Analysis - Joe Sandbox

ID: 190651 Cookbook: browseurl.jbs Time: 11:48:30 Date: 19/11/2019 Version: 28.0.0 Lapis Lazuli


Table of Contents

Analysis Report http://www.joinfproxy.com

Overview: General Information, Detection, Confidence, Classification, Analysis Advice, Mitre Att&ck Matrix, Signature Overview

Signature Overview: AV Detection, Phishing, Networking, System Summary, Malware Analysis System Evasion, HIPS / PFW / Operating System Protection Evasion

Behavior Graph

Simulations: Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample, Dropped Files, Unpacked PE Files, Domains, URLs

Yara Overview: Initial Sample, PCAP (Network Traffic), Dropped Files, Memory Dumps, Unpacked PEs

Sigma Overview

Joe Sandbox View / Context: IPs, Domains, ASN, JA3 Fingerprints, Dropped Files

Screenshots: Thumbnails

Startup

Created / dropped Files

Domains and IPs: Contacted Domains, Contacted URLs, URLs from Memory and Binaries, Contacted IPs (Public)

Static File Info: No static file info

Network Behavior: Network Port Distribution, TCP Packets, UDP Packets, DNS Queries, DNS Answers, HTTP Request Dependency Graph, HTTP Packets, HTTPS Packets

Code Manipulations

Statistics: Behavior

System Behavior: Analysis Process: iexplore.exe PID: 1132 Parent PID: 700 (General, File Activities, Registry Activities); Analysis Process: iexplore.exe PID: 2672 Parent PID: 1132 (General, File Activities, Registry Activities)

Disassembly

Analysis Report http://www.joinfproxy.com

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli

Analysis ID: 190651

Start date: 19.11.2019

Start time: 11:48:30

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 8m 25s

Hypervisor based Inspection enabled: false

Report type: light

Cookbook file name: browseurl.jbs

Sample URL: www.joinfproxy.com

Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113

Number of analysed new started processes analysed: 7

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: EGA enabled, AMSI enabled

Analysis stop reason: Timeout

Detection: MAL

Classification: mal60.phis.win@3/157@16/7

Cookbook Comments:

• Adjust boot time

• Enable AMSI

• Browsing link: http://www.joinfproxy.com/#

• Browsing link: http://agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29tLw==

• Browsing link: http://agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29tL3JlY292ZXIvaW5pdGlhdGU/bHd2PTExMCZhcnM9cm95YWxfYmx1ZV9iYXI=

• Browsing link: http://www.joinfproxy.com/legal/terms/update

• Browsing link: http://www.joinfproxy.com/about/privacy/update

• Browsing link: http://www.joinfproxy.com/policies/cookies/

• Browsing link: https://de-de.facebook.com/

• Browsing link: https://fr-fr.facebook.com/

• Browsing link: https://it-it.facebook.com/

• Browsing link: https://pt-pt.facebook.com/

• Browsing link: https://sq-al.facebook.com/

Warnings:

• Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe

• HTTP Packets have been reduced

• TCP Packets have been reduced to 100

• Created / dropped Files have been reduced to 100

• Excluded IPs from analysis (whitelisted): 2.19.153.179, 152.199.19.161, 172.217.23.228, 216.58.201.99, 40.90.22.186, 40.90.22.188, 40.90.22.185, 93.184.220.29, 51.143.111.7

• Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, umwatson.trafficmanager.net, cs9.wac.phicdn.net, lgin.msa.trafficmanager.net, ie9comview.vo.msecnd.net, fonts.gstatic.com, login.msa.msidentity.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, ocsp.digicert.com, login.live.com, go.microsoft.com.edgekey.net, www.google.com, www.gstatic.com, watson.telemetry.microsoft.com, cs9.wpc.v0cdn.net

• Report size exceeded maximum capacity and may have missing behavior information.

• Report size getting too big, too many NtCreateFile calls found.

• Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 60 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 5 0 - 5 false

Classification

[Classification chart. Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.]

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link

Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface

Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification

Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness

Defense Evasion: Web Service 1; Process Injection 1; Rootkit; Obfuscated Files or Information; Masquerading

Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation

Discovery: Process Discovery 1; Security Software Discovery 1; File and Directory Discovery 1; System Network Configuration Discovery; Remote System Discovery

Lateral Movement: Remote File Copy 3; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot

Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged

Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer

Command and Control: Web Service 1; Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 5; Standard Application Layer Protocol 5; Remote File Copy 3

Signature Overview

• AV Detection

• Phishing

• Networking

• System Summary

• Malware Analysis System Evasion

• HIPS / PFW / Operating System Protection Evasion


AV Detection:

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Phishing:

Phishing site detected (based on logo template match)

Form action URLs do not match main URL

Found iframes

HTML title does not match URL

Invalid T&C link found

None HTTPS page querying sensitive user data (password, username or email)

META author tag missing

META copyright tag missing

Networking:

Social media urls found in memory data

Downloads files from webservers via HTTP

Found strings which match to known social media urls

Performs DNS lookups

Posts data to webserver

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Urls found in memory or binary data

Uses HTTPS


System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Sample might require command line arguments

Spawns processes

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Uses new MSVCR Dlls

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Behavior Graph

[Behavior graph figure. ID: 190651; URL: http://www.joinfproxy.com; Startdate: 19/11/2019; Architecture: WINDOWS; Score: 60]

Process nodes: iexplore.exe (6 87), started; iexplore.exe (7 353), started

Signature nodes (agent.joinf.cn): Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Phishing site detected (based on logo template match)

Network nodes: agent.joinf.cn (47.91.149.178, 443, 49714, 49715, unknown, United States); scontent-hkg3-2.xx.fbcdn.net (157.240.15.22, 443, 49724, 49725, unknown, United States); 18 other IPs or domains

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source Detection Scanner Label Link

www.joinfproxy.com 3% Virustotal Browse

agent.joinf.cn 10% Virustotal Browse

URLs

Source Detection Scanner Label Link

https://sq-al.faceb 0% Avira URL Cloud safe

www.mercadolivre.com.br/ 0% Virustotal Browse

www.mercadolivre.com.br/ 0% Avira URL Cloud safe

www.merlin.com.pl/favicon.ico 0% Virustotal Browse

www.merlin.com.pl/favicon.ico 0% URL Reputation safe

www.joinfproxy.com/?sk=inbox7http://www.joinfproxy.com/images/icons/app/messages.ico 100% Avira URL Cloud phishing

www.dailymail.co.uk/ 0% Virustotal Browse

www.dailymail.co.uk/ 0% URL Reputation safe

agent.joinf.cn/static/rsrc.php/v3/yN/r/YSGcJgI3134.js?_nc_x=Ij3Wp8lg5Kz 100% Avira URL Cloud phishing

www.joinfproxy.com/?sk=nf3http://www.joinfproxy.com/images/icons/ 100% Avira URL Cloud phishing

https://sq-al.facebook 0% Avira URL Cloud safe

agent.joinf.cn/images/icons/app/events.ico 100% Avira URL Cloud phishing

https://pt-pt.face 0% Avira URL Cloud safe

agent.joinf.cn/static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lJL2wvMCxjcm9zcy95TGc2MkZpRGpURC5jc3M/X25jX3g9SWozV3A4bGc1S3o= 100% Google Safe Browsing phishing

www.joinfproxy.com/images/marketing/cookies/www/tools_active.png 100% Avira URL Cloud phishing

https://agent.joinf.cn/login/identify/?ctx=recover&ars=royal_blue_barJlY292ZXIvaW5pdGlhdGU/bHd2PTExM 100% Avira URL Cloud phishing

busca.igbusca.com.br//app/static/images/favicon.ico 0% Virustotal Browse

busca.igbusca.com.br//app/static/images/favicon.ico 0% URL Reputation safe

agent.joinf.cn/?sk=nf/http://agent.joinf.cn/images/icons/app/ 100% Avira URL Cloud phishing

https://it-it.facebook 0% Avira URL Cloud safe

agent.joinf.cn/static/rsrc.php/v3ivK94/yW/l/en_US/-fNtMGApV03.js?_nc_x=Ij3Wp8lg5Kz 100% Avira URL Cloud phishing

www.etmall.com.tw/favicon.ico 0% Virustotal Browse

www.etmall.com.tw/favicon.ico 0% URL Reputation safe

it.search.dada.net/favicon.ico 0% Virustotal Browse

it.search.dada.net/favicon.ico 0% URL Reputation safe

agent.joinf.cn/facebook/policies/cookies/ 100% Avira URL Cloud phishing

search.hanafos.com/favicon.ico 0% Virustotal Browse

search.hanafos.com/favicon.ico 0% URL Reputation safe

agent.joinf.cn/rsrc.php/v3/yj/r/AE-e0Vw8Uhd.png 100% Avira URL Cloud phishing

agent.joinf.cn/static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3l5L2wvMCxjcm9zcy9vQWx1M09BVjF2US5jc3M/X25jX3g9SWozV3A4bGc1S3o= 100% Google Safe Browsing phishing

cgi.search.biglobe.ne.jp/favicon.ico 0% Virustotal Browse

cgi.search.biglobe.ne.jp/favicon.ico 0% Avira URL Cloud safe

ocsp.pki.goog/gts1o10 0% Virustotal Browse

ocsp.pki.goog/gts1o10 0% URL Reputation safe

www.joinfproxy.com/ 3% Virustotal Browse

www.joinfproxy.com/ 100% Avira URL Cloud phishing

search.msn.co.jp/results.aspx?q= 0% Virustotal Browse

search.msn.co.jp/results.aspx?q= 0% URL Reputation safe

buscar.ozu.es/ 0% Virustotal Browse

buscar.ozu.es/ 0% Avira URL Cloud safe

ocsp.pki.goog/gsr202 0% Virustotal Browse

ocsp.pki.goog/gsr202 0% URL Reputation safe

https://pki.goog/repository/0 0% Virustotal Browse

https://pki.goog/repository/0 0% URL Reputation safe

www.joinfproxy.com/about/privacy/updateRoot 100% Avira URL Cloud phishing

https://agent.joinf.cn/policies/cookies/ 100% Avira URL Cloud phishing

search.auction.co.kr/ 0% Virustotal Browse

search.auction.co.kr/ 0% URL Reputation safe

agent.joinf.cn/static/rsrc.php/v3iqES4/yN/l/en_US/lIJrOY0twaO.js?_nc_x=Ij3Wp8lg5Kz 100% Avira URL Cloud phishing

agent.joinf.cn/static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lrL2wvMCxjcm9zcy9HN1h6Y2FTMVFtTS5jc3M/X25jX3g9SWozV3A4bGc1S3o= 100% Google Safe Browsing phishing

www.joinfproxy.com/policies/cookies/ 100% Avira URL Cloud phishing

www.pchome.com.tw/favicon.ico 0% Virustotal Browse

www.pchome.com.tw/favicon.ico 0% Avira URL Cloud safe

browse.guardian.co.uk/favicon.ico 0% Virustotal Browse

browse.guardian.co.uk/favicon.ico 0% URL Reputation safe

crl.pki.goog/gsr2/gsr2.crl0? 0% Virustotal Browse

crl.pki.goog/gsr2/gsr2.crl0? 0% URL Reputation safe

google.pchome.com.tw/ 0% Virustotal Browse

google.pchome.com.tw/ 0% Avira URL Cloud safe

www.garagefonts.comhttp://www.joshuadarden.comhttps://www.garagefonts.comFreightSans 0% Avira URL Cloud safe

www.ozu.es/favicon.ico 0% Virustotal Browse

www.ozu.es/favicon.ico 0% Avira URL Cloud safe

agent.joinf.cn/static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3ltL3Ivb180bk5kYlppczkucG5n 100% Google Safe Browsing phishing

search.yahoo.co.jp/favicon.ico 0% Virustotal Browse

search.yahoo.co.jp/favicon.ico 0% URL Reputation safe

www.gmarket.co.kr/ 0% Virustotal Browse

www.gmarket.co.kr/ 0% URL Reputation safe

www.joinfproxy.com/legal/terms/updateover&ars=royal_blue_barJlY292ZXIvaW5pdGlhdGU/bHd2PTExMCZ 100% Avira URL Cloud phishing

agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29tL2hlbHAvMTk1MjI3OTIxMjUyNDAw 100% Avira URL Cloud phishing

agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29tL2hlbHAvaW50ZWxsZWN0dWFsX3By 100% Avira URL Cloud phishing

agent.joinf.cn/static/rsrc.php/v3/yQ/r/SgyPmYUaN1c.js?_nc_x=Ij3Wp8lg5Kz 100% Avira URL Cloud phishing

agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29tL2hlbHAvY29udGFjdC8yNTk1MTg3MTQ3 100% Avira URL Cloud phishing

agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29t 100% Avira URL Cloud phishing

search.orange.co.uk/favicon.ico 0% Virustotal Browse

search.orange.co.uk/favicon.ico 0% Avira URL Cloud safe

www.iask.com/ 0% Virustotal Browse

www.iask.com/ 0% Avira URL Cloud safe

service2.bfast.com/ 0% Virustotal Browse

service2.bfast.com/ 0% URL Reputation safe

www.news.com.au/favicon.ico 0% Virustotal Browse

www.news.com.au/favicon.ico 0% Avira URL Cloud safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

iexplore.exe (PID: 1132 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 2672 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1132 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\1FBVMPHM\de-de.facebook[1].xml

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with no line terminators

Size (bytes): 215

Entropy (8bit): 4.768867360717767

Encrypted: false

MD5: E7E2F2203F5EDCBB91A319E4057C6DCD

SHA1: 1A1EA84D8678A294DF128B300F5A8A7F7FEDF4C9

SHA-256: 7347A660D53B3859DE31F0B960F642322DFD6978ABD160E7332430734448BBCD

SHA-512: 3EA114703E5D21103B789362C7A44199CAE327B4366ADA2403A5E085493A06038016D53C997878A78C5A2207181A6BC3D502AD4DDF903DEE279BA2A9A70EE1AE

Malicious: false

Reputation: low

Preview:<root></root><root><item name="Session" value="mrviwa:1574193096717" ltime="2931614624" htime="30777106" /></root><root><item name="Session" value="mrviwa:1574193096850" ltime="2933024624" htime="30777106" /></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\1FBVMPHM\sq-al.facebook[1].xml

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 914

Entropy (8bit): 4.882471955141429

Encrypted: false

MD5: FA2AA79BABF4627CED3FA1A55F0E9A82

SHA1: 0A92F9697737819E862A1CB77FE672243D681D6E

SHA-256: 4094E8E5E49D88BAA77833B1DD55CA695C908BB73DF06A169531B747D9A4B092

SHA-512: B041D347AB7413FA335FAF15D1D0E832FDA44065298CA89134ECABECEC515A5BCA17BD89B90FD8B8CEFB1772CE26DA71888395C0308D99C6D88E06374E260821

Malicious: false

Reputation: low

Preview:<root></root><root><item name="Session" value="wc4pvh:1574193118553" ltime="3159624624" htime="30777106" /></root><root><item name="Session" value="wc4pvh:1574193121098" ltime="3175484624" htime="30777106" /></root><root><item name="Session" value="wc4pvh:1574193121108" ltime="3175564624" htime="30777106" /></root><root><item name="Session" value="wc4pvh:1574193121108" ltime="3175564624" htime="30777106" /><item name="mutex_banzai" value="6itqq8:1574193101221" ltime="3176684624" htime="30777106" /></root><root><item name="Session" value="wc4pvh:1574193121108" ltime="3175564624" htime="30777106" /></root><root><item name="Session" value="wc4pvh:1574193122055" ltime="3185004624" htime="30777106" /></root><root><item name="Session" value="wc4pvh:1574193123247" ltime="3198994624" htime="30777106" /></root><root><item name="Session" value="e5i85p:1574193157682" ltime="3541204624" htime="30777106" /></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\9K719AIK\agent.joinf[1].xml

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 17550

Entropy (8bit): 5.319178887915541

Encrypted: false

MD5: CF42F0F367288524CB5FC8473AE0FC37

SHA1: DB26C5D4800B3E5B3C03BB8D4EF94AD0344D1D6F

SHA-256: CC29C0DE704CE636E069E73FAA2A10A79B84AB9BDEBAFC9374BABBC0F98CA33C

SHA-512: C07CE0FAE4B2AB3E5B4D2C390956BE19E42B46FC07E825C2FD432F743093F77BF858D100BDA29B6A299041B8066DE9A082B259C32D97F60864C46B292740C2A9

Malicious: false

Reputation: low

Preview:<root></root><root><item name="Session" value="qi1v7y:1574193062799" ltime="2608534624" htime="30777106" /></root><root><item name="Session" value="qi1v7y:1574193067468" ltime="2639194624" htime="30777106" /></root><root><item name="Session" value="qi1v7y:1574193067482" ltime="2639384624" htime="30777106" /></root><root><item name="Session" value="qi1v7y:1574193067482" ltime="2639384624" htime="30777106" /><item name="check_quota" value="check_quota" ltime="2639674624" htime="30777106" /></root><root><item name="Session" value="qi1v7y:1574193067482" ltime="2639384624" htime="30777106" /></root><root><item name="Session" value="qi1v7y:1574193067482" ltime="2639384624" htime="30777106" /><item name="mutex_banzai" value="w33k8c:1574193047521" ltime="2639754624" htime="30777106" /></root><root><item name="Session" value="qi1v7y:1574193067482" ltime="2639384624" htime="30777106" /></root><root><item name="Session" value="qi1v7y:1574193070145" ltime="2665964624" htime="30777106" /><item name

