ID: Cookbook: browseurl.jbs Time: 17:13:23 Date: 27/08/2018 Version:

ID: 74314 Cookbook: browseurl.jbs Time: 17:13:23 Date: 27/08/2018 Version: 23.0.0

Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
  Signature Overview
    AV Detection
    Networking
    System Summary
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshots
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted URLs
    Contacted IPs
      Public
  Static File Info
    No static file info
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis iexplore.exe PID: 2160 Parent PID: 548
      General
      File Activities
      Registry Activities
    Analysis iexplore.exe PID: 908 Parent PID: 2160
      General
      File Activities
      Registry Activities
  Disassembly

Copyright Joe Security LLC 2018 Page 2 of 35

Analysis Report

Overview

General Information
Joe Sandbox Version: 23.0.0
Analysis ID: 74314
Start date: 27.08.2018
Start time: 17:13:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 13s
Hypervisor based Inspection enabled:
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: http://win-system-currupt1338.club/error-6555/
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.win@3/31@2/1
Cookbook Comments:
  Adjust boot time
  Correcting counters for adjusted boot time
  Browsing link: http://win-systemcurrupt1338.club/error-6555/ie/#
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
  HTTP Packets have been reduced
  TCP Packets have been reduced to 100
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection
Strategy: Threshold
Score: 56
Range: 0-100
Reporting: Report FP / FN

Confidence
Strategy: Threshold
Score: 5
Range: 0-5
Further Analysis Required?:

Classification
[Classification radar chart: axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; rings clean / suspicious / malicious]

Analysis Advice
Sample HTTP requests are all non-existing; likely the sample is no longer working.
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; likely more UI automation may extend behavior.

Signature Overview

AV Detection:
  Antivirus detection for URL or domain
  Antivirus detection for dropped file

Networking:
  Downloads files
  Downloads files from webservers via HTTP
  Found strings which match to known social media urls
  Performs DNS lookups
  Tries to download non-existing http data (HTTP/1.1 404 Not Found)
  Urls found in memory or binary data

System Summary:
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Reads ini files
  Spawns processes
  Found graphical window changes (likely an installer)
  Uses new MSVCR Dlls

Behavior Graph
[Behavior graph figure. ID: 74314; URL: http://win-system-currupt1338.club/error-6555/; Startdate: 27/08/2018; Architecture: WINDOWS; Score: 56. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious. Nodes: iexplore.exe (7 created registry values, 39 created files) started iexplore.exe (1 created registry value, 30 created files); the child contacted win-system-currupt1338.club (104.18.44.249, ports 49169, 49170, 49171; CLOUDFLARENET-CloudFlareIncUS; United States) and ie9comview.vo.msecnd.net, and dropped C:\Users\user\AppData\Local\...\ie[1].htm (HTML) and C:\Users\user\AppData\...\error-6555[1].htm (HTML). Signatures shown: Antivirus detection for URL or domain; Antivirus detection for dropped file.]

Simulations

Behavior and APIs
No simulations

Antivirus Detection

Initial Sample
Source | Detection | Scanner | Label
http://win-system-currupt1338.club/error-6555/ | 6% | virustotal |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\ie[1].htm | 100% | Avira | HTML/Infected.WebPage.Gen2
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\error-6555[1].htm | 100% | Avira | HTML/Infected.WebPage.Gen2

Unpacked PE Files
No Antivirus matches

Domains
Source | Detection | Scanner | Label
win-system-currupt1338.club | 0% | virustotal |

URLs
Source | Detection | Scanner | Label
http://win-system-currupt1338.club/error-6555/chrome-assests/microsoft.png | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/login.php | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/4microsoft | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/retreaver.js | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/a.htm | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/alert.css | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/chrome-assests/retreaver.js | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/chrome-assests/iframe.js | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/chrome-assests/bootstrap.css | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/chrome-assests/translator.css | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/microsoft.png | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/chrome-assests/style.css | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/chrome-assests/jquery-1.js | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/k | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/ | 100% | Avira URL Cloud | malware
http://getbootstrap.com) | 0% | Avira URL Cloud | safe
http://win-system-currupt1338.club/error-6555/root | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/iframe.js | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ | 6% | virustotal |
http://win-system-currupt1338.club/error-6555/ | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/fonts/glyphicons-halflings-regulard41d-.eot | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/translator.css | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/chrome-assests/alert.css | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/root | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/bootstrap.css | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/jquery-1.js | 100% | Avira URL Cloud | malware
http://win-system-currupt1338.club/error-6555/ie/style.css | 100% | Avira URL Cloud | malware

