UK.Greipel@daimler.com&.rand=13InboxLight.aspx?n=1774256418&fid=4#n=1252899642&fid=1&fav=1
  Detection: 0%; Scanner: virustotal
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains
  dralifaour.com
  Detection: 0%; Scanner: virustotal

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Startup
System is w7
  iexplore.exe (PID: 3376 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750)
    iexplore.exe (PID: 3432 cmdline: '' SCODEF:3376 CREDAT:275457 /prefetch:2 CA1F703CD665867E8132D2946FB55750)
      ssvagent.exe (PID: 3500 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A0264879FD1E655B75B63B9083B7)
cleanup

Created / dropped Files


C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\CC5X6POG.txt Size (bytes): 199 ASCII text Entropy (8bit): 4.912775091771854 75E7DB961D33401D31F698F8D7ACD7A0 175E26729649E84677DBA6377A6D8535E95CAA8C 24D8E95493D0B87CCC17A42C4A9E66F2701786B4AE81CC8A0B2BCBF2284982BE A1A324996FF0A32AFBE572975442C4483D9C7BDAD95ABD43E4C3E6DCADDF07C3FA1D8C447A2B3C5C6BBFC9F0 56CB13A6D9275D96204A3B018AE2D6D31D33C199 C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\OX2K064K.txt Size (bytes): 282 ASCII text Entropy (8bit): 4.8454067362617055 334345959673ABB1279A3696D4F1ABBD E57D7CBAFC4B0818D41B083D305BAE9534D8B26D CE54C81E985472BF16C477E0E6196DF3D5A57237652B239B846E639081E5271E E6B2CEE336E171660AD0A084AFFF6DDA2576D2573EF01D3321C77A7A4C969511D5F8A53336A7684339300652E9F 57F7031BE2EDE26212C9C3E9C7BF1EBABEC4A Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation dralifaour.com 148.163.100.186 true 0%, virustotal, Browse unknown Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Copyright Joe Security LLC 2018 Page 18 of 42

IP Country Flag ASN ASN Name Malicious
148.163.100.186 United States 53755 IOFLOOD- InputOutputFloodLLCUS

Static File Info
No static file info

Network Behavior

Network Port Distribution
Total Packets: 145
443 (HTTPS)
53 (DNS)

TCP Packets

UDP Packets

ICMP Packets
Timestamp IP Dest IP Checksum Code Type
May 9, 2018 14:00:22.954125881 192.168.2.2 8.8.8.8 d010 (Port unreachable) Destination Unreachable
May 9, 2018 14:00:23.927253962 192.168.2.2 8.8.8.8 d010 (Port unreachable) Destination Unreachable
May 9, 2018 14:00:25.916224957 192.168.2.2 8.8.8.8 d010 (Port unreachable) Destination Unreachable

DNS Queries
Timestamp IP Dest IP Trans ID OP Code Name Type Class
May 9, 2018 13:59:38.850800991 192.168.2.2 8.8.8.8 0x13e2 Standard query (0) dralifaour.com A (IP address) IN (0x0001)
May 9, 2018 13:59:55.934757948 192.168.2.2 8.8.8.8 0xa1db Standard query (0) dralifaour.com A (IP address) IN (0x0001)

DNS Answers
Timestamp IP Dest IP Trans ID Reply Code Name CName Address Type Class
May 9, 2018 13:59:38.985375881 8.8.8.8 192.168.2.2 0x13e2 No error (0) dralifaour.com 148.163.100.186 A (IP address) IN (0x0001)
May 9, 2018 13:59:56.027040005 8.8.8.8 192.168.2.2 0xa1db No error (0) dralifaour.com 148.163.100.186 A (IP address) IN (0x0001)

HTTPS Packets
Timestamp: May 9, 2018 13:59:39.541770935
Port: 443
Dest Port: 49164
IP: 148.163.100.186
Dest IP: 192.168.2.2
Subject: CN=dralifaour.com
Issuer: CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US
Before: Sun Apr 08 02:00:00 2018
After: Sun Jul 08 01:59:59 2018
Raw:
  Version: V3
  Subject: CN=dralifaour.com
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Sun Apr 08 02:00:00 2018, To: Sun Jul 08 01:59:59 2018]
  Issuer: CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US
  SerialNumber: [ 591793ac 531d0c31 1848e1fe 08e5ff4b]
  Certificate Extensions: 10
  [1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality= Extension unknown: DER encoded OCTET string
  [2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality= AuthorityInfoAccess [
    [accessmethod: caissuers accesslocation: URIName: http://crt.comodoca.com/cpanelinccertificationauthority.crt,
     accessmethod: ocsp accesslocation: URIName: http://ocsp.comodoca.com]]
  [3]: ObjectId: 2.5.29.35 Criticality= AuthorityKeyIdentifier [KeyIdentifier [7E 03 5A 65 41 6B A7 7E 0A E1 B8 9D 08 EA 1D 8E 1D 6A C7 65]]
  [4]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints: [CA: PathLen: undefined]
  [5]: ObjectId: 2.5.29.31 Criticality= CRLDistributionPoints [[DistributionPoint: [URIName: http://crl.comodoca.com/cpanelinccertificationauthority.crl]]]
  [6]: ObjectId: 2.5.29.32 Criticality= CertificatePolicies [
    [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.52] [PolicyQualifierInfo: [qualifierid: 1.3.6.1.5.5.7.2.1 qualifier: https://secure.comodo.com/CPS]]]
    [CertificatePolicyId: [2.23.140.1.2.1] []]]
  [7]: ObjectId: 2.5.29.37 Criticality= ExtendedKeyUsages [serverauth clientauth]
  [8]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [DigitalSignature Key_Encipherment]
  [9]: ObjectId: 2.5.29.17 Criticality= SubjectAlternativeName [
    DNSName: dralifaour.com
    DNSName: autodiscover.dralifaour.com
    DNSName: cpanel.dralifaour.com
    DNSName: mail.dralifaour.com
    DNSName: webdisk.dralifaour.com
    DNSName: webmail.dralifaour.com]
  [10]: ObjectId: 2.5.29.14 Criticality= SubjectKeyIdentifier [KeyIdentifier [90 F0 2D E0 28 82 0A 76 BB 47 E4 AC 63 F3 52 E7 B9 4B 7E F5]]
  Algorithm: [SHA256withRSA]