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\9K719AIK\pt-pt.facebook[1].xml

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 9807

Entropy (8bit): 5.163056287323746

Encrypted: false

MD5: 1CA95982F840691CC6FABCDAD0F06244

SHA1: 520DBED337F457B1111CB08E6FEE024238F5F96C

SHA-256: 168D48C151A68DB135CED2A1EAB95D53932805F936425B4162B9AB0F58682210

SHA-512: 69504D9CB2A1685AA1230746B6D3DD0705DCEA17EC946BFFCDCAA1B8B4EB9A8B40C1DFE7B85DC2CE2447D7B100D2822C48C44BDD4EAF2155B3D96A4C1C2C5BC9

Malicious: false

Reputation: low


Preview:<root></root><root><item name="Session" value="7vlw18:1574193112762" ltime="3108234624" htime="30777106" /></root><root><item name="Session" value="7vlw18:1574193115680" ltime="3121294624" htime="30777106" /></root><root><item name="Session" value="7vlw18:1574193115687" ltime="3121384624" htime="30777106" /></root><root><item name="Session" value="7vlw18:1574193115687" ltime="3121384624" htime="30777106" /><item name="check_quota" value="check_quota" ltime="3122144624" htime="30777106" /></root><root><item name="Session" value="7vlw18:1574193115687" ltime="3121384624" htime="30777106" /><item name="mutex_banzai" value="5fxaxj:1574193095767" ltime="3122144624" htime="30777106" /></root><root><item name="Session" value="7vlw18:1574193115687" ltime="3121384624" htime="30777106" /></root><root><item name="Session" value="7vlw18:1574193117765" ltime="3142144624" htime="30777106" /></root><root><item name="Session" value="7vlw18:1574193118802" ltime="3152494624" htime="30777106" /></root><ro

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\C16CYV4I\fr-fr.facebook[1].xml

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 9814

Entropy (8bit): 5.112847308549422

Encrypted: false

MD5: 559BCFE1FD0AD028EB0B3C195F9AA54F

SHA1: ED93A5293094FEFAF26D401749247C3239F4A503

SHA-256: 26A3258426BD8E2683D23A3FFC1375D2E34492FDED4052480D89515E22B255E4

SHA-512: 61082688C41B25DBFF344A872CA7FA18AB77B3C8744B65E57DCEA21282CECEF2AE45BA859BC9AC373E2FC19B25D35BC0B63E679F18ED56C9657E48D0D3499724

Malicious: false

Reputation: low

Preview:<root></root><root><item name="Session" value="o9iuq8:1574193096355" ltime="2937324624" htime="30777106" /></root><root><item name="Session" value="o9iuq8:1574193098805" ltime="2952634624" htime="30777106" /></root><root><item name="Session" value="o9iuq8:1574193098814" ltime="2952674624" htime="30777106" /></root><root><item name="Session" value="o9iuq8:1574193098814" ltime="2952674624" htime="30777106" /><item name="check_quota" value="check_quota" ltime="2953874624" htime="30777106" /></root><root><item name="Session" value="o9iuq8:1574193098814" ltime="2952674624" htime="30777106" /><item name="mutex_banzai" value="ohbsj7:1574193078948" ltime="2953994624" htime="30777106" /></root><root><item name="Session" value="o9iuq8:1574193099076" ltime="2955284624" htime="30777106" /><item name="mutex_banzai" value="ohbsj7:1574193078948" ltime="2953994624" htime="30777106" /></root><root><item name="Session" value="o9iuq8:1574193099076" ltime="2955284624" htime="30777106" /></root><root><item

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\D1YBPPLZ\it-it.facebook[1].xml

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 2966

Entropy (8bit): 5.229291535723517

Encrypted: false

MD5: 097A08F1894E9167630B64852E123365

SHA1: FBB967A6E41E5F398250804598A0958E2A45C23A

SHA-256: F35144373AFBD2572004417A29EB2A4042863CC7FB9B76F54E5E6178257EFC02

SHA-512: 9A21020F4A1DEBDEDA1A0FAC0FF2A62800B830A9BA08E801905C4C199137A9F6AB43A182EC3A273C8ED9CBF1188C6883C5E7077D35B084E7B85DAE22360CF190

Malicious: false

Reputation: low

Preview:<root></root><root><item name="Session" value="qq5f8e:1574193103808" ltime="3040924624" htime="30777106" /></root><root><item name="Session" value="qq5f8e:1574193109200" ltime="3056514624" htime="30777106" /></root><root><item name="Session" value="qq5f8e:1574193109209" ltime="3056594624" htime="30777106" /><item name="mutex_banzai" value="5r3vmq:1574193089222" ltime="3056734624" htime="30777106" /></root><root><item name="Session" value="qq5f8e:1574193109209" ltime="3056594624" htime="30777106" /></root><root><item name="Session" value="qq5f8e:1574193111516" ltime="3079764624" htime="30777106" /></root><root><item name="Session" value="qq5f8e:1574193113284" ltime="3097304624" htime="30777106" /></root><root><item name="Session" value="qq5f8e:1574193113284" ltime="3097304624" htime="30777106" /><item name="bz:qq5f8e:i5lyep:5r3vmq.1574193083295.8645" value="[[&quot;categorized_ods&quot;,{&quot;2979&quot;:{&quot;banzai&quot;:{&quot;blue_total_messages_received&quot;:[26]}}},1574193083281

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\D1YBPPLZ\www.joinfproxy[1].xml

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 301790

Entropy (8bit): 5.10470843874641

Encrypted: false

MD5: 00E2BC70D89B22446C3BF7FA0D737A86

SHA1: 5E2A60F239397FA734BC570383AE32EC2C2742E6

SHA-256: 1A66F8905D7A2A35FF7A8B672C009B5A04197AFFA819DD5A9B23008DF6FBAEA0

SHA-512: 4DA1DCFFDF368095FD5352289BD8845F92DD760124348C79F4E56F6A407FA5E577004B50169FCA4D32C48C621B2FE3A41660FA31ECECF3A8D41E3B2D41E4C240

Malicious: false

Reputation: low

Preview:<root></root><root><item name="Session" value="82q1th:1574193006622" ltime="2088554624" htime="30777106" /></root><root><item name="Session" value="82q1th:1574193021282" ltime="2177274624" htime="30777106" /></root><root><item name="Session" value="82q1th:1574193021282" ltime="2177274624" htime="30777106" /><item name="check_quota" value="check_quota" ltime="2186064624" htime="30777106" /></root><root><item name="Session" value="82q1th:1574193021282" ltime="2177274624" htime="30777106" /><item name="mutex_banzai" value="mbog0n:1574193002154" ltime="2186104624" htime="30777106" /></root><root><item name="Session" value="82q1th:1574193022218" ltime="2186804624" htime="30777106" /><item name="mutex_banzai" value="mbog0n:1574193002154" ltime="2186104624" htime="30777106" /></root><root><item name="Session" value="82q1th:1574193022218" ltime="2186804624" htime="30777106" /></root><root><item name="Session" value="82q1th:1574193024532" ltime="2209934624" htime="30777106" /></root><root><item

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4DC9C63-0B05-11EA-AADB-C25F135D3C65}.dat

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: Microsoft Word Document

Size (bytes): 30296

Entropy (8bit): 1.851235316157272

Encrypted: false

MD5: 825F199CADB008E5AAEEE1A1E3BA0121

SHA1: A68A85AF6ACA24D1D711468C874F2436F2ECBA6E

SHA-256: 28888E627ED3E62345179CD7C251956EF5CB7F2A0EFB3B0C0323A996D1A2F14E

SHA-512: 1DC5F3F22562B19DEE1166DD034F93DB55AEEB476AEF8B371772722505C7A56C22248CD57F2DA9F1E0A1189722FA5B3E9B6834608978F78E9FE6DF76FF126DC7

Malicious: false

Reputation: low

Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B4DC9C65-0B05-11EA-AADB-C25F135D3C65}.dat

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: Microsoft Word Document

Size (bytes): 345706

Entropy (8bit): 3.0817276407321508

Encrypted: false

MD5: 8FA85361248B4A96621733ED2B172B1A

SHA1: AD1ED16FECFBD1CF64646E34390D12D31287BD63

SHA-256: 601FEDE7AD1471F7D0BA9617B07F687510DB004274B242C56B030A2AF38CFD1B

SHA-512: 52FFE05CB5CD02EC11BB994A18273F908D3D0A2A1EF1B5D100A5342C003005F979580593C62460BD8B91F14034064C951703200A1A5342C7F6768836AAC9A0E7

Malicious: false

Reputation: low

Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BEAB6195-0B05-11EA-AADB-C25F135D3C65}.dat

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: Microsoft Word Document

Size (bytes): 16984

Entropy (8bit): 1.5660810766324997

Encrypted: false

MD5: B6958904871BADBF481068B3C8FD1717

SHA1: B798867864D6C5132BCA58AF744040E258FE62B1

SHA-256: 0E0313225435B4E2DC1611734C66885B98B4C83026AE3265BC0FE53EA9C61C10

SHA-512: FA9A8C76624916313EA19FBA7AB72501BED918768DDBD4DBC0BCDB1D4AD1F533CCC7A22845F18D460349E7FD11FDD1FC079CD9B9220EDE4ADE41A9E55CB25144

Malicious: false

Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Size (bytes): 656

Entropy (8bit): 5.146187713591611

Encrypted: false

MD5: 3F288593ABCBB3CF3A83334E6879E5E7

SHA1: 7D309D5CE4AE5A9F0EB43EE93DAE92BDC2F4D704

SHA-256: A8404C4CD6AD872AF0F2B79B0A64A2A5570FFB3949ACF31BA2722702737F984A

SHA-512: C5BAFCD88820D19EE07890CA2FBDBBF97C762AAB2411964A6AF8922C2AE436E30E924878D68C9E32212B9DB2762A678EDD21B9CBB562A13ED9C9E79CD21F89E1

Malicious: false

Reputation: low

Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x94718976,0x01d59f12</date><accdate>0x94718976,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x94718976,0x01d59f12</date><accdate>0x947411b1,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Size (bytes): 653

Entropy (8bit): 5.184580338906425

Encrypted: false

MD5: 575BC2370996895BE95F8C5264BB9DB3

SHA1: 5976D37D8FF4F12A6FA476BD16A1AC6160046168

SHA-256: D40C08DD38C75276421436D6C81AB4E89F9ECE474F6C382190A0B0868ACFE60F

SHA-512: C1F3A679BE6664BF52F6D6A1EEAB2C283628FECBC97779C723C080902BE590FC9FF0EA48DD0AA5B6D01F1E367B1B1E25E508009AF9281443E47A01F8307A7E12

Malicious: false

Reputation: low

Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x94447568,0x01d59f12</date><accdate>0x94447568,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x94447568,0x01d59f12</date><accdate>0x945ffd61,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Size (bytes): 662

Entropy (8bit): 5.136256124090803

Encrypted: false

MD5: 86C68940B6D3F2EF12AAA9AF4CB5355A

SHA1: 7E5EEA171D7628E264AC7567C60DC367C508E768

SHA-256: 8C393E2BAF9231F8694C6CC34D871B6CDD27055F95E73CC409384A29CD6ECD92

SHA-512: 0A1ED487D0DE1F774A8C98A51F024A554A035B29ADE48A87BCAB751D42265E9404690FCD79333AFCFDE55715183A4F25E1F978D259A7DC21CFBB2668D6BBF34C

Malicious: false

Reputation: low

Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x947411b1,0x01d59f12</date><accdate>0x947411b1,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x947411b1,0x01d59f12</date><accdate>0x947411b1,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Size (bytes): 647

Entropy (8bit): 5.142477170172917

Encrypted: false

MD5: 0FC35020FBD51E949F697B164B950F02

SHA1: F803FD41BEB2AC09908FF15D83BE9949E00B6321

SHA-256: 9F8C35995E5AB51CA3C02FF672AE259E55D1EFBF8C226CF8DC57D57FA88783C5

SHA-512: 7BB7E5351165F2B3E0B44E2A2C55466769C29298E28D67AC5DF417D8CDE37B7891FBA7E5A1BF5C0E545965981D574395C07468D2ECE6351AB139B79FC55813AB

Malicious: false

Reputation: low

Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x946c8d09,0x01d59f12</date><accdate>0x946c8d09,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x946c8d09,0x01d59f12</date><accdate>0x946c8d09,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Size (bytes): 656

Entropy (8bit): 5.187487861420848

Encrypted: false

MD5: F2FBC80AFBFFBB32E8F8EE7F386E51B2

SHA1: A6802ED45E1F8549DD02FB650B3B1B935AC4E46E

SHA-256: 14DD5ECE1BC9205E9EF9018F393C11CCA34A8A73C86FD1E49933F98CD8BDF6AF

SHA-512: 7D175C06D2B2695613CA577C8D6BCB060A833FED2F1B165989090313C66A87EA4EA2525AFDB489A1362C12782029530F5F05E909F463C2A3407E98C249BF1151

Malicious: false

Reputation: low

Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x947687bb,0x01d59f12</date><accdate>0x947687bb,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x947687bb,0x01d59f12</date><accdate>0x947687bb,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Size (bytes): 653

Entropy (8bit): 5.1467530184173

Encrypted: false

MD5: 7B2BD6BB763492AC95558EEDF5C5AEAE

SHA1: 13842660F78C9125C2CB703840E600C6CBFF8409

SHA-256: 74DE0179149D61B8F987F76A08565ABA3EE4F438C86FBE67614D9B51B5AA9E4F

SHA-512: 67AB8AA9758E1E25DE0AA6EE51F71D757B3EBD2FDF55CC1638AD23BEE5B035F0C9A82235451C3DE4CDD5A239ABA37D244B0827D609253D94585CFB7E3E54DF1F

Malicious: false

Reputation: low

Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x946f272e,0x01d59f12</date><accdate>0x946f272e,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x946f272e,0x01d59f12</date><accdate>0x94718976,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Size (bytes): 656

Entropy (8bit): 5.175801897778691

Encrypted: false

MD5: 9F4E637BB91B4C78CCF8DDDF3F077BFC

SHA1: AE51CC51202B158D8296607189F7A19B0C1A9D60

SHA-256: 4D0A8B9E53127D361BDA5683EA2728CE8BD850395105CF1E079733EA71241DE8

SHA-512: 6F2ECCDC69971EA31C800E90C85EC8E09AE6FD71D0A6C69CF514A624AF6889BA26F95E56B9DE576AA0E63DE9B55F396A759047F9A0E31BEF7C7B5D8BEB405E92

Malicious: false

Reputation: low

Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x946f272e,0x01d59f12</date><accdate>0x946f272e,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x946f272e,0x01d59f12</date><accdate>0x946f272e,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Size (bytes): 659

Entropy (8bit): 5.149512399821964

Encrypted: false

MD5: 26F4DCD09369E142D503BEAF44C81B87

SHA1: 390C7F6B21B616469618F07A794879AE2DCC87EC

SHA-256: 394BE8248348E4A76FC5129E2ABD64CBADDEFBA325A55FCE37B6760A9914F9A5

SHA-512: F348A8D9C180447621570A9F71DC90EFE1DF5F3F24072E5457E7D26375AFB94C7A69B75376C70B9A7D656A6E215ED982ABAB755EFE204EC5B380665065798844

Malicious: false

Reputation: low

Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x946504eb,0x01d59f12</date><accdate>0x946504eb,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x946504eb,0x01d59f12</date><accdate>0x946504eb,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml

Process: C:\Program Files\internet explorer\iexplore.exe

File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Size (bytes): 653

Entropy (8bit): 5.141337698088038

Encrypted: false

MD5: E4AC6CEE77C4884AC0F0CEF401354CDB

SHA1: EA9898D216536ADFAE81794FF8B0D970F995ED37

SHA-256: 61DE5039F5817746A0BF1D8F979C02ED50D9FCF48D71100B335DBA66456BE605

SHA-512: B904B8B11A239E16BFA3764008485CA112FECA873A88C8FF2D7CAAEE38DCF570FE0B7DADB4C31968A7D84A7E6FAADB5EA5C74DC464BD8B90F7AF3A15D4C72669

Malicious: false

Reputation: low

Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x94678ff7,0x01d59f12</date><accdate>0x94678ff7,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x94678ff7,0x01d59f12</date><accdate>0x946c8d09,0x01d59f12</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\6aw4uvh\imagestore.dat

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: data

Size (bytes): 5740

Entropy (8bit): 2.7256437085303538

Encrypted: false

MD5: 34577AFFF2D723F8973D821E6C983567

SHA1: F94C33C703D3D119C9A0FADDEED2BA1818D93E98

SHA-256: 03449FAEE6D61F053AEB1ACA647013564913336DB6C06585FB1CA99DE527F163

SHA-512: D82838F45114C557EBA52C56A4CE62B5FAD93314E0C98A4DE978860E55909698D7347EB94D64AD13CC067F77B04F4794E3BE7FE9D15430017ABEAAEF660D82BF