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context

IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Screenshots

Startup
System is w7
iexplore.exe (PID: 2160 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750)
  iexplore.exe (PID: 908 cmdline: '' SCODEF:2160 CREDAT:275457 /prefetch:2 CA1F703CD665867E8132D2946FB55750)
cleanup

Created / dropped Files

Path | File type | Size (bytes) | Entropy (8bit)
C:\Users\SAMTAR~1\AppData\Local\Temp\Cab8755.tmp | Microsoft Cabinet archive data, 54153 bytes, 1 file | 54153 | 7.995723640493843
C:\Users\SAMTAR~1\AppData\Local\Temp\Tar876A.tmp | data | 130662 | 6.414775585091018
C:\Users\SAMTAR~1\AppData\Local\Temp\~DF01550BB6E5CF239E.TMP | FoxPro FPT, blocks size 258, next free block index 16711424 | 43959 | 0.9902721570073869
C:\Users\SAMTAR~1\AppData\Local\Temp\~DF545DDF88508E7995.TMP | FoxPro FPT, blocks size 258, next free block index 16711424 | 25441 | 0.2867467436113276
C:\Users\SAMTAR~1\AppData\Local\Temp\~DF7D9E20762B594F36.TMP | FoxPro FPT, blocks size 258, next free block index 16711424 | 13077 | 0.5089672461865263
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 54153 bytes, 1 file | 162459 | 7.995723640493843
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | 984 | 3.160521847702634
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | PNG image data, 16 x 16, 4-bit colormap, non-interlaced | 237 | 6.1480026084285395
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BCF36701-AA0B-11E8-B3E3-CCDA62336E41}.dat | Microsoft Word Document | 33368 | 1.8612652185353866
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BCF36703-AA0B-11E8-B3E3-CCDA62336E41}.dat | Microsoft Word Document | 31690 | 1.8575836693764765
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C74D8DC0-AA0B-11E8-B3E3-CCDA62336E41}.dat | Microsoft Word Document | 16984 | 1.5663297258820204
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\alert[1].css | HTML document, ASCII text, with very long lines | 2981 | 3.8907710539351283
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\retreaver[1].js | exported SGML document, ASCII text, with very long lines | 16164 | 5.3311469636229205
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\style[1].css | ASCII text, with very long lines | 23238 | 5.146150665944391
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\translator[1].css | ASCII text, with very long lines | 20763 | 5.429937452461239
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\urlblockindex[2].bin | data | 16 | 1.6216407621868583
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\alert[1].css | ASCII text, with very long lines, with CRLF line terminators | 3038 | 3.936405364495146
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\bootstrap[1].css | ASCII text, with very long lines, with CRLF line terminators | 121303 | 5.100131512690436
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\error-6555[1].htm | HTML document, ASCII text, with very long lines, with CRLF line terminators | 29867 | 5.854631307026889
  Antivirus: Avira, Detection: 100%
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\ie[1].htm | HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, LF line terminators | 125952 | 6.079220880570345
  Antivirus: Avira, Detection: 100%
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\jquery-1[1].js | ASCII text, with very long lines, with CRLF line terminators | 95933 | 5.394479394490614
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\retreaver[1].js | exported SGML document, ASCII text, with very long lines, with CRLF line terminators | 16165 | 5.331771280934354
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\style[1].css | ASCII text, with very long lines, with CRLF line terminators | 23232 | 5.151826072222536
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\translator[1].css | ASCII text, with very long lines, with CRLF line terminators | 21080 | 5.460872072332312
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P3GRP7RI\iframe[1].js | ASCII text, with very long lines, with CRLF line terminators | 721 | 5.201824572511175
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P3GRP7RI\microsoft[1].png | PNG image data, 216 x 46, 8-bit colormap, non-interlaced | 977 | 7.641937113592165
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\bootstrap[1].css | ASCII text, with very long lines | 121291 | 5.099349213117607
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\favicon[2].ico | PNG image data, 16 x 16, 4-bit colormap, non-interlaced | 237 | 6.1480026084285395
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\jquery-1[1].js | ASCII text, with very long lines | 95930 | 5.394134988044021
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\js[2].js | ASCII text, with very long lines | 71445 | 5.456823132325725
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RRZJM8MI.txt | ASCII text | 128 | 4.632180814296803