Malicious: false

Reputation: low

Preview: https://static.xx.fbcdn.net/rsrc.php/yo/r/iRmz9lCMBD2.ico (UTF-16 string at the start of the file; the binary data that follows is omitted)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\0R0NR6WD.htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, UTF-8 Unicode text, with very long lines

Size (bytes): 129786

Entropy (8bit): 5.703909212922824

Encrypted: false

MD5: 6A8E2A4AD3631BEE2FEF5D0523A5B78A

SHA1: 50877D9B7E6FC2B4F661724E9D039B7957CBFCD1

SHA-256: 5F25E197EAB227002139DD502934A89EF4FF3A46021A507B71DC565A801EF899

SHA-512: 4584B84E5C3ECC51FF2F27CAED84249D3C247404932EB57A2F6F8403C9BD9859C27CF80A19D9BC2968DF669732E194311FBC38630821CFF885B4B7F86008830B

Malicious: false

Reputation: low

Preview:<!DOCTYPE html>.<html lang="pt" id="facebook" class="no_js">.<head><meta charset="utf-8" /><meta name="referrer" content="default" id="meta_referrer" /><script>window._cstart=+new Date();</script><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXgb0AVThAlwv3dL","timeslice_heartbeat_config":{"pollIntervalMs":33,"idleGapThresholdMs":60,"ignoredTimesliceNames":{"requestAnimationFrame":true,"Event listenHandler mousemove":true,"Event listenHandler mouseover":true,"Event listenHandler mouseout":true,"Event listenHandler scroll":true},"isHeartbeatEnabled":true,"isArtilleryOn":false},"shouldLogCounters":true,"timeslice_categories":{"react_render":true,"reflow":true},"sample_continuation_stacktraces":true,"dom_mutation_flag":true,"stack_trace_limit":30,"deferred_stack_trace_rate":1000,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\7569MWEP.htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, UTF-8 Unicode text, with very long lines

Size (bytes): 131605

Entropy (8bit): 5.713905056069737

Encrypted: false

MD5: 120112B3BFFB43EE7409E20CADD9B875

SHA1: AF5DA257222268A410570B3495B89DBB78FD4668

SHA-256: 27235A0C31522A229602F014311905B68921101C3D5DE64CD4E37756CBBC73C8

SHA-512: DF09F1160C452B183AA92A32AFC3D2F008272E27CA7009D517BA0B731B41EA2F0073740EB96EF4C709B807E270A45CD223A75AFC7F688C4999A03F1CB99CD682

Malicious: false

Reputation: low

Preview:<html lang="en" id="facebook" class="no_js"><head><meta charset="utf-8"><meta name="referrer" content="default" id="meta_referrer"><script>window._cstart=+new Date();</script><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXgb0AVThAlwv3dL","timeslice_heartbeat_config":{"pollIntervalMs":33,"idleGapThresholdMs":60,"ignoredTimesliceNames":{"requestAnimationFrame":true,"Event listenHandler mousemove":true,"Event listenHandler mouseover":true,"Event listenHandler mouseout":true,"Event listenHandler scroll":true},"isHeartbeatEnabled":true,"isArtilleryOn":false},"shouldLogCounters":true,"timeslice_categories":{"react_render":true,"reflow":true},"sample_continuation_stacktraces":true,"dom_mutation_flag":true,"stack_trace_limit":30,"deferred_stack_trace_rate":1000,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ75ExhV2hnaK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\7W_zzge2D8D[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 2100500

Entropy (8bit): 5.536832022878986

Encrypted: false

MD5: D4D9F81FE8D90B0EFB1E76DA7BD0D54A

SHA1: D6DCE8745C2A3EBDD6A2F46F4261CCF9B3D32E76

SHA-256: 57EA96FFC1BD8FC245FE2D9A81E33B609201366A9C16BF3497B3AB9F25ED74B6

SHA-512: 2744D9DB1B65F9A3EFB2AD78F0903711E9C513FDF062BB278401DE0FA3983FC96579257CAD3190EAB313230CA369637E42E952B48BAA7F06736D9AA7059FD576

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["iJOX7"]); }..__d("UFI2ViewOption",["qex"],(function(a,b,c,d,e,f){"use strict";a={isChronologicalOrder:function(a){var c=b("qex");if(a==="FRIENDS_COMMENTS"&&!c._("1080217"))return!1;switch(a){case"RECENT_ACTIVITY":case"RANKED_THREADED":case"RANKED_UNFILTERED":case"LIVE_STREAMING":case"RANKED_SUB_REPLIES":case"RANKED_REPLIES":return!1}return!0}};e.exports=a}),null);.__d("UFI2CommentsListState",["invariant","ErrorUtils","FBLogger","UFI2ViewOption","gkx"],(function(a,b,c,d,e,f,g){"use strict";__p&&__p();function h(a){var b=a.count,c=a.direction,d=a.error,e=a.hasMore,f=a.isLoading,g=a.pageSize;a=a.totalCount;if(a!=null&&a===0)return null;if(b===0)return null;return!e?null:{__type:"PAGER",count:Math.min(b,g),direction:c,status:{error:d,pending:f}}}function i(a){var b=a.count,c=a.expanded;a=a.minCountToShowCollapser;if(!c)return null;if(a==null)return null;return b<=a?null:{__type:"REPLIES_COLLAPSER",count:b}}function j(a){var b=a.error,c=a.e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\7W_zzge2D8D[2].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 1127601

Entropy (8bit): 5.6077344218742935

Encrypted: false

MD5: A947996A94E5B1C05B55B685AC6E5F9A

SHA1: A3AFFF18B6280E3380C008B1FE9333A516A06E3F

SHA-256: CAD7626955E7A11F96B1DE270A48797B9EE8AFE462AB7DE170A48509AEB0BD3A

SHA-512: 53FEDB4E519C7A6609D8D54CE29BDD84FCAA9D92C4C4B87E30821001B9DD0AE9E2687D7A601C8FAD748573E80972419EBC9D39548C36F979A00F4F05B3DD6FCE

Malicious: false

Reputation: low

Preview:WithGuard(c,null,[a],null,"UFI2ActiveLayerMonitor")}i=!1}function n(a){j!==a&&(j=a,m(a))}a={getLastActiveLayer:function(){return j},subscribe:function(a){__p&&__p();h.push(a);i&&k.push(a);l==null&&(l=new(b("SubscriptionsHandler"))(),l.addSubscriptions(b("UserActivity").subscribe(function(a,c){a=c.event;n(b("Parent").byClass(a.target,"uiLayer")||b("getDocumentScrollElement")())})));var c=!1;return{remove:function(){__p&&__p();if(c)return;var b=h.indexOf(a);b!==-1&&h.splice(b,1);if(i){b=k.indexOf(a);b!==-1&&k.splice(b,1)}h.length===0&&(l&&(l.release(),l=null));c=!0}}}};e.exports=a}),null);.__d("UFI2BluePrimerDialog.react",["React"],(function(a,b,c,d,e,f){"use strict";e.exports=function(a){var c=a.Component;a=a.props;return b("React").jsx(c,babelHelpers["extends"]({},a))}}),null);.__d("UFI2LocalUserAction",["EventEmitter"],(function(a,b,c,d,e,f){"use strict";e.exports=new(b("EventEmitter"))()}),null);.__d("UFI2PrimerDialogWrapper.react",["requireCond","cr:828359"],(function(a,b,c,d,e,f){"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\ErrorPageTemplate[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators

Size (bytes): 2168

Entropy (8bit): 5.207912016937144

Encrypted: false

MD5: F4FE1CB77E758E1BA56B8A8EC20417C5

SHA1: F4EDA06901EDB98633A686B11D02F4925F827BF0

SHA-256: 8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F

SHA-512: 62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436

Malicious: false

Reputation: low

Preview:.body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\GsNJNwuI-UM[1].gif

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: GIF image data, version 89a, 16 x 11

Size (bytes): 522

Entropy (8bit): 6.529006523416013

Encrypted: false

MD5: 707DB34C054F1D55F0FDA41F0E14BF06

SHA1: A44B5ADBBC6D1CABED018132378884E3A4982336

SHA-256: 7F4FBB61E5A1226B421109D4BFEB68B371B240BB6A0131C54581B777CB649908

SHA-512: 2DE1940B52E8AA3B0E4077F5A74CAF44EB322F3ED32D81005ABBD80B146FF6228773FAE938B0F06DB1F2395FDEDE4978F9D99E8328BD87B976E9B70568B2E1AC

Malicious: false

Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: TrueType Font data, 18 tables, 1st "GDEF", 44544 names, language 0x800, type 9984 string

Size (bytes): 99175

Entropy (8bit): 6.474555991078843

Encrypted: false

MD5: 69ED9D86D75EC898DFFC095DA225781F

SHA1: 69BD3462993C946D0553F0F86682C51C6B8F208E

SHA-256: FCDAB7DDD9B9C65D09F1EFD560DDE49665C4F6F43C1E40091CDFA87B404DD818

SHA-512: 411EA72B578A0F1B92A4DFEB79690F2C508751F9190E032E4F0093BA8B1A0DF50C557FBFDF73E4EC2BA06F8791A25AD5E9488143553D91EF9FDC68FF8FC22475

Malicious: false

Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: QuArk archive data

Size (bytes): 7029

Entropy (8bit): 4.884455729801584

Encrypted: false

MD5: 58E196BA0E9AEF6C5428725610BB4877

SHA1: BCCD6B7ABB74D07823471007B9B02E961EFDACB1

SHA-256: 00895A426DE586C9FB7FCA40F2400E8CC89B7F94A4FE5FB9FDD8706419ECA64C

SHA-512: F3A2AC4CDC82F7F1A5FD56EF45725E136F9D352E7DD7FF593F6FFF87DFA0DD45801D9F99D31FB88F13E3DDA3FEC36F9324563B8050A633C70D1C9560AF0B4960

Malicious: false

Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\N-He0del83q[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 16570

Entropy (8bit): 5.3613411385368

Encrypted: false

MD5: 29FD90FFD198EE4F651C4E670E7AEED4

SHA1: BC7B08E4AE46562AA60C49D329DBD9475B1C5E4C

SHA-256: A01D3D57ED571DEFDAC75E8C3FCE1CDC854408270B877BBF5477AD98D964CFC8

SHA-512: 7CCD57D1E3B71C11701C5C5AA1A412AFD7F82BECCE268771FCAA9BF9123C0E25B135DCE436900B585BCA6377CCCA964A7C0D3BC7182A036E349E73230E508C5E

Malicious: false

Reputation: low

Preview:iif (self.CavalryLogger) { CavalryLogger.start_js(["BXuJY"]); }..__d("IdentityBadgeUtils",["cx","gkx"],(function(a,b,c,d,e,f,g){"use strict";__p&&__p();var h=function(a){switch(a){case"tipper":case"birthday_week_tipper":return b("gkx")("709988");case"sharer":return b("gkx")("709989");case"follower":return b("gkx")("833805"f (self.CavalryLogger) { CavalryLogger.start_js(["iydXG"]); }..__d("MercuryBootloadOnInteraction.react",["React","createCancelableFunction","promiseDone"],(function(a,b,c,d,e,f){"use strict";__p&&__p();a=function(a){__p&&__p();babelHelpers.inheritsLoose(c,a);function c(){__p&&__p();var c,d;for(var e=arguments.length,f=new Array(e),g=0;g<e;g++)f[g]=arguments[g];return(c=d=a.call.apply(a,[this].concat(f))||this,d.state={Component:null},d.$2=function(a){a=d.state.interactionType==="click"?"click":a.type;d.setState({interactionType:a},function(){b("promiseDone")(d.props.loader.load(),function(a){d.props.takeOverRender?d.props.takeOverRender(function(){return d.$1(a)}):d.$

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Nmb_F6p7z4a[2].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 972657

Entropy (8bit): 5.431502624666816

Encrypted: false

MD5: 82CCE89D30DDB92D2BA56743DA82A4D2

SHA1: 149AE2951734112269072A85E572AE91E07D8040

SHA-256: E69C1F56D59D1EBF1EF8629AC1D0A53600F8AC0C39D01A7374248AD7EEA04A41

SHA-512: 11B052EBF8AE7FDB49CC5FDEBBCCF8D8EDFAFB99C1A35BA725A0CAFE26104472C7BEE742B14767CB48BF16071B2A12ABFC644707B266A88F098ABC8CED0419DB

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["WZ2P0"]); }..__d("warning",["requireCond","cr:888908","cr:1105154"],(function(a,b,c,d,e,f){a=b("cr:888908");e.exports=a}),null);.__d("cometTestID",["testID"],(function(a,b,c,d,e,f){"use strict";e.exports=b("testID")}),null);.__d("CometSorryReaction",[],(function(a,b,c,d,e,f){"use strict";e.exports="data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' viewBox='0 0 16 16'%3e%3cdefs%3e%3clinearGradient id='a' x1='50%25' x2='50%25' y1='10.25%25' y2='100%25'%3e%3cstop offset='0%25' stop-color='%23FEEA70'/%3e%3cstop offset='100%25' stop-color='%23F69B30'/%3e%3c/linearGradient%3e%3clinearGradient id='d' x1='50%25' x2='50%25' y1='0%25' y2='100%25'%3e%3cstop offset='0%25' stop-color='%23472315'/%3e%3cstop offset='100%25' stop-color='%238B3A0E'/%3e%3c/linearGradient%3e%3clinearGradient id='e' x1='50%25' x2='50%25' y1='0%25' y2='100%25'%3e%3cstop offset='0%25' stop-color='%23191A33'/%3e%3cstop of

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\NxAfI9A4Tnd[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 28561

Entropy (8bit): 5.297943349052214

Encrypted: false

MD5: 7795C1DD936B9B25CD5DA7BD46AA143A

SHA1: 9A5C20D2CED2D0E93276424A26602BAA31B33A13

SHA-256: 9B0EB048787AD108D23A0B1818B891112F165FD535CD7A354554276960B07DC7

SHA-512: 5B8CB0955E33B9739A826B53658C57471B8721A794ED1652173070127E3825A45CBEE913E41B6BF12CB47CC95646EDD88CAC2F1E4C1BC87733437F41816FFAB8

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["69HNu"]); }..__d("ResetScrollOnUnload",["Run"],(function(a,b,c,d,e,f){a={disableScrollRestoration:function(){b("Run").onUnload(function(){window.history.scrollRestoration="manual"})},init:function(a){b("Run").onUnload(function(){window.history.scrollRestoration="manual",a.style.opacity="0",window.scrollTo(0,0)})}};e.exports=a}),null);.__d("NavigationMenubarInteractionsTypedLogger",["Banzai","GeneratedLoggerUtils","nullthrows"],(function(a,b,c,d,e,f){"use strict";__p&&__p();a=function(){__p&&__p();function a(){this.$1={}}var c=a.prototype;c.log=function(){b("GeneratedLoggerUtils").log("logger:NavigationMenubarInteractionsLoggerConfig",this.$1,b("Banzai").BASIC)};c.logVital=function(){b("GeneratedLoggerUtils").log("logger:NavigationMenubarInteractionsLoggerConfig",this.$1,b("Banzai").VITAL)};c.logImmediately=function(){b("GeneratedLoggerUtils").log("logger:NavigationMenubarInteractionsLoggerConfig",this.$1,{signal:!0})};c.clear=function(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\TOPRBCQQ.htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: UTF-8 Unicode text, with very long lines

Size (bytes): 112072

Entropy (8bit): 5.715775486275064

Encrypted: false

MD5: C738E2F9F11311D6FFC3EB7E602E66F1

SHA1: 0720831643AD3456871F97069CD8850EF53B0BC2

SHA-256: C44EA02B5900E5D213CE5C30AE40B3D404BC9940CA35665BE2A57D87E6BDD55E

SHA-512: 9D221BE8D0FFE26D4F43372BA28C82C820D9C0D6BCB52AA8E3402FF284035C0D963843B5D3A72FEB7AFDBA0F37291D7EE582BA94CB06DCFE3C8A34D09462413C

Malicious: false

Reputation: low

Preview:artillery_navigation_timing_level_2":false,"artillery_profiler_on":false,"artillery_merge_max_distance_sec":1,"artillery_merge_max_duration_sec":1,"user_timing":false},1237],["EventConfig",[],{"sampling":{"bandwidth":0,"play":0,"playing":0,"progress":0,"pause":0,"ended":0,"seeked":0,"seeking":0,"waiting":0,"loadedmetadata":0,"canplay":0,"selectionchange":0,"change":0,"timeupdate":2000000,"adaptation":0,"focus":0,"blur":0,"load":0,"error":0,"message":0,"abort":0,"storage":0,"scroll":200000,"mousemove":20000,"mouseover":10000,"mouseout":10000,"mousewheel":1,"MSPointerMove":10000,"keydown":0.1,"click":0.02,"mouseup":0.02,"__100ms":0.001,"__default":5000,"__min":100,"__interactionDefault":200,"__eventDefault":100000},"page_sampling_boost":1,"interaction_regexes":{"BlueBarAccountChevronMenu":" _5lxs(?: .*)?$","BlueBarHomeButton":" _bluebarLinkHome__interaction-root(?: .*)?$","BlueBarProfileLink":" _1k67(?: .*)?$","ReactComposerSproutMedia":" _1pnt(?: .*)?$","ReactComposerSproutAlbum":" _1pn