Contacted Domains/Contacted IPs

Contacted Domains
Name | IP | Active | Antivirus Detection | Reputation
win-system-currupt1338.club | 104.18.44.249 | true | 0%, virustotal | unknown

Contacted URLs (Process: unknown)
http://win-system-currupt1338.club/error-6555/chrome-assests/microsoft.png
http://win-system-currupt1338.club/error-6555/ie/login.php
http://win-system-currupt1338.club/error-6555/ie/4microsoft
http://win-system-currupt1338.club/error-6555/ie/retreaver.js
http://win-system-currupt1338.club/error-6555/ie/a.htm
http://win-system-currupt1338.club/error-6555/ie/alert.css
http://win-system-currupt1338.club/error-6555/chrome-assests/retreaver.js
http://win-system-currupt1338.club/error-6555/chrome-assests/iframe.js
https://creativecommons.org/licenses/by/3.0/.
http://win-system-currupt1338.club/error-6555/chrome-assests/bootstrap.css
http://win-system-currupt1338.club/error-6555/chrome-assests/translator.css
http://win-system-currupt1338.club/error-6555/ie/microsoft.png
http://win-system-currupt1338.club/error-6555/chrome-assests/style.css
http://win-system-currupt1338.club/error-6555/chrome-assests/jquery-1.js
http://win-system-currupt1338.club/error-6555/k
http://win-system-currupt1338.club/error-6555/ie/
http://getbootstrap.com)
https://github.com/krux/postscribe/blob/master/license.
https://github.com/twbs/bootstrap/blob/master/license)
http://win-system-currupt1338.club/error-6555/root
http://win-system-currupt1338.club/error-6555/ie/iframe.js
http://win-system-currupt1338.club/error-6555/
http://win-system-currupt1338.club/error-6555/fonts/glyphicons-halflings-regulard41d-.eot
http://win-system-currupt1338.club/error-6555/ie/translator.css
http://win-system-currupt1338.club/error-6555/chrome-assests/alert.css
http://win-system-currupt1338.club/error-6555/ie/root
http://win-system-currupt1338.club/error-6555/ie/bootstrap.css
http://win-system-currupt1338.club/error-6555/ie/jquery-1.js
http://win-system-currupt1338.club/error-6555/ie/style.css

Contacted IPs

Public
IP | Country | ASN | ASN Name
104.18.44.249 | United States | 13335 | CLOUDFLARENET-CloudFlareIncUS

Static File Info
No static file info

Network Behavior

Network Port Distribution: Total Packets: 58; 80 (HTTP); 53 (DNS)

TCP Packets
Timestamp  Source Port  Dest Port  Source IP  Dest IP

UDP Packets
Timestamp  Source Port  Dest Port  Source IP  Dest IP

DNS Queries
Timestamp                Source IP    Dest IP  Trans ID  OP Code             Name                         Type            Class
17:14:01.716365099 CEST  192.168.2.3  8.8.8.8  0xd204    Standard query (0)  win-system-currupt1338.club  A (IP address)  IN (0x0001)
17:15:10.109258890 CEST  192.168.2.3  8.8.8.8  0xf551    Standard query (0)  win-system-currupt1338.club  A (IP address)  IN (0x0001)

DNS Answers
Timestamp                Source IP  Dest IP      Trans ID  Reply Code    Name                         CName              Address        Type                    Class
17:14:01.755279064 CEST  8.8.8.8    192.168.2.3  0xd204    No error (0)  win-system-currupt1338.club                     104.18.44.249  A (IP address)          IN (0x0001)
17:14:01.755279064 CEST  8.8.8.8    192.168.2.3  0xd204    No error (0)  win-system-currupt1338.club                     104.18.45.249  A (IP address)          IN (0x0001)
17:14:29.953108072 CEST  8.8.8.8    192.168.2.3  0x1096    No error (0)  ie9comview.vo.msecnd.net     cs9.wpc.v0cdn.net                 CNAME (Canonical name)  IN (0x0001)
17:15:10.147506952 CEST  8.8.8.8    192.168.2.3  0xf551    No error (0)  win-system-currupt1338.club                     104.18.45.249  A (IP address)          IN (0x0001)
17:15:10.147506952 CEST  8.8.8.8    192.168.2.3  0xf551    No error (0)  win-system-currupt1338.club                     104.18.44.249  A (IP address)          IN (0x0001)