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\W26AGHB0.gif

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: GIF image data, version 89a, 1 x 1

Size (bytes): 42

Entropy (8bit): 3.0241026136709444

Encrypted: false

MD5: B4682377DDFBE4E7DABFDDB2E543E842

SHA1: 328E472721A93345801ED5533240EAC2D1F8498C

SHA-256: 6D8BA81D1B60A18707722A1F2B62DAD48A6ACCED95A1933F49A68B5016620B93

SHA-512: 202612457D9042FE853DAAB3DDCC1F0F960C5FFDBE8462FA435713E4D1D85FF0C3F197DAF8DBA15BDA9F5266D7E1F9ECAEEE045CBC156A4892D2F931FE6FA1BB

Malicious: false

Reputation: low

Preview:GIF89a.............!.......,...........2.;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\a0_D8GQCNT9[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 6288

Entropy (8bit): 5.311246685620681

Encrypted: false

MD5: 46A5FC5D734BE71841D41414D89B62DC

SHA1: 6B58CE4148A2C3A4C07F05DC3F3343CFB8516D90

SHA-256: 182D51634A832C01172213F0CD1E9602E65855234061C4B596FF83613CC790EB

SHA-512: 7A63642486AA1DDE325F0EFA0ECE4111C400BE01E5D5BC0B98EC02831DEC910B3899BCA4CC931E163BC99964F6205317EF84692EA9D31EC1F7D036F094805904

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["oGIPB"]); }..__d("DUPLeftNavSublist.react",["cx","Animation","CSS","Ease","React","ReactDOM","Style"],(function(a,b,c,d,e,f,g){__p&&__p();a=b("React").PropTypes;var h=160,i=35,j=b("Ease").makeElasticOut(1,1.6);c=function(a){"use strict";__p&&__p();babelHelpers.inheritsLoose(c,a);function c(){return a.apply(this,arguments)||this}var d=c.prototype;d.UNSAFE_componentWillReceiveProps=function(a){b("React").Children.count(a.children)>0&&(a.expanded&&!this.props.expanded?new(b("Animation"))(b("ReactDOM").findDOMNode(this)).from("height",0).to("height","auto").ease(j).show().duration(h+i*a.children.length).go():!a.expanded&&this.props.expanded&&b("Style").set(b("ReactDOM").findDOMNode(this),"height",0))};d.componentDidMount=function(){b("CSS").hide(b("ReactDOM").findDOMNode(this))};d.render=function(){return b("React").jsx("div",{className:"_b_3",id:this.props.id,children:this.props.children})};return c}(b("React").Component);c.propTypes={exp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\anchor[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, ASCII text, with very long lines

Size (bytes): 12168

Entropy (8bit): 5.929696677715641

Encrypted: false

MD5: 6900011AC0D171928D37CEDB2A5C1E6B

SHA1: D26759B1F2A800B5F67DC443CD22C8B5383B8ED6

SHA-256: 7EF4A3895E09D252CE39D5E3665A00EC7A8B68C65A2D47AD8EC067698B5FB09F

SHA-512: 91540EEAA5A226096B6FF601325231D5D2268E974B16AE0307C5C10F8E36DADA92DBBB307C00DEB9064AD038F19FABB9C99AC69492262BD4FA03256932AE9129

Malicious: false

Reputation: low

Preview:<!DOCTYPE HTML><html dir="ltr" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="X-UA-Compatible" content="IE=edge">.<style type="text/css">.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. src: local('Roboto Regular'), local('Roboto-Regular'), url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxP.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 500;. src: local('Roboto Medium'), local('Roboto-Medium'), url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc9.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 900;. src: local('Roboto Black'), local('Roboto-Black'), url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBBc9.ttf) format('truetype');.}..</style>.<link rel="stylesheet" type="text/css" href="https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwoMVGTXoHoM/styles__ltr.css"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\api[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 729

Entropy (8bit): 5.307100676703662

Encrypted: false

MD5: 8E559D3F7B47CE093BFF7944209EE7FF

SHA1: 9579F3461B3BC631EED79E5CF6D7C9DDBDDA0F12

SHA-256: 3211CD82CE26FEC042B2543617D3138A366D470FA74ED56788C3B0956C9F9FFB

SHA-512: 832F28065A2BEE6AF74970D238D6A7569050C903D4B7BC718777E9E26AC1F0431F1D7051F154781CA0A5DA7F77163DB565C5E8C0DD6FF3709CAE649BC26E007A

Malicious: false

Reputation: low

Preview:/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};(cfg['enterprise']=cfg['enterprise']||[]).push(false);(cfg['render']=cfg['render']||[]).push('onload');w['__google_recaptcha_client']=true;var d=document,po=d.createElement('script');po.type='text/javascript';po.async=true;po.src='https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwoMVGTXoHoM/recaptcha__en.js';var e=d.querySelector('script[nonce]'),n=e&&(e['nonce']||e.getAttribute('nonce'));if(n){po.setAttribute('nonce',n);}var s=d.getElementsByTagName('script')[0];s.parentNode.insertBefore(po, s); })();

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\background_gradient[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3

Size (bytes): 453

Entropy (8bit): 5.019973044227213

Encrypted: false

MD5: 20F0110ED5E4E0D5384A496E4880139B

SHA1: 51F5FC61D8BF19100DF0F8AADAA57FCD9C086255

SHA-256: 1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B

SHA-512: 5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A

Malicious: false

Reputation: low

Preview:......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... [email protected].%...m..D.25...T...F.........p......A..........BP..qD.([email protected]?..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\bframe[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, ASCII text, with very long lines

Size (bytes): 20249

Entropy (8bit): 5.613044805453472

Encrypted: false

MD5: 449DABCD4D86C99B441FFACB4D03D827

SHA1: 62A13AC058C56C65C6FCE4D1DF189E56A9B9B6BB

SHA-256: 5949F1F93EDE5C10992CC024D6FDEFC7C7D5E0E6E1B72965E2A3051D6737D854

SHA-512: 1303D49A9D86A350FA8053AC0E1EF76E6A54829B49C1E2AF290E7CAA7F8F272969C0A72A7731DDDC4BECB19DCC66C9BFC5800C3E1EB73896862DF5E20AC3B5F1

Malicious: false

Reputation: low

Preview:<!DOCTYPE HTML><html dir="ltr" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="X-UA-Compatible" content="IE=edge">..<title>reCAPTCHA</title>.<style type="text/css">.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. src: local('Roboto Regular'), local('Roboto-Regular'), url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxP.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 500;. src: local('Roboto Medium'), local('Roboto-Medium'), url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc9.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 900;. src: local('Roboto Black'), local('Roboto-Black'), url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBBc9.ttf) format('truetype');.}..</style>.<link rel="stylesheet" type="text/css" href="https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\errorPageStrings[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators

Size (bytes): 18880

Entropy (8bit): 5.164796203267696

Encrypted: false

MD5: 336CC54EB5B8B017FF58FE451B00E9E9

SHA1: C011825AEBDDC219E740FEDC09ED3B5607BAF2D0

SHA-256: 3C1C6295B4F22D9B2E6BED404914BD6AA83C3E8FF33011D13C3F72BD4B1DF7B6

SHA-512: D1E60FC2DBBD4ECFC77960FFAF5BF6A5107390C2CB6A4F8F7E8D9A8149D0B2CFF2047AAD9848622B146B2798B3B76C245836C012C8F5656741CCF3FD530830BB

Malicious: false

Reputation: low

Preview:.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\facebook[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, ASCII text, with very long lines, with no line terminators

Size (bytes): 1041

Entropy (8bit): 5.383783156664559

Encrypted: false

MD5: 15E02851AAD36F8C987B1F8D48CDD70E

SHA1: D8276458C6B3E6C5C1D327EA4A9E0F38D79864F7

SHA-256: EA53B12A1CD7B4AA814E3FD5FF3D978564AE68A12AE922843CDC4CFBB2B8902B

SHA-512: 59A20ABC7F15149472F3FCFF8E6B5C2DC328237223443BD73E8B4D85B154000A639610E34119F118DCFC15B1A049955E0AA0489BDC1E131221C936DE1137FB7F

Malicious: false

Reputation: low

Preview:<html><head><title>Redirecting...</title><script type="text/javascript">/*<![CDATA[*/(function(){function si_cj(m){setTimeout(function(){new Image().src="https:\/\/error.facebook.com\/common\/scribe_endpoint.php?c=si_clickjacking&t=1532"+"&m="+m;},5000);}if(top!=self){try{if(parent!=top){throw 1;}var si_cj_d=["apps.facebook.com","apps.beta.facebook.com"];var href=top.location.href.toLowerCase();for(var i=0;i<si_cj_d.length;i++){if (href.indexOf(si_cj_d[i])>=0){throw 1;}}si_cj("3 ");}catch(e){si_cj("1 \t");window.document.write("\u003Cstyle>body * {display:none !important;}\u003C\/style>\u003Ca href=\"#\" onclick=\"top.location.href=window.location.href\" style=\"display:block !important;padding:10px\">Go to Facebook.com\u003C\/a>");/*LONLYbJP*/}}}())/* */</script><script>window.location.replace("https:\/\/agent.joinf.cn\/login\/identify\/?ctx=recover&ars=royal_blue_bar");</script><meta http-equiv="refresh" content="0;url=https://www.facebook.com/login/identify/?ctx=recover&amp;ars=ro

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\forbidframing[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Size (bytes): 5764

Entropy (8bit): 4.101264567053427

Encrypted: false

MD5: 9E572A1EA30034178D90F727A7E6FF07

SHA1: 898D9C224D9AC4D481BCEFE00AED7C1CC6EEDBFF

SHA-256: 266E62F256CC201FBF00A7FCCFB00541C4B80A15E7BE497BA6C0C3408378CF90

SHA-512: 76787486E5EC337B6D86F9F0B6BE6F032D78F75DDF822FF5DE0654D01310C821BA46BA32A11E347E424C2055B8EFAA04E3CFDEBF0B874DE97B8E856797A2034E

Malicious: false

Reputation: low

Preview:.<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="LTR">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css" >.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>Framing Forbidden</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onload="initUnframeContent();">.... <table width="450" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="red_x.png" id="infoIcon" alt="Info icon">.. </td>.. <td id="unableDisplayAlign" valign="middle" align=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\hsts-pixel[1].gif

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: GIF image data, version 89a, 1 x 1

Size (bytes): 129

Entropy (8bit): 2.7374910194847146

Encrypted: false

MD5: DE658DFAC8CD9A064973E5F2B15CC2BB

SHA1: BBADA5C0D3C5419AE0E2151762581DE7DC584217

SHA-256: 06D9D619915BC999F01FBD1B283A9DB8F1BC5CE9B216FF335CC1B349EB239517

SHA-512: 89E05A260B8A382E0B7713805DE8EFD057C1CCE52A845F5DFD89DCFD4CE3A30DA6141E6B4B733234BCB54371B2300BA8993AE21DD1C83CF0F6340866FC88CBA6

Malicious: false

Reputation: low

Preview:GIF89a.............!.......,...........D..;GIF89a.............!.......,...........D..;GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\hsts-pixel[2].gif

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: GIF image data, version 89a, 1 x 1

Size (bytes): 43

Entropy (8bit): 2.7374910194847146

Encrypted: false

MD5: DF3E567D6F16D040326C7A0EA29A4F41

SHA1: EA7DF583983133B62712B5E73BFFBCD45CC53736

SHA-256: 548F2D6F4D0D820C6C5FFBEFFCBD7F0E73193E2932EEFE542ACCC84762DEEC87

SHA-512: B2CA25A3311DC42942E046EB1A27038B71D689925B7D6B3EBB4D7CD2C7B9A0C7DE3D10175790AC060DC3F8ACF3C1708C336626BE06879097F4D0ECAA7F567041

Malicious: false

Reputation: low

Preview:GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\httpErrorPagesScripts[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators

Size (bytes): 48420

Entropy (8bit): 5.451485481468043

Encrypted: false

MD5: D7963BFBD51BED910372E9D252C30CA2

SHA1: 6AB5A3E9B78874E7600B3D9DB1035DF60E333860

SHA-256: 182B0112F6FADB33E7E77D31CA0685D690ED03875108591E391AFCC56E70D799

SHA-512: 301BB249FF524CD914B91F7611B479635AB1F947A170E9F713FD457EFFA0EF3919EF8D4E21F6458A065453BDD9585700ABE98242ABBC7A5F9A8A6E82FF90D51D

Malicious: false

Reputation: low

Preview:...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\iRmz9lCMBD2[1].ico

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel

Size (bytes): 5430

Entropy (8bit): 2.469721072067586

Encrypted: false

MD5: D2850D31B1CDEC91CB6ED249D992F740

SHA1: 4890F422BC6D645479F1689DD7DB859D69AFFBFA

SHA-256: 4A464D3F412ADDA640EF04B79E9E70B8AA446BDFFFFA0E8554FB91A13F97010D

SHA-512: F5EB7B89681F999B3E29894D144D6A288071ED059A95B1B7ECED9F38BE436486757919CD6E8D68B6ABC982A1A22C0859F959FF044FF7C55415D26D4031043DF3

Malicious: false

Reputation: low

Preview:............ .h...&... .... .........(....... ..... ..........................hB..gB..gB..gB..gB..gB..gB..gB..gB..........gB..gB..gB..gB..hB..gB..gB..gB..gB..gB..gB..gB..gB..gB..........gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..........gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..........gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..........gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..........gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..........................p..gB..gB..gB..gB..gB..gB..gB..gB..gB.............................gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..........gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..........gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB.............hC..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB....................gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..pN................gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..gB..g

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\iframe[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, ASCII text, with very long lines

Size (bytes): 25716

Entropy (8bit): 5.5950326113206925

Encrypted: false

MD5: 23E9D96D893B6FAF8B126007CACB440D

SHA1: 1CA5247A9A69264DE24ED0EFB7CBB2167F53B28A

SHA-256: 5898FF559AC13E27FFDECF17F721C89F65C86DF239CB9686E3760E905D4811C0

SHA-512: 9C004BFD90B729D4C27E4E8466DA2614E411BF5AEAA789A9A9EF70E6B4083388820E05C10D13510D44074F2206352DC0CBCE64558812B6B35E9850AE95877183

Malicious: false

Reputation: low

Preview:<!DOCTYPE html><html class=""><head><meta charset="utf-8" /><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"defer_cookies":true});</script><title>Facebook</title><script src="https://www.google.com/recaptcha/api.js"></script><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yo/l/0,cross/53WuK3r6-Bj.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="/6wss" />.<link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yI/l/0,cross/yLg62FiDjTD.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="KebV6" />.<link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/MNdyihBa-5e.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="cvPzX" />.<script src="https://static.xx.fbcdn.net/rsrc.php/v3/yj/r/ByFjTuPCeTM.js?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="q66WY"></script>.<script>require("TimeSliceI

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\invalidcert[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Size (bytes): 2747

Entropy (8bit): 4.6225918717514975

Encrypted: false

MD5: B57B31E5FF628B5C319C902C1388164D

SHA1: 33E30D7CC1BC64D8C966B65F8701A3473CBF9A40

SHA-256: 5F6258FE7C308635635E500903D767572372A0AEA4947C1A4BD61B4687F14036

SHA-512: 077B400E107BD83A18AE46416658AD36561B2FEB87D967A957D8E67DDCB34AF83D198C5C1C422EC80803CC8B3DD70A788DD983F275B78B937FF3ECF89919C378

Malicious: false

Reputation: low

Preview:.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="newErrorPageTemplate.css">.. <meta http-equiv="x-ua-compatible" content="IE=edge">.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>This site isn&rsquo;t secure</title>.... <script src="invalidcert.js" language="javascript" type="text/javascript">.. </script>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.. <body onLoad="BodyLoad(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="invalidcert_mainTitle" class="title" style="color: #a90000;">This site is not secure</div>.. <div id="invalidcert_subError" class="BodyTextBlockStyle">.. This might mean that someon

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\red_x[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced

Size (bytes): 5139

Entropy (8bit): 7.927219122489655

Encrypted: false

MD5: 5A37A6D25E0B9CB542C80097210E49AB

SHA1: B07F05BB9E942E898E64934DD23706902D562B35

SHA-256: E161E38AFD5F01A372D22A205D0824A6A95FAD33F214149D17F62291F741AB6C

SHA-512: A6E594409F191A1E0B6F4F208616687214C6BE5D9C70959344C1F63B2FFBA28371274E90F953385393B7EBA52B7B4467ED87025CC3F769BA6F2B97BC30BFA7B3

Malicious: false

Reputation: low

Preview:.PNG........IHDR...0...0.....W.......IDATx^.Y.tTe....RK......D..6.......(.*G..d;c..8.`........3.....2"[email protected]{.en..?.N<8.8...%.{......+....^.j<...$..('.......F..'.....7...7._A:.......6...0X^^.V2jTV^^......+L<.w...Q]]]...G....}kk......N..V........4.......3gfO.<.P..Xw7.g."x.4.jk...G..........UQ...1p.8%/.:`.9r......kok...x..........I~:.o.Y\.....V..4....o.....P.f..m..T.....c."-;...6t...O=...c...h.M.,((.w..._q..'..G..._.....7.>u..h{......8z.i..H.6.zO...].}.0.!X..L].....=`.0M..3.D.Q._s.*(.U\lVWW7n.=..D....r..$....,]Z........UUp....4D...z{;.....7T..Z0M.2.q....t)..a.....{....g?./..o...s..)b... .U...../Y2...._z....G.B.....B..$i..L..#..,..+ s...A.bX.`@7.)"@.'M.G.EzQ..u....kj..>"l.#?a.E./..b..7m.UWB!.?..........$*..I..0. m).8'..P..h..k@...]..C..{.*[email protected]/^<..Q.~=..N....;..D4ZD%i...B....0O.f.....ua1a5(.........~..>. .#.i.&.|.(....H~.'...pE..Ekx.Yd^r.b'O"~..RHDe..P...n... ....%lA.....a.b..F.i.X..a.....i,....f.q...7=.`[..l.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\red_x[2]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced

Size (bytes): 5139

Entropy (8bit): 7.927219122489655

Encrypted: false

MD5: 5A37A6D25E0B9CB542C80097210E49AB

SHA1: B07F05BB9E942E898E64934DD23706902D562B35

SHA-256: E161E38AFD5F01A372D22A205D0824A6A95FAD33F214149D17F62291F741AB6C

SHA-512: A6E594409F191A1E0B6F4F208616687214C6BE5D9C70959344C1F63B2FFBA28371274E90F953385393B7EBA52B7B4467ED87025CC3F769BA6F2B97BC30BFA7B3

Malicious: false

Reputation: low

Preview:.PNG........IHDR...0...0.....W.......IDATx^.Y.tTe....RK......D..6.......(.*G..d;c..8.`........3.....2"[email protected]{.en..?.N<8.8...%.{......+....^.j<...$..('.......F..'.....7...7._A:.......6...0X^^.V2jTV^^......+L<.w...Q]]]...G....}kk......N..V........4.......3gfO.<.P..Xw7.g."x.4.jk...G..........UQ...1p.8%/.:`.9r......kok...x..........I~:.o.Y\.....V..4....o.....P.f..m..T.....c."-;...6t...O=...c...h.M.,((.w..._q..'..G..._.....7.>u..h{......8z.i..H.6.zO...].}.0.!X..L].....=`.0M..3.D.Q._s.*(.U\lVWW7n.=..D....r..$....,]Z........UUp....4D...z{;.....7T..Z0M.2.q....t)..a.....{....g?./..o...s..)b... .U...../Y2...._z....G.B.....B..$i..L..#..,..+ s...A.bX.`@7.)"@.'M.G.EzQ..u....kj..>"l.#?a.E./..b..7m.UWB!.?..........$*..I..0. m).8'..P..h..k@...]..C..{.*[email protected]/^<..Q.~=..N....;..D4ZD%i...B....0O.f.....ua1a5(.........~..>. .#.i.&.|.(....H~.'...pE..Ekx.Yd^r.b'O"~..RHDe..P...n... ....%lA.....a.b..F.i.X..a.....i,....f.q...7=.`[..l.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\referer_frame[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, ASCII text, with no line terminators

Size (bytes): 156

Entropy (8bit): 4.792098860976927

Encrypted: false

MD5: F05C9FA3A77F12F7CCDFD74DC99F7DF3

SHA1: 771AB81725E4D7AFC28A3C209CE8AEB9ECB70DF6

SHA-256: 54A3283B7C16D7876F3EA151F5AAEF808007B0C7FCC31C67A9C25E016754B1F3

SHA-512: 8F5E2A2CF2ED03662144ABD459E805DFC4986B16ACB547FE04964A1874D91ABBF2EFB01CEB520FF4A0B6B04746AAB2C29B533622D02CA05C03C8B9D4A422D246

Malicious: false

Reputation: low

Preview:<!DOCTYPE html><html><script>document.domain = 'facebook.com';</script></html><!DOCTYPE html><html><script>document.domain = 'facebook.com';</script></html>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\shieldcheck[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: MS Windows icon resource - 4 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel

Size (bytes): 18290

Entropy (8bit): 5.251158595044684

Encrypted: false

MD5: B79F47673FAC7FFB2A3685461F9C9236

SHA1: D1D86CE3067725920A326AC07B080748D0CA2BDD

SHA-256: 207917F7072627786A13EF0B4641F7522D1BEFA4032A144638675D7BF29E6759

SHA-512: 9C0CD4D87D1B3B90645BC1729E9A3EF8023D43923EFC40C608986B4B114CE38D1ADA74C1902F50A22D083A26C84955AA9F9AE4BE0D922F00363F3F78145D156E

Malicious: false

Reputation: low

Preview:......00.... ..%..F... .... ......%........ ......6........ .h....@..(...0...`..... ................................................................................................................................................................................................................................................................................................................'...+...,...,...)...!...............................................................................................................................................................&OOO.XXX.\\\.[[[.[[[.WWW.LLL....c...0...&................................................................................................................................................YYY.nnn.............................XXX.TTT. S...-....................................................................................................................................;;;4ddd...........................................XXX.@@@...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\static[1].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: assembler source, ASCII text, with very long lines

Size (bytes): 277366

Entropy (8bit): 5.3731456845152605

Encrypted: false

MD5: A3AD6D7DAD77F233DBB890AE6A11F11D

SHA1: 68625D41BAD635E72FFB6DD9051634BCFD395B91

SHA-256: DE5197B7F0451B152B20D977EA610452FF3CC65B777A30764C985855F5A299C7

SHA-512: 671CF33E97044AEFA4C5D9A9C06DDB3D509AB3CA1F005C62C0A48D611DCDB496C34ED943335C67950A0F9DD0B73855E0270ED7BE84B2CD4132A5E4C1D6716648

Malicious: false

Reputation: low

Preview:._3_s0._3_s0{border:0;display:flex;height:44px;min-width:600px;position:relative;text-align:left;top:0;transition:top .3s, height .3s;z-index:301}.hideBanner ._3_s0,.fixedBody ._3_s0{display:none}._3_s0._1tof{position:absolute;width:100%;z-index:400}._3_s0._1toe{height:0;overflow:hidden}._3_s0 ._608m{align-self:flex-end;margin:0 auto;max-width:981px;min-width:100px;padding:0 12px;width:100%}.sidebarMode ._3_s0 ._608m{padding-right:214px}._3_s0 ._tb6{align-items:center;height:44px}._3_s0 ._608n{display:flex}._3_s0 ._3bcp{overflow:visible}._3bcs{flex:1 0 0px}._3bct{position:relative}._3bct::before{content:'';display:block;height:18px;left:-1px;position:absolute;top:4px;width:1px}._3_s0 ._3bcv{font:Helvetica, Arial, sans-serif;font-size:12px;font-weight:bold;line-height:24px}._3_s0 ._3bcy{line-height:24px}._3_s0 ._3bcz{border-radius:4px;padding:1px 4px}._1toc._1toc{border-radius:2px;box-shadow:0 0 0 2px #3578E5, 0 0 0 4px #91b4fd;overflow:hidden}._2yq ._3_s0 ._608m,._2xk0 ._3_s0 ._608m{ma

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\static[1].png

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: PNG image data, 674 x 411, 8-bit/color RGBA, non-interlaced

Size (bytes): 128434

Entropy (8bit): 7.994608835983053

Encrypted: true

MD5: 32CE7AECC990F6246618E226D36EFCF7

SHA1: C46700C2DF59E9E2BAEBF2A7C602ED7D65004901

SHA-256: 7A435FCD8D870876DA6F6AF66CEC6FE1EC4B300B3F7F381B1784D9E2F6EA2001

SHA-512: 3138D59AEB59C1E1B2818A09A31BDEA01C045016FA9E489BAEB2314E0AFE753BFB97B87F3C054522642ABB3F9FEFF43362BE72897B4B099FBBF973F901CB128B

Malicious: false

Reputation: low

Preview:.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<....IDATx....$.Y.....&..9hw..Y.$[.lcl0..\l.`...0.....p...&=26......GY.%[Z.Z..v..<.fvr.....=.....=.vv...Z.]U]u.Tu....'..H$..D".Xb.Q'........D".H$.....D.qE....D"]M.E.D".H$..D J".H$..D".%.H$..D"..DI$..D".H..$..D".H$..(.D".H$......H$..D"......$..D".H$.Q..D".H$..(.D".H$..D J".H$..D".%.H$...bQ.0.D J".H.$$..T.z.q.b..'.%.H$..D....>.Q..D".H.W.o.].}..FS.DI$..D"U.El......D J".H$.5.j..-...+..q:.$.Q.~.$.H..z}d....6.zH$..k...b@"..A.D".....Q..D.......#.H..q}a..$.i./N.:[email protected]"X$.H$......DIt.Y.u..|...$.]wh..\ .%.V....ol...p.t.!.H.}[email protected]./t.%......f.A.Q.N.........+...&H#...6..D".6..V...Wx.Z..'ta%..O.[........i.&.Ht]].m8..W..D.....+.. u-C.].I$.F|.]....(......V.s..-..D.k....(..([email protected]_.V.b.Z.N...H.k...D"...El...S..H$..D"...Z.+h.`.D".o.D".....s....-I;.....A..D..S. ...L".H$..D.. [email protected]".".H..$..D".#.H..t.^j.t# .Ht}$.H....E...$.i#.....O".H..D../.t.$.H.@I".H.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\static[2].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 100957

Entropy (8bit): 5.418460840621537

Encrypted: false

MD5: 65EE94CD9934138D80C7EC5D74BB0636

SHA1: C7E7210E31174D7E814956DE59C25E04366B3CE1

SHA-256: 4D2400795C0F731C5C71EC4948B9DC729F6C403C643D3C5A68429B65CEC599A8

SHA-512: C5704A8DBA2AA3F4F1B356FF8F6E0811512EE5A09BC9735DEDEF8ED9F2DA160D9135AD58455B1FB5374BBD03C47270697738B06DBEC218DF6110DE2DF35DF990

Malicious: false

Reputation: low

Preview:4-hy ._3ixn{background-color:rgba(0, 0, 0, .4)}.._10{height:0;left:0;position:fixed;right:0;top:0;z-index:202}.platform_dialog ._10{position:absolute}._1yv{box-shadow:0 2px 26px rgba(0, 0, 0, .3), 0 0 0 1px rgba(0, 0, 0, .1);margin:0 auto 40px;position:relative}._t{background-color:#fff;position:relative}._1yw{background-color:#6d84b4;border:1px solid #365899;border-bottom:0;color:#fff;font-size:14px;font-weight:bold}._13,._14{border-color:#555;border-style:solid;border-width:0 1px}._13:first-child{border-top-width:1px}._13:last-child{border-bottom-width:1px}._14{border-bottom-width:1px}..uiLayer{outline:none}.._57-x{padding:36px 0;text-align:center}.._53ip ._53iv{padding:15px}._53ip ._53ij{border:1px solid #8c8c8c;border:1px solid rgba(0, 0, 0, .45);border-bottom:1px solid #666;box-shadow:0 3px 8px rgba(0, 0, 0, .3)}._53ip ._572u{padding:6px 7px 6px 8px}._53ip ._5v-0{padding-bottom:10px}._53ip ._53il{padding-top:10px}._53ip ._53im{padding-right:10px}._53ip ._53ik{padding-bottom:10px}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\static[3].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 22189

Entropy (8bit): 5.377945656405696

Encrypted: false

MD5: F2EEE3233F2244AE328D22A9D2DB11CC

SHA1: 3D5D55A790771E29F4D6962DFE6CD75DA26EBB70

SHA-256: 7951CF164D48C096E23398E6E55603AEB8371FBA4E2FD76F5C1F94FD834A4323

SHA-512: 3545F32AC8AFC0DB6CD7F0BF46C901358E29FED96D01E656D4706C3C64A8BED6AB1E9A7348567275691D0987AD3A1921974BBE34C7A942A4E5747791A7B5CBD0

Malicious: false

Reputation: low

Preview:n:0 -61px;float:left;height:17px;margin-top:5px;width:12px}#captcha_response{padding:3px}.._5633{font-size:13px;max-width:300px;padding:13px}._2zot{max-width:300px;padding:16px}._2zou{color:#1d2129;font-size:14px;font-weight:bold;line-height:17px;margin-bottom:12px}._2zow{color:#5b5c5e;font-size:13px}._2acm{margin-bottom:-10px}._2acn{font-size:12px;line-height:14px;padding-top:6px}._2acn ._2aco{color:#1c1e21;font-size:12px;line-height:14px}._2acn ._2acp{color:#fa3e3e}._2acn ._2acq{color:#42b72a}._2acn ._2act{color:#616770;font-size:12px;line-height:14px;min-height:30px;padding-top:2px}._2acn._1pd1{background:none;color:#fa3e3e}._1pd0{color:red;font-size:14px;font-weight:bold;line-height:17px;max-width:400px;padding:6px 6px 6px 0}._1pd0 a{color:red;text-decoration:underline}._1ixn ._1pd0{margin-top:-10px}._1ixn ._1pc_{display:none;margin-top:-10px}._1ixn._5634 ._1pc_{display:block}._1pc- ._1iy_ ._5633{display:none}._5633._5634{color:#fff}._1pc_ ._5633._5634{background:none;color:red;fon

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\static[4].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 91617

Entropy (8bit): 5.468755545840658

Encrypted: false

MD5: 7E8C5B4484AFCFEF475A99EA9B8C7375

SHA1: 7AA3C6343DAA99A9030FB917BD2B368A959575BB

SHA-256: 06F46617CAE3AC135BC2183D66ED2DA83A41729C1360E429665005FE97639EF8

SHA-512: 50ECD4CAAE24FF50E443307D4B261B686C4BB9ABBE55301E36C7493BFC0955287DE911BDF24711C8471A8E9940B893145AE64B8D8DC5E94980E61BF0F1DD5BFD

Malicious: false

Reputation: low

Preview:(/rsrc.php/v3/y_/r/Ll6wlsOT5Z4.png);background-repeat:no-repeat;background-size:auto;background-position:0 -42px}._50-1._50z-:active,._50-1._42fs{background-image:url(/rsrc.php/v3/y_/r/Ll6wlsOT5Z4.png);background-repeat:no-repeat;background-size:auto;background-position:0 -42px}._50-1._50z_{background-image:url(/rsrc.php/v3/y_/r/Ll6wlsOT5Z4.png);background-repeat:no-repeat;background-size:auto;background-position:0 -21px}._50-1._50z_:hover{background-image:url(/rsrc.php/v3/y_/r/Ll6wlsOT5Z4.png);background-repeat:no-repeat;background-size:auto;background-position:0 -63px}._8k_v._50zy._50-1{background-image:url(/rsrc.php/v3/yh/r/ekiMN2iZ1gH.png);background-position:unset;background-size:24px 24px;height:24px;width:24px}.._5upp{background-color:transparent;border:0 none;cursor:pointer;font-size:0 !important;overflow:hidden;padding:0;vertical-align:middle}.highContrast ._5upp{font-size:11px !important;height:auto;width:auto}.._50f3{font-size:12px;line-height:16px}._50f4{font-size:14px;line

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\static[5].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 1203

Entropy (8bit): 4.7154524487898835

Encrypted: false

MD5: 71544915E02101F099D6A5832AF826ED

SHA1: E673CDA57EF224171DCD45EC1F4F73EEE0DF2BD7

SHA-256: 6DD597854BA9D25EED437789ED122AE165F9FA014410EDB86B4D28085CE98FE5

SHA-512: 3A1C34CD9EB4341A0F5EF3F6E74B98D5C8E5AED756EAA02824592352AC4D1375F50A1EE6ECDF8085D072B06759F8DD3ED0D5A0129FA2AA8B7575252BDA63D272

Malicious: false

Reputation: low

Preview::#365899;border-color:#29487d}.uiButtonConfirm:active,.uiButtonConfirm.uiButtonDepressed{background-color:#29487d;border-color:#29487d}form.async_saving .uiButton.uiButtonConfirm,.uiButtonConfirm.uiButtonDisabled,.uiButtonConfirm.uiButtonDisabled:active,.uiButtonConfirm.uiButtonDisabled:focus,.uiButtonConfirm.uiButtonDisabled:hover{background-color:#9cb4d8;border-color:#9cb4d8}form.async_saving .uiButton.uiButtonSpecial .uiButtonText,form.async_saving .uiButton.uiButtonSpecial input,form.async_saving .uiButton.uiButtonConfirm .uiButtonText,form.async_saving .uiButton.uiButtonConfirm input,.uiButtonSpecial .uiButtonText,.uiButtonSpecial input,.uiButtonSpecial.uiButtonDisabled .uiButtonText,.uiButtonSpecial.uiButtonDisabled input,.uiButtonConfirm .uiButtonText,.uiButtonConfirm input,.uiButtonConfirm.uiButtonDisabled .uiButtonText,.uiButtonConfirm.uiButtonDisabled input{color:#fff}form.async_saving .uiButton,.uiButtonDisabled,.uiButtonDisabled:active,.uiButtonDisabled:focus,.uiButtonDisab