HTTP Request Dependency Graph: win-system-currupt1338.club

HTTP Packets

Session ID: 0  Source IP: 192.168.2.3  Source Port: 49169  Destination IP: 104.18.44.249  Destination Port: 80

17:14:01.778708935 CEST  0  OUT  GET /error-6555/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*

17:14:02.108468056 CEST  2  IN  HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:14:02 GMT
Content-Type: text/html; charset=utf-8
Set-; expires=tue, 27-Aug-19 15:14:01 GMT; path=/; domain=.win-system-currupt1338.club; HttpOnly
CF-RAY: 450f7c49278b3e50-ZRH
Content-Encoding: gzip

17:14:02.215428114 CEST  13  OUT  GET /error-6555/chrome-assests/bootstrap.css HTTP/1.1
Accept: text/css, */*
Referer: http://win-system-currupt1338.club/error-6555/

17:14:02.698791027 CEST  57  IN  HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:14:02 GMT
Content-Type: text/css
Last-Modified: Thu, 23 Aug 2018 20:05:15 GMT
ETag: W/"1d9cb-5741fc707189b"
Content-Encoding: gzip
CF-Cache-Status: MISS
Expires: Mon, 27 Aug 2018 19:14:02 GMT
Cache-Control: public, max-age=14400
CF-RAY: 450f7c4c100e3e50-ZRH

17:14:03.279685974 CEST  103  OUT  GET /error-6555/ie/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://win-system-currupt1338.club/error-6555/

17:14:03.444145918 CEST  104  IN  HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:14:03 GMT
Content-Type: text/html
Last-Modified: Thu, 23 Aug 2018 20:05:24 GMT
CF-RAY: 450f7c5281343e50-ZRH
Content-Encoding: gzip

17:14:03.734330893 CEST  182  OUT  GET /error-6555/ie/bootstrap.css HTTP/1.1
Accept: text/css, */*
Referer: http://win-system-currupt1338.club/error-6555/ie/

17:14:04.181804895 CEST  320  IN  HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:14:04 GMT
Content-Type: text/css
Last-Modified: Thu, 23 Aug 2018 20:05:23 GMT
ETag: W/"1d9d7-5741fc77ded9a"
Content-Encoding: gzip
CF-Cache-Status: MISS
Expires: Mon, 27 Aug 2018 19:14:04 GMT
Cache-Control: public, max-age=14400
CF-RAY: 450f7c5551cb3e50-ZRH

Session ID: 1  Source IP: 192.168.2.3  Source Port: 49170  Destination IP: 104.18.44.249  Destination Port: 80

17:14:02.217072010 CEST  14  OUT  GET /error-6555/chrome-assests/style.css HTTP/1.1
Accept: text/css, */*
Referer: http://win-system-currupt1338.club/error-6555/

17:14:02.518704891 CEST  26  IN  HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:14:02 GMT
Content-Type: text/css
Last-Modified: Thu, 23 Aug 2018 20:05:17 GMT
ETag: W/"5ac6-5741fc71e598f"
Content-Encoding: gzip
CF-Cache-Status: MISS
Expires: Mon, 27 Aug 2018 19:14:02 GMT
Cache-Control: public, max-age=14400
CF-RAY: 450f7c4bd2a63e74-ZRH

17:14:02.778825045 CEST  102  OUT  GET /error-6555/chrome-assests/iframe.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://win-system-currupt1338.club/error-6555/

Session ID: 2  Source IP: 192.168.2.3  Source Port: 49171  Destination IP: 104.18.44.249  Destination Port: 80

17:14:02.234258890 CEST  15  OUT  GET /error-6555/chrome-assests/translator.css HTTP/1.1
Accept: text/css, */*
Referer: http://win-system-currupt1338.club/error-6555/