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\static[6].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 3946

Entropy (8bit): 5.2775628282150056

Encrypted: false

MD5: 45583C4239A75D4D92921F177E7098FF

SHA1: BF8E7D7903020A681CEA20E2C81748F4183A093E

SHA-256: 16C5243D7F35C074CA2AEBA1E0FD3844CB72E2081854DA675F8C642C92072D11

SHA-512: 456F93F8A497F81434BAA16271BF2364A5B287FE8E4A14E6A16A72CF5ED79CCA4A3A74C42747D253051152950C34B9C7856C9F74A4E2B0860B9C7B2772B0A1A8

Malicious: false

Reputation: low

Preview:.fbForBusinessWrapper{margin:0 auto;width:980px}.fbForBusinessContent{border-bottom:1px solid #f2f2f2;position:relative}.fbForBusinessNoBorder{border-bottom:none}.fbForBusinessRightCol img{background-color:#ccc;border:5px solid #fafafa;float:right;padding:1px}.fbBusinessHomeVideo{background-color:#fff;border:1px solid #ccc}.fbForBusinessContent img,.fbForBusinessFloatedLeft{display:block;float:left}.fbForBusinessPageHeader{margin-top:40px}.fbForBusinessHomePageHeaderText{margin-top:50px}.fbMarketingMenu{list-style:none;margin:0 0 20px 0;padding:0}.fbMarketingMenu a{border-top:1px solid #e5e5e5;display:block;font-size:13px}.fbForBusinessMenuLast a{border-bottom:1px solid #e5e5e5}.fbMarketingMenu a.currentPage,.fbMarketingMenu a:hover{background:#F5F6F7 url(/rsrc.php/v3/yE/r/JQgQHls27pw.png) no-repeat center right;text-decoration:none}.fbForBusinessHelpfulLinks ul{list-style:none;margin-left:0;padding-left:0}.fbForBusinessHelpfulLinks ul li{font-size:11px;line-height:1.5}.fbForBusinessHe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\update[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, UTF-8 Unicode text, with very long lines

Size (bytes): 150236

Entropy (8bit): 5.6790833518844455

Encrypted: false

MD5: BB68326AB949321C0D2CAED37CABDB82

SHA1: 59A93D359C6C2D55EEE8ED3D725713093DDB39D5

SHA-256: C26613C33BE6F0EB9E4DBB6D7CE2476EF5404192A766ED16201C7FEEE4C02099

SHA-512: 711C35806487E940CA2E4C5DBA15237F48862BDC0179AF227084AC8833F79EFC4CFAE0853A3AD33994045877E3E5053F3EB6CA936B88E126B055670B6908D9B9

Malicious: false

Reputation: low

Preview:<html lang="en" id="facebook" class="no_js"><head><meta charset="utf-8"><meta name="referrer" content="default" id="meta_referrer"><script>window._cstart=+new Date();</script><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXgb0AVThAlwv3dL","timeslice_heartbeat_config":{"pollIntervalMs":33,"idleGapThresholdMs":60,"ignoredTimesliceNames":{"requestAnimationFrame":true,"Event listenHandler mousemove":true,"Event listenHandler mouseover":true,"Event listenHandler mouseout":true,"Event listenHandler scroll":true},"isHeartbeatEnabled":true,"isArtilleryOn":false},"shouldLogCounters":true,"timeslice_categories":{"react_render":true,"reflow":true},"sample_continuation_stacktraces":true,"dom_mutation_flag":true,"stack_trace_limit":30,"deferred_stack_trace_rate":1000,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ75ExhV2hnaK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\webworker[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with no line terminators

Size (bytes): 102

Entropy (8bit): 4.880013455878573

Encrypted: false

MD5: A862AD4909E8489D94DF3C57232CF8B0

SHA1: 7DF90F39B5E23BF52C5A507B8F0B69FFA49DFBCC

SHA-256: CB3C497139AE397DE30A289E13E912F29069193AB6D5B44E3AE5212D3BDA8DA8

SHA-512: 45A8E5E120BEB84AC68B68E90241B99645FAEE7441E94670E27ABBC2707EEA07DF88E4259A50E0D4CBB97E2FD773B1736EFE6904DF0FD8E7D3D3EA37FEE13FE9

Malicious: false

Reputation: low

Preview:importScripts('https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwoMVGTXoHoM/recaptcha__en.js');

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\webworker[2].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with no line terminators

Size (bytes): 102

Entropy (8bit): 4.880013455878573

Encrypted: false

MD5: A862AD4909E8489D94DF3C57232CF8B0

SHA1: 7DF90F39B5E23BF52C5A507B8F0B69FFA49DFBCC

SHA-256: CB3C497139AE397DE30A289E13E912F29069193AB6D5B44E3AE5212D3BDA8DA8

SHA-512: 45A8E5E120BEB84AC68B68E90241B99645FAEE7441E94670E27ABBC2707EEA07DF88E4259A50E0D4CBB97E2FD773B1736EFE6904DF0FD8E7D3D3EA37FEE13FE9

Malicious: false

Reputation: low

Preview:importScripts('https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwoMVGTXoHoM/recaptcha__en.js');

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\2WTNpTnlfW7[1].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 73617

Entropy (8bit): 5.518741319973243

Encrypted: false

MD5: B346638146C98EE0C1038B7375FB64B3

SHA1: 04CA9FB1579E9917A04BF05CCC0427BFCAECBF31

SHA-256: 84B02E6894E4A95B3D9EE7A1C06F663A4D0E87950865BDF4DB35568819F40148

SHA-512: 99A4946B200B311AB7F87C7ACEEDE18AAA20A08B856F1F5818FFDE347F3AC60173A2BB5BB47A7A285B5D526F005851A053C12A80BE37542F59E41D5D1CD04381

Malicious: false

Reputation: low

Preview:;height:1px;margin-left:8px;width:189px}._4ejc{background-color:#e9ebee}._3tf{padding-left:12px;padding-top:2px}._2xo._3tj,._2xo._3tk{display:none}._1cgn{display:inline-block}._1cgo{background:#3b5998;border-radius:3px;display:block;height:6px;opacity:.5;width:6px}._2xp ._1cgo{opacity:1}._3sy:hover ._53qx{background-image:url(/rsrc.php/v3/yV/r/nYN5Om6ilwl.png);background-repeat:no-repeat;background-size:auto;background-position:-15px -149px}._3sy:hover ._53qy{background-image:url(/rsrc.php/v3/yV/r/nYN5Om6ilwl.png);background-repeat:no-repeat;background-size:auto;background-position:-18px -379px}._gu1{margin-left:-6px;margin-right:-6px}._3tj,._3tk{display:inline;height:12px;position:absolute;top:20px;width:8px;z-index:4}._53qy{background-image:url(/rsrc.php/v3/yV/r/nYN5Om6ilwl.png);background-repeat:no-repeat;background-size:auto;background-position:-17px -397px}._53qx{background-image:url(/rsrc.php/v3/yV/r/nYN5Om6ilwl.png);background-repeat:no-repeat;background-size:auto;background-pos

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\32213527_1720875981299142_7601737152052854784_n[1].png

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: PNG image data, 56 x 56, 8-bit/color RGBA, non-interlaced

Size (bytes): 5644

Entropy (8bit): 7.404002460860178

Encrypted: false

MD5: 7945FAB65F43CC4095AF537FDE0AE8EC

SHA1: 35B2D0A19F68928891D7461D22CDE51B5F60DB56

SHA-256: C267CF85D83DAC40D205245F3644F432F918455AC4F882BB8691A4F86ADECE38

SHA-512: 49AFA11ADCD62394574F3390D8F198AA8BA42405D050E9286BC956E1BE06A06FDCCE5DFA15B71D1C50F6D534B2A32D8D8324E7FC8F64B108A1B1204C477D59FF

Malicious: false

Reputation: low

Preview:.PNG........IHDR...8...8.......;.....tEXtSoftware.Adobe ImageReadyq.e<...(iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2017 (Macintosh)" xmpMM:InstanceID="xmp.iid:370E241A4A5511E89148E8D8B1CAB690" xmpMM:DocumentID="xmp.did:370E241B4A5511E89148E8D8B1CAB690"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:370E24184A5511E89148E8D8B1CAB690" stRef:documentID="xmp.did:370E24194A5511E89148E8D8B1CAB690"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>[email protected].,.n...].\.......\!.\{..z...|$M..}y..H..$....x[nD...A.V.:...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\46twG_p7jIg[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 13441

Entropy (8bit): 5.338512459703956

Encrypted: false

MD5: 4FAF998117ED5BA4107F4493E3F8D06E

SHA1: F432C640E89F390BE9E5F84A08E1E7A26DCDAD23

SHA-256: 0E00D38E5A3CBFB9D4AB7516BBF80909480ACF33B61C522600CEA1950FEF8568

SHA-512: 9440F28EEE8D4D6136B2E35C2256A168D706509176F54E030E694FB1E01E5B2A3A3B14492E7F35945A893A35E742DC0D2EB02BC06458C2A26601D4A33F81785A

Malicious: false

Reputation: low

Preview:f(i===!0||i===b("PageTransitionsRegistrar").DELAY_HISTORY){var j={sender:this,uri:c,id:e};try{b("Arbiter").inform("page_transition",j)}catch(a){}return i}else g.splice(h,1)}}return!1},disableTransitions:function(){z=!0},disableScrollAnimation:function(){A=!0},_hasBootloadErrors:function(){return b("Bootloader").getErrorUrls().size>0},unifyURI:function(){this._init(),s=u=w,x=v},transitionComplete:function(a){a===void 0&&(a=!1);this._init();y=!1;B._executeCompletionCallbacks();B.unifyURI();a||s&&B.restoreScrollPosition(s);try{document.activeElement&&document.activeElement.nodeName==="A"&&document.activeElement.blur()}catch(a){}},_executeCompletionCallbacks:function(){var a=b("PageTransitionsRegistrar")._getCompletionCallbacks();a.length>0&&(b("PageTransitionsRegistrar")._resetCompletionCallbacks(),a.forEach(function(a){return a()}))},registerCompletionCallback:b("PageTransitionsRegistrar").registerCompletionCallback,rewriteCurrentURI:function(a,c){__p&&__p();this._init();var d=b("PageTra

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\53WuK3r6-Bj[1].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text

Size (bytes): 92

Entropy (8bit): 4.897225989287647

Encrypted: false

MD5: D5B608FC45625AB55CE9A7545E8D513F

SHA1: C1C62D289C0AA2398E2A19880193F398CEA65796

SHA-256: 34E6BFF36C5A68EF538B704734507D0F4FFBAD1E23F58275E5821EF494E9C617

SHA-512: 1D2B1A330617E284395444B09C1D23CECA773DE430F54D1FD71547EE1A627E56074D024820C9E48DC373D381C5919B8ABEB15369611329845C3ADE1E0547D650

Malicious: false

Reputation: low

Preview:._7t5v{margin:0}..#bootloader__6wss{height:42px;}.bootloader__6wss{display:block!important;}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\7W_zzge2D8D[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 1470239

Entropy (8bit): 5.512966585182578

Encrypted: false

MD5: 70D015A25782B3C9A586F20CAC0B4115

SHA1: 200FF689AF99734837F428BF8DAB00B0237F41DA

SHA-256: 84A945E432E7761F1AEAAB57673E01B3021C4E1DE03D68C79A2A7ED462AA23FE

SHA-512: 211DAEE72EE261214083155167E45AA196F0A07C625D90CD87A84DE8F5BC665AEE691143F641FD6319EE3AF5E4F08A8FE18EBC5E7041F1506D1972194F2A26F7

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["iJOX7"]); }..__d("UFI2ViewOption",["qex"],(function(a,b,c,d,e,f){"use strict";a={isChronologicalOrder:function(a){var c=b("qex");if(a==="FRIENDS_COMMENTS"&&!c._("1080217"))return!1;switch(a){case"RECENT_ACTIVITY":case"RANKED_THREADED":case"RANKED_UNFILTERED":case"LIVE_STREAMING":case"RANKED_SUB_REPLIES":case"RANKED_REPLIES":return!1}return!0}};e.exports=a}),null);.__d("UFI2CommentsListState",["invariant","ErrorUtils","FBLogger","UFI2ViewOption","gkx"],(function(a,b,c,d,e,f,g){"use strict";__p&&__p();function h(a){var b=a.count,c=a.direction,d=a.error,e=a.hasMore,f=a.isLoading,g=a.pageSize;a=a.totalCount;if(a!=null&&a===0)return null;if(b===0)return null;return!e?null:{__type:"PAGER",count:Math.min(b,g),direction:c,status:{error:d,pending:f}}}function i(a){var b=a.count,c=a.expanded;a=a.minCountToShowCollapser;if(!c)return null;if(a==null)return null;return b<=a?null:{__type:"REPLIES_COLLAPSER",count:b}}function j(a){var b=a.error,c=a.e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\9VJ3J79N.gif

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: GIF image data, version 89a, 1 x 1

Size (bytes): 42

Entropy (8bit): 3.0241026136709444

Encrypted: false

MD5: B4682377DDFBE4E7DABFDDB2E543E842

SHA1: 328E472721A93345801ED5533240EAC2D1F8498C

SHA-256: 6D8BA81D1B60A18707722A1F2B62DAD48A6ACCED95A1933F49A68B5016620B93

SHA-512: 202612457D9042FE853DAAB3DDCC1F0F960C5FFDBE8462FA435713E4D1D85FF0C3F197DAF8DBA15BDA9F5266D7E1F9ECAEEE045CBC156A4892D2F931FE6FA1BB

Malicious: false

Reputation: low

Preview:GIF89a.............!.......,...........2.;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\EIBLZYAZ.htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, UTF-8 Unicode text, with very long lines

Size (bytes): 128884

Entropy (8bit): 5.697944420738502

Encrypted: false

MD5: A7F8C6F06296E8A7E68FB6D5CC0B1748

SHA1: 7478F1A8D704AC0D57B32E85831C3916F7F5562D

SHA-256: 7CABA592CA659A912BC88A23AE90FF733B8AD363ED1BB931403FA10B51A2B3C6

SHA-512: D8D65F4FF1E9308D5095F5A2D62FB93A579905D8FE14AE99E6E7EEC4E4B755F90CF138DD586320EB6CF2977C06307BBEEB134FC93DCAE9D91037638831A73BB5

Malicious: false

Reputation: low

Preview:<!DOCTYPE html>.<html lang="fr" id="facebook" class="no_js">.<head><meta charset="utf-8" /><meta name="referrer" content="default" id="meta_referrer" /><script>window._cstart=+new Date();</script><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXgb0AVThAlwv3dL","timeslice_heartbeat_config":{"pollIntervalMs":33,"idleGapThresholdMs":60,"ignoredTimesliceNames":{"requestAnimationFrame":true,"Event listenHandler mousemove":true,"Event listenHandler mouseover":true,"Event listenHandler mouseout":true,"Event listenHandler scroll":true},"isHeartbeatEnabled":true,"isArtilleryOn":false},"shouldLogCounters":true,"timeslice_categories":{"react_render":true,"reflow":true},"sample_continuation_stacktraces":true,"dom_mutation_flag":true,"stack_trace_limit":30,"deferred_stack_trace_rate":1000,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\G7XzcaS1QmM[1].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: assembler source, ASCII text, with very long lines

Size (bytes): 40559

Entropy (8bit): 5.299128697378859

Encrypted: false

MD5: E7DAEE3856CAC034345985CABF8A5E44

SHA1: 97DC3E314618D7CAB303C2F0139EB0B125C93A13

SHA-256: D913361E0F24CB09735DD026A37A8E6F991438574C226705DEF782158988C642

SHA-512: D9C7F6EA8DB1C969095D6E85DC763EFD0F41983F3E4CC9B6B6E488B076EA97AD762E310E5C38D5457E3137AA390AAE12B68F0605F7ABE0DC89BFF7FB9C0A9FB0

Malicious: false

Reputation: low

Preview:._3_s0._3_s0{border:0;display:flex;height:44px;min-width:600px;position:relative;text-align:left;top:0;transition:top .3s, height .3s;z-index:301}.hideBanner ._3_s0,.fixedBody ._3_s0{display:none}._3_s0._1tof{position:absolute;width:100%;z-index:400}._3_s0._1toe{height:0;overflow:hidden}._3_s0 ._608m{align-self:flex-end;margin:0 auto;max-width:981px;min-width:100px;padding:0 12px;width:100%}.sidebarMode ._3_s0 ._608m{padding-right:214px}._3_s0 ._tb6{align-items:center;height:44px}._3_s0 ._608n{display:flex}._3_s0 ._3bcp{overflow:visible}._3bcs{flex:1 0 0px}._3bct{position:relative}._3bct::before{content:'';display:block;height:18px;left:-1px;position:absolute;top:4px;width:1px}._3_s0 ._3bcv{font:Helvetica, Arial, sans-serif;font-size:12px;font-weight:bold;line-height:24px}._3_s0 ._3bcy{line-height:24px}._3_s0 ._3bcz{border-radius:4px;padding:1px 4px}._1toc._1toc{border-radius:2px;box-shadow:0 0 0 2px #3578E5, 0 0 0 4px #91b4fd;overflow:hidden}._2yq ._3_s0 ._608m,._2xk0 ._3_s0 ._608m{ma

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\RCJbNX5Ogbs[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 30644

Entropy (8bit): 5.271329427653729

Encrypted: false

MD5: DECC2D9EBA27F0A81AF9A3839CBED25D

SHA1: 51AC49493DFE1D0DF0C58103F4CB9C1CA21B8B62

SHA-256: 85B12676A1C40FCC2122E0E9E818C5CBA56FD6E436632C75809301FE2B4A56E5

SHA-512: 679B4EA60B098D954CBB33B1A64DD5384AC08189ED552CC80A0F65B6F3347A49DEE1C03AC6B44D583236F25900201CCAC5B9B37F8F0184A32FAB5359973373E6

Malicious: false

Reputation: low

Preview:Nb(b,c,d,a){var e=Object.create(P);e.size=b;e._root=c;e.__ownerID=d;e.__hash=a;e.__altered=!1;return e}var Ob;function Pb(){return Ob||(Ob=Nb(0))}function Qb(a,b,c){var d,e;if(!a._root){if(c===g)return a;e=1;d=new Fb(a.__ownerID,[[b,c]])}else{var f=j(h),k=j(i);d=Rb(a._root,a.__ownerID,0,void 0,b,c,f,k);if(!k.value)return a;e=a.size+(f.value?c===g?-1:1:0)}if(a.__ownerID){a.size=e;a._root=d;a.__hash=void 0;a.__altered=!0;return a}return d?Nb(e,d):Pb()}function Rb(a,b,c,d,e,f,h,i){if(!a){if(f===g)return a;k(i);k(h);return new Jb(b,d,[e,f])}return a.update(b,c,d,e,f,h,i)}function Sb(a){return a.constructor===Jb||a.constructor===Ib}function Tb(a,b,c,e,g){if(a.keyHash===e)return new Ib(b,e,[a.entry,g]);var h=(c===0?a.keyHash:a.keyHash>>>c)&f,i=(c===0?e:e>>>c)&f;e=h===i?[Tb(a,b,c+d,e,g)]:(c=new Jb(b,e,g),h<i?[a,c]:[c,a]);return new Gb(b,1<<h|1<<i,e)}function Ub(a,b,c,d){a||(a=new l());c=new Jb(a,K(c),[c,d]);for(var d=0;d<b.length;d++){var e=b[d];c=c.update(a,0,void 0,e[0],e[1])}return c}funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\anchor[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, ASCII text, with very long lines

Size (bytes): 24023

Entropy (8bit): 5.934309042036346

Encrypted: false

MD5: 9226A2B31E2D1285C8B910B459BCB7B7

SHA1: 8039CE323F01D128255F32FF875891CD2D91D54F

SHA-256: 1C21F67A5A11BA4E4E439D5C6C96E9EAE14F0D2E003C9DA95758B69357B51044

SHA-512: FF464DD9A7A26FA244EC73CEA15AA0802533A76C52DD035AF83E0CD97DBD2B2E66D86D442DDAAF7FD4B3CF8C9A86FFA8D8F811D0DE9D2D5283303621212C967D

Malicious: false

Reputation: low

Preview:<!DOCTYPE HTML><html dir="ltr" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="X-UA-Compatible" content="IE=edge">.<style type="text/css">.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. src: local('Roboto Regular'), local('Roboto-Regular'), url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxP.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 500;. src: local('Roboto Medium'), local('Roboto-Medium'), url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc9.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 900;. src: local('Roboto Black'), local('Roboto-Black'), url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBBc9.ttf) format('truetype');.}..</style>.<link rel="stylesheet" type="text/css" href="https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwoMVGTXoHoM/styles__ltr.css"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\api[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 729

Entropy (8bit): 5.307100676703662

Encrypted: false

MD5: 8E559D3F7B47CE093BFF7944209EE7FF

SHA1: 9579F3461B3BC631EED79E5CF6D7C9DDBDDA0F12

SHA-256: 3211CD82CE26FEC042B2543617D3138A366D470FA74ED56788C3B0956C9F9FFB

SHA-512: 832F28065A2BEE6AF74970D238D6A7569050C903D4B7BC718777E9E26AC1F0431F1D7051F154781CA0A5DA7F77163DB565C5E8C0DD6FF3709CAE649BC26E007A

Malicious: false

Reputation: low

Preview:/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};(cfg['enterprise']=cfg['enterprise']||[]).push(false);(cfg['render']=cfg['render']||[]).push('onload');w['__google_recaptcha_client']=true;var d=document,po=d.createElement('script');po.type='text/javascript';po.async=true;po.src='https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwoMVGTXoHoM/recaptcha__en.js';var e=d.querySelector('script[nonce]'),n=e&&(e['nonce']||e.getAttribute('nonce'));if(n){po.setAttribute('nonce',n);}var s=d.getElementsByTagName('script')[0];s.parentNode.insertBefore(po, s); })();

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\b6E9gAus05g[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 143812

Entropy (8bit): 5.441344883596137

Encrypted: false

MD5: 434A94F8678D5ED84ECA8BC372EF3933

SHA1: 37C99E1585108243DB8FBB91227E78D8CCF15926

SHA-256: 001214D50A3B6B30053D0D9A9C1A5475CA8DB8C16B3EC1D5FF49B245D734CB11

SHA-512: F471092B410C68EC1CC003919D08C646CB71285B2B12A7FDD8B136E15CB9511B84D6B4A468D43C0ED99E70A8E3C27BACC9B75DD84785D030709E77BF7464FB46

Malicious: false

Reputation: low

Preview:tils","nullthrows"],(function(a,b,c,d,e,f){"use strict";__p&&__p();a=function(){__p&&__p();function a(){this.$1={}}var c=a.prototype;c.log=function(){b("GeneratedLoggerUtils").log("vpsp_proxy:VideoPlayerShakaPerformanceLoggerConfig",this.$1,b("Banzai").BASIC)};c.logVital=function(){b("GeneratedLoggerUtils").log("vpsp_proxy:VideoPlayerShakaPerformanceLoggerConfig",this.$1,b("Banzai").VITAL)};c.logImmediately=function(){b("GeneratedLoggerUtils").log("vpsp_proxy:VideoPlayerShakaPerformanceLoggerConfig",this.$1,{signal:!0})};c.clear=function(){this.$1={};return this};c.getData=function(){return babelHelpers["extends"]({},this.$1)};c.updateData=function(a){this.$1=babelHelpers["extends"]({},this.$1,a);return this};c.setAccessToken=function(a){this.$1.access_token=a;return this};c.setAdditionalBufferedRanges=function(a){this.$1.additional_buffered_ranges=a;return this};c.setAppendedBufferMs=function(a){this.$1.appended_buffer_ms=a;return this};c.setBandwidthEstimate=function(a){this.$1.bandw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\background_gradient[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3

Size (bytes): 453

Entropy (8bit): 5.019973044227213

Encrypted: false

MD5: 20F0110ED5E4E0D5384A496E4880139B

SHA1: 51F5FC61D8BF19100DF0F8AADAA57FCD9C086255

SHA-256: 1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B

SHA-512: 5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A

Malicious: false

Reputation: low

Preview:......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... [email protected].%...m..D.25...T...F.........p......A..........BP..qD.([email protected]?..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\eQUWlompwsJ[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: C source, ASCII text, with very long lines

Size (bytes): 134189

Entropy (8bit): 5.388270430821032

Encrypted: false

MD5: DC55EA77ECD7AE6860D02A32552E803A

SHA1: 7924DA04807CFDA0565070B827BB2196CC3E2E33

SHA-256: C56BC3F2BC5017D7366DFC6684A06BCF0BA8BD02179C8EBB65AE0C16D19189B2

SHA-512: 8CFC5EC2A2866A1AF784F572F63978F709D2A2CC3773DDDB1BF940B7B5F24CB888035DC0ABB766BF65A7F897639C1AE95CCA9ABB2FE1B3900676C19BA88CBEF5

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["vpZab"]); }..__d("PixelRatioConst",[],(function(a,b,c,d,e,f){e.exports={cookieName:"dpr"}}),null);.__d("TimezoneAutoset",["AsyncRequest","DateConsts","FBLogger","emptyFunction","killswitch"],(function(a,b,c,d,e,f){__p&&__p();var g=(c=b("DateConsts")).HOUR_PER_DAY,h=c.MIN_PER_HOUR,i=c.MS_PER_SEC,j=c.SEC_PER_MIN,k=!1;function l(a){var c=h*g,d=new Date(),e=d.getTimezoneOffset();d=d.getTime()/i;var f=15;a=a-d;d=Math.round(a/(f*j))*f;d!=0&&b("FBLogger")("TimezoneAutoset").warn("Adjusting timezone offset for clock skew. Browser offset: %s. Raw skew %s. Rounded skew %s",e,a,d);f=Math.round(e+d)%c;f>12*h?f-=c:f<-14*h&&(f+=c);return f}function a(a,b,c){m({serverTimestamp:a,serverTimezone:null,serverGmtOffset:b,forceUpdate:c})}function m(a){__p&&__p();var c=a.serverTimestamp,d=a.serverTimezone,e=a.serverGmtOffset;a=a.forceUpdate;if(!c||e==null)return;if(k)return;k=!0;c=-l(c);var f=b("killswitch")("TIMEZONE_SET_IANA_ZONE_NAME")?null:n();if(a||c!=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\facebook[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, UTF-8 Unicode text, with very long lines

Size (bytes): 130689

Entropy (8bit): 5.710361225153427

Encrypted: false

MD5: A05E1880E0D3D317BD2610595AC3DA10

SHA1: E02DBF9A31BEBCA97B1AC1E8044EAF1D1B7BCA47

SHA-256: 97E76EED0D588A94DD824F38C272525944101D1149E33FABEE38F69AFCBCC994

SHA-512: 155C4DB103339595D20AA4CA22E9BCC199EE174DEC00C1CBE233B8E0EC666F945F45DFB30E10F948955182FBD6CE1816E291A7F918524E6BF74B2831A92A7D43

Malicious: false

Reputation: low

Preview:<html lang="en" id="facebook" class="no_js"><head><meta charset="utf-8"><meta name="referrer" content="default" id="meta_referrer"><script>window._cstart=+new Date();</script><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXgb0AVThAlwv3dL","timeslice_heartbeat_config":{"pollIntervalMs":33,"idleGapThresholdMs":60,"ignoredTimesliceNames":{"requestAnimationFrame":true,"Event listenHandler mousemove":true,"Event listenHandler mouseover":true,"Event listenHandler mouseout":true,"Event listenHandler scroll":true},"isHeartbeatEnabled":true,"isArtilleryOn":false},"shouldLogCounters":true,"timeslice_categories":{"react_render":true,"reflow":true},"sample_continuation_stacktraces":true,"dom_mutation_flag":true,"stack_trace_limit":30,"deferred_stack_trace_rate":1000,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ75ExhV2hnaK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\hsts-pixel[1].gif

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: GIF image data, version 89a, 1 x 1

Size (bytes): 86

Entropy (8bit): 2.7374910194847146

Encrypted: false

MD5: 1A6177096ABF1F34E0368C14CBE5ABB4

SHA1: B2FD9CEB38886E882C536AAAC271D66010BE3F94

SHA-256: AF1F7333005242BDE96A22450229B5EBE670CB46EF8C3DEF185638AEA555AB4C

SHA-512: D2E710278A3A91612F655E85BA3407AEF607ED6CFBBAAF48CF3C0FC282270A14196CCE8F315CF1C6D903A8BBBC71729332520AB4F79F113DB149958D2F2192C5

Malicious: false

Reputation: low

Preview:GIF89a.............!.......,...........D..;GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\iframe[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, ASCII text, with very long lines

Size (bytes): 25716

Entropy (8bit): 5.587503946243955

Encrypted: false

MD5: 42CC5412A02AFBA7CD1F6B61BE52D940

SHA1: 43BBBEAB628AF5F4936376BDBD2513FD5C87E349

SHA-256: 4F69057D0D04537D3698BE7E69403DD5B55C4700245A6E9C880FEB4C36C555A6

SHA-512: DB5E17F2295650FD8B46B67D2383152494204FFAD3ACEEB4FA4055C5FAE4BD0E7B311BA895C7CC4E73E8BBB5C8F01D99088BDA21BACF70D0DE79B8765F7E403C

Malicious: false

Reputation: low

Preview:<!DOCTYPE html><html class=""><head><meta charset="utf-8" /><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"defer_cookies":true});</script><title>Facebook</title><script src="https://www.google.com/recaptcha/api.js"></script><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yo/l/0,cross/53WuK3r6-Bj.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="/6wss" />.<link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yI/l/0,cross/yLg62FiDjTD.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="KebV6" />.<link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/MNdyihBa-5e.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="cvPzX" />.<script src="https://static.xx.fbcdn.net/rsrc.php/v3/yj/r/ByFjTuPCeTM.js?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="q66WY"></script>.<script>require("TimeSliceI

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\invalidcert[1]

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators

Size (bytes): 19690

Entropy (8bit): 5.4554138039640305

Encrypted: false

MD5: 605CD6F5424CACBAFEA622F1C706350F

SHA1: C27D0EC6C1CEB9B688B9A28D9E728E62637D2E40

SHA-256: 782ACB868EB3552668197C2CD706639D869D12B8AA38EAF6AC81587FF3B2B7BD

SHA-512: D4A7E00BA1FB4C3BECD52C1AEBA34C52C08A78EFBAE4CAB01C88A61ADCA32428B9C003B609023511605E72B9C802FC6B9305733F92ED5802BDACFDCD6199BE8C

Malicious: false

Reputation: low

Preview:...function CertError()..{..error = '0';..DocQuery=document.location.search;..BeginError = DocQuery.indexOf("SSLError=");..if (BeginError > 0)..{..BeginError += 9;..EndError = DocQuery.indexOf("&", BeginError);..if (EndError > 0)..{..error = DocQuery.substring(BeginError,EndError);..}..else..{..error = DocQuery.substring(BeginError);..}..}..return error;..}..function PreventIgnoreCertErrors()..{..Policy = '0';..DocQuery=document.location.search;..BeginPolicy = DocQuery.indexOf("PreventIgnoreCertErrors=")+24;..if (BeginPolicy > 0)..{..EndPolicy = DocQuery.indexOf("&", BeginPolicy);..if (EndPolicy > 0)..{..Policy = DocQuery.substring(BeginPolicy,EndPolicy);..}..else..{..Policy = DocQuery.substring(BeginPolicy);..}..}..return Policy;..}..function closePage() {..window.close();..}..function BodyLoad()..{..var iError = CertError();..var iPolicy = PreventIgnoreCertErrors();..var sRealPageUrl = RealPageURL();..var iCertUnknownCA = 16777216;..var iCertExpired = 67108864;..var iCertCNMismatch

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\lZ86cv9aR90[1].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 115567

Entropy (8bit): 5.787756542652454

Encrypted: false

MD5: 0523AEAC81811CFDA231FD8ECC59E4B7

SHA1: 10DFF54A6A8ECEB8E308E2BFDC4CC439F8803E4B

SHA-256: AFBB75EB37C47616458084B752A34EAEFB7CC25BBE612ED1787D80BD0AAA636F

SHA-512: 95FDF4FD0B8BBF14E23A2304C4A1340A884272AB40D14C53AACE365F1AE5D57E7E50DD4BBF9B0DEFAE15FCE7676371E28B31E8C0E7C4853AEB07C42E593073CE

Malicious: false

Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\referer_frame[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, ASCII text, with no line terminators

Size (bytes): 156

Entropy (8bit): 4.792098860976927

Encrypted: false

MD5: F05C9FA3A77F12F7CCDFD74DC99F7DF3

SHA1: 771AB81725E4D7AFC28A3C209CE8AEB9ECB70DF6

SHA-256: 54A3283B7C16D7876F3EA151F5AAEF808007B0C7FCC31C67A9C25E016754B1F3

SHA-512: 8F5E2A2CF2ED03662144ABD459E805DFC4986B16ACB547FE04964A1874D91ABBF2EFB01CEB520FF4A0B6B04746AAB2C29B533622D02CA05C03C8B9D4A422D246

Malicious: false

Reputation: low

Preview:<!DOCTYPE html><html><script>document.domain = 'facebook.com';</script></html><!DOCTYPE html><html><script>document.domain = 'facebook.com';</script></html>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\static[1].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 19510

Entropy (8bit): 5.295198951648273

Encrypted: false

MD5: D4B3958B4E088D79B3A59C276A9EEC1C

SHA1: 29ABE3D222ABFE176A81094BBD59827A2B57FD1B

SHA-256: 11819581E0AD0B6D0065858C924D051BCEEB97C01BBA5EDAA68A32DA77D021BE

SHA-512: C64D0B6D989F8F031CFC98758F072C0E5C4F92646DB01BFBE5D9306FFE60E18AB66E2BB7756D1349B248D143E5F8AEFB67730D3B94CE68B70B744D069ADF0C21

Malicious: false

Reputation: low

Preview:.._5tkn{background-color:#fff}._5tkn a{color:inherit;text-decoration:underline}._5tkn a:hover{text-decoration:none}._28_g{margin:0 auto;width:1000px}._28_h{background:#000}._5tko,._5tkp{display:inline-block;vertical-align:top}._5tko{top:48px;width:324px}._5tkp{border-left:1px solid #dde1e8;width:674px}._3x93{padding:0 0 100px 48px}._3x94{margin-bottom:24px}._xpp{margin:30px 0}._xpq{display:inline-block;height:56px;margin-left:18px;width:5px}._xpr{display:inline-block;margin:-3px 0 0;padding-left:18px;vertical-align:top;width:512px}._1tvy{padding:14px}body[dir=rtl] ._1tvy.img,body[dir=rtl] ._3h8s i,body[dir=rtl] ._575i i{transform:scaleX(-1)}._q4w{padding-right:34px}._5-x{display:none}._b_1:hover ._5-x{display:inline-block}._5-2{display:inline-block}._b_1:hover ._5-2{display:none}._1tvz{color:#4b4f56;cursor:pointer;font-family:Lucida Grande, Tahoma, Verdana, Arial, sans-serif;margin:auto 0;overflow:hidden;padding-left:12px;position:relative;width:312px}._b_1{border-bottom:1px solid #c7c

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\static[2].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 1288

Entropy (8bit): 5.389528309340463

Encrypted: false

MD5: E19FBE2B5DB731FE6D838536355A3429

SHA1: 5C7304E20568F122425A46394B5982D5F9993EF8

SHA-256: 8088DAF4BB071141F2B0C4A06A37ED00088EA981D4D370AF189B4FCF1719EC54

SHA-512: 9B6280D0DBE7C7C3386C0FA4BF07233CB343668FC8C95B04F025842C2FE27AF77F0A35A3EFF1BFFEF094E90799AB3586BA2E2731A38EA7170EFAA359254FE3A7

Malicious: false

Reputation: low

Preview:ckground-color:#fcd872}._1-r8 ._t3o:hover ._t3q{color:#e1a43b}._1-r8 ._t3o:hover ._17la{background-color:#e1a43b}._1-r8 ._t3q{color:#fcd872}._1-r8 .__35:hover{background-color:#e1a43b}._1-r8 ._83p{color:#fcd872}._1-r8 ._83p:hover{background-color:#fcd872;color:#fff}..sp_ytT7zHccmZQ{background-image:url(/rsrc.php/v3/y8/r/W7ScNkQaJC6.png);background-size:auto;background-repeat:no-repeat;display:inline-block;height:41px;width:41px}.sp_ytT7zHccmZQ.sx_2df7e7{background-position:0 0}.sp_ytT7zHccmZQ.sx_305fc6{background-position:0 -42px}.sp_ytT7zHccmZQ.sx_5f52ed{width:7px;height:11px;background-position:-29px -420px}.sp_ytT7zHccmZQ.sx_e38f88{width:28px;height:28px;background-position:0 -420px}.sp_ytT7zHccmZQ.sx_2af63d{width:28px;height:28px;background-position:0 -449px}.sp_ytT7zHccmZQ.sx_9c3933{background-position:0 -84px}.sp_ytT7zHccmZQ.sx_fd2e69{background-position:0 -126px}.sp_ytT7zHccmZQ.sx_58412b{background-position:0 -168px}.sp_ytT7zHccmZQ.sx_bdc914{background-position:0 -210px}.sp_ytT7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\static[3].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 13831

Entropy (8bit): 5.419071803298527

Encrypted: false

MD5: 9A63D518D925C663485275812DA1E9AE

SHA1: 17E497E872142E6AD177F4961A245F07653E10ED

SHA-256: F1AD11572B156C67F813E4A9E461F0DF0A7B5F16FA0DAF8DCCEC91A22A38157E

SHA-512: 3888D846585B9B368B4B4E5A821567F2817DA33735DFC95766D23D7C98D7FCD798136B53980C4286CC59BD66E8F40D0BDF1A63E14DC2154A6619D09C2A7EF529

Malicious: false

Reputation: low

Preview:div._2as{height:57px;padding:0}._5fd9{display:none;text-align:center}._5fd9,._2ay{padding:16px 0}._2ay,._2ay:hover{display:block;padding-left:28px;text-decoration:none}.async_saving ._5fd9{display:block}.async_saving ._2ay{display:none}.._pu-{background-color:#f5f6f7;border-bottom:1px solid #dddfe2;border-top:1px solid #dddfe2}._pu_:hover{background-color:#f5f6f7}._pv0{vertical-align:middle}._pu- ._pv0{height:50px}._pu_ ._pv0{height:60px}._pu_ ._pv1{text-align:center}._62_k{border-bottom:solid #fff;border-width:1px 0;color:#ccc;font-size:22px;font-weight:bold;padding:60px 0;text-align:center}.._275p{font-size:12px;line-height:16px;margin-top:8px}._275q{color:#4b4f56;font-size:11px;font-weight:bold;line-height:15px;margin-bottom:4px}._4w02{max-height:365px;overflow-x:hidden;overflow-y:auto}..groupAddMemberTypeaheadBox .plusIcon{left:8px;position:absolute;top:7px;z-index:2}.groupAddMemberTypeaheadBox{margin-top:10px;padding-right:4px;padding-top:0;position:relative}.groupAddMemberTypeahe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\styles__ltr[1].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 139838

Entropy (8bit): 6.080690295781074

Encrypted: false

MD5: 9DDC9BCA973CBEBDE3F58D5A44338877

SHA1: 8EED61EFDE8FC465379F09529D60B777C74DE302

SHA-256: DEC9ADBC5FB4C035613375864CC8A7A179223D6351A2EC3AE29E0D5BB5FD0CED

SHA-512: 74422748383350D78899F4865CDC2D2917A0E7CCDB4BDC669FB26456DE646A63AEDC2838BD022AD1A5032BC75B694557A67B8F96B751C3645660C8FB711A0798

Malicious: false

Reputation: low

Preview:.goog-inline-block{position:relative;display:-moz-inline-box;display:inline-block}* html .goog-inline-block{display:inline}*:first-child+html .goog-inline-block{display:inline}.jfk-radiobutton{display:inline-block;outline:none;padding:5px 7px;position:relative}.jfk-radiobutton-radio{-webkit-border-radius:50%;-moz-border-radius:50%;border-radius:50%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;background:url(//ssl.gstatic.com/ui/v1/radiobutton/unchecked.png) -3px -3px;background:rgba(255,255,255,0);border:1px solid rgba(198,198,198,1);height:15px;left:7px;margin:0;outline:none;position:absolute;text-align:left;top:6px;width:15px}.jfk-radiobutton:active .jfk-radiobutton-radio{background:rgba(235,235,235,1);border-color:rgba(182,182,182,1)}.jfk-radiobutton:hover .jfk-radiobutton-radio{-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,.1);box-shadow:inset 0 1px 1px rgba(0,0,0,.1);border-color:rgba(182,182,182,1)}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\update[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, UTF-8 Unicode text, with very long lines

Size (bytes): 130931

Entropy (8bit): 5.635919763529904

Encrypted: false

MD5: 8929EF79E47BB143B2F503C6E53D780D

SHA1: 53B3B41F77A88E11AB627D25B97E013CC898D19B

SHA-256: CD37693B53F1853496BA1DF9C39A7BD22AE6FF6678F300675A0074BBFDC5533A

SHA-512: 6145781FAE2BDCE7C06956378550DD013009706AFC94E7C9E5FE62A936D7BF548B9C76351423B511F4381BD66FF9103352BC5720D85EFF50C84EF63CF179B4A5

Malicious: false

Reputation: low

Preview:<html lang="en" id="facebook" class="no_js"><head><meta charset="utf-8"><meta name="referrer" content="default" id="meta_referrer"><script>window._cstart=+new Date();</script><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"ajaxpipe_token":"AXgb0AVThAlwv3dL","timeslice_heartbeat_config":{"pollIntervalMs":33,"idleGapThresholdMs":60,"ignoredTimesliceNames":{"requestAnimationFrame":true,"Event listenHandler mousemove":true,"Event listenHandler mouseover":true,"Event listenHandler mouseout":true,"Event listenHandler scroll":true},"isHeartbeatEnabled":true,"isArtilleryOn":false},"shouldLogCounters":true,"timeslice_categories":{"react_render":true,"reflow":true},"sample_continuation_stacktraces":true,"dom_mutation_flag":true,"stack_trace_limit":30,"deferred_stack_trace_rate":1000,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ75ExhV2hnaK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\webworker[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with no line terminators

Size (bytes): 102

Entropy (8bit): 4.880013455878573

Encrypted: false

MD5: A862AD4909E8489D94DF3C57232CF8B0

SHA1: 7DF90F39B5E23BF52C5A507B8F0B69FFA49DFBCC

SHA-256: CB3C497139AE397DE30A289E13E912F29069193AB6D5B44E3AE5212D3BDA8DA8

SHA-512: 45A8E5E120BEB84AC68B68E90241B99645FAEE7441E94670E27ABBC2707EEA07DF88E4259A50E0D4CBB97E2FD773B1736EFE6904DF0FD8E7D3D3EA37FEE13FE9

Malicious: false

Reputation: low

Preview:importScripts('https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwoMVGTXoHoM/recaptcha__en.js');

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\yLg62FiDjTD[1].css

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 423673

Entropy (8bit): 5.48815027864896

Encrypted: false

MD5: 1EC6D78082BEBD210BA938879F6A0C10

SHA1: 5E95284DE7B26B15C04EFC301835F297EB8E5198

SHA-256: C56CE71EC1C0B6BF991C1032F5E5996F5D0D3CF5AACBF41E51CEE64EC04F6584

SHA-512: 8A9F0FB5650A1CCC67B7CF512A8E971C1C4AA695DE2BEBE537C8CC8059BDA343D031230FECCD377EDCC64793C45D7D17CD16EA2025FB092E832C8C0E0FFC4F13

Malicious: false

Reputation: low

Preview:.fbPageBanner{position:relative;z-index:301}.hideBanner .fbPageBanner,.fixedBody .fbPageBanner{display:none}@media (min-width: 480px){.fbPageBannerInner{margin:auto;max-width:950px;min-width:920px}}.sidebarMode .fbPageBannerInner{left:-102px;position:relative}.._2_qm{position:relative}._2_qm::after{border:1px solid rgba(0, 0, 0, .1);bottom:0;content:'';left:0;pointer-events:none;position:absolute;right:-2px;top:0}html ._2_qn:hover{text-decoration:none}html ._35ph{pointer-events:none;position:absolute}._2_qo{padding:44px 0;position:relative;text-align:center}._19wj{padding:24px 0;position:relative;text-align:center}html ._2_qp:only-child{display:inline-block}._2_qp{border:4px solid #fff;border-radius:4px;box-shadow:0 4px 6px rgba(0, 0, 0, .1);height:364px;margin:0 auto;width:364px}._4nos{border:4px solid #fff;border-radius:50%;box-shadow:0 4px 6px rgba(0, 0, 0, .1);height:400px;margin:0 auto;width:400px}.._1tt._1tt._1tt{background:#f5f6f7;overflow:hidden;position:relative}._1tt::after{a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\0lUsxssk6yc[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 168944

Entropy (8bit): 5.61254395698402

Encrypted: false

MD5: A9425708211692AD62CF3F2A7B12D7F9

SHA1: 56FD9ABAFD8C8207AAC13D63B95CA47C92D8412F

SHA-256: 6388D11870FCEFDE98941A78AFFA71DF2B5A6C5A845FA3C096C636D5037D7DA9

SHA-512: 508E38FC6EC46BC91AD1B084F395274B380E2E1E137091757D4C464953271A9844355A97D79760F06B0E2BC4D47DEE4544DF4EA6F668EE8B845D4BD2FA46B00D

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["jxPJX"]); }..__d("FBRTCMessageType",[],(function(a,b,c,d,e,f){e.exports={JOIN:0,SERVER_MEDIA_UPDATE:1,HANGUP:2,ICE_CANDIDATE:3,RING:4,DISMISS:5,CONFERENCE_STATE:6,ADD_PARTICIPANTS:7,SUBSCRIPTION:8,CLIENT_MEDIA_UPDATE:9,DATA_MESSAGE:10,REMOVE_PARTICIPANTS:11,PING:18,P2P_if (self.CavalryLogger) { CavalryLogger.start_js(["igtiN"]); }..__d("XUICardSection.react",["cx","React","XUIBlock","joinClasses"],(function(a,b,c,d,e,f,g){"use strict";__p&&__p();a=function(a){__p&&__p();babelHelpers.inheritsLoose(c,a);function c(){return a.apply(this,arguments)||this}var d=c.prototype;d.render=functionif (self.CavalryLogger) { CavalryLogger.start_js(["FT3j9"]); }..__d("MessagingTag",[],(function(a,b,c,d,e,f){e.exports={GROUPS:"groups",UNREAD:"unread",FLAGGED:"flagged",ACTION_ARCHIVED:"action:archived",INBOX:"inbox",MARKETPLACE_FOLDER:"marketplace_folder",OTHER:"other",PENDING:"pending",MONTAGE:"montage",PAGES:"pages"PROTOCOL:19,UPDATE:20,NOTIFY:21,CONN

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\1U-D-BJnUfo[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 104241

Entropy (8bit): 5.686924929966148

Encrypted: false

MD5: 533D39110E0AF330A375AA1D97EEDD2C

SHA1: 6232033F09954247355F671E5F450EAFD263B009

SHA-256: 8DA4C7D3CCC04BB234ADF5CAC09D86A9059DC40C6B3110A006AFAA9817D08603

SHA-512: 5F7B821125553FA6BF86CB845FC78773275FAFF212D19D027C263539266BD4D9563669816134B3D23D62B89B996EE241DA1C37CEBF707ABFE762EDEA823C329E

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["D3rkb"]); }..__d("UsernameFormatToken",[],(function(a,b,c,d,e,f){e.exports={FIRST:"{first}",MIDDLE:"{middle}",LAST:"{last}"}}),null);.__d("XReCaptchaLogActionsController",["XController"],(function(a,b,c,d,e,f){e.exports=b("XController").create("/captcha/recaptcha_log_actions/",{})}),null);.__d("Recaptcha",["fbt","AsyncRequest","Bootloader","CaptchaClientConfig","CSS","CurrentLocale","DOM","Event","Keys","XReCaptchaLogActionsController","ge"],(function(a,b,c,d,e,f,g){__p&&__p();var h,i={tabindex:0,callback:null},j={en_US:"en",en_GB:"en",en_PI:"en",nl_NL:"nl",nl_BE:"nl",fr_FR:"fr",fr_CA:"fr",de_DE:"de",es_LA:"es",es_ES:"es",es_CL:"es",es_CO:"es",es_MX:"es",es_VE:"es",ru_RU:"ru",tr_TR:"tr"},k=!1,l={widget:null,timer_id:-1,fail_timer_id:-1,type:"image",ajax_verify_cb:null,audio_only:!1,$:function(a){if(typeof a==="string")return document.getElementById(a);else return a},setFocusOnLoad:function(a){k=a},create:function(a,c){l.destroy(),a&&(l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\3POIJHDF.gif

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: GIF image data, version 89a, 1 x 1

Size (bytes): 42

Entropy (8bit): 3.0241026136709444

Encrypted: false

MD5: B4682377DDFBE4E7DABFDDB2E543E842

SHA1: 328E472721A93345801ED5533240EAC2D1F8498C

SHA-256: 6D8BA81D1B60A18707722A1F2B62DAD48A6ACCED95A1933F49A68B5016620B93

SHA-512: 202612457D9042FE853DAAB3DDCC1F0F960C5FFDBE8462FA435713E4D1D85FF0C3F197DAF8DBA15BDA9F5266D7E1F9ECAEEE045CBC156A4892D2F931FE6FA1BB

Malicious: false

Reputation: low

Preview:GIF89a.............!.......,...........2.;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\7W_zzge2D8D[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 2100021

Entropy (8bit): 5.536859509702373

Encrypted: false

MD5: FE36B9175622FAB4741EF3CF5A2E0075

SHA1: 33F6AD90934F879F768E1D90DAD0C351F9B18FD6

SHA-256: AA37F2058D8EEB8F208007B4540535AC54E9DF8CE56651B45DC5CD7E799BD7F6

SHA-512: 6BBE023B00BF7FDC815E4F85FDE691CAAC262042D3AB7187C1043F5E3429C014954247DAF0014D1037DC233C46A4424C8F6AFC7FCDF9E411BF115819692A96B9

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["iJOX7"]); }..__d("UFI2ViewOption",["qex"],(function(a,b,c,d,e,f){"use strict";a={isChronologicalOrder:function(a){var c=b("qex");if(a==="FRIENDS_COMMENTS"&&!c._("1080217"))return!1;switch(a){case"RECENT_ACTIVITY":case"RANKED_THREADED":case"RANKED_UNFILTERED":case"LIVE_STREAMING":case"RANKED_SUB_REPLIES":case"RANKED_REPLIES":return!1}return!0}};e.exports=a}),null);.__d("UFI2CommentsListState",["invariant","ErrorUtils","FBLogger","UFI2ViewOption","gkx"],(function(a,b,c,d,e,f,g){"use strict";__p&&__p();function h(a){var b=a.count,c=a.direction,d=a.error,e=a.hasMore,f=a.isLoading,g=a.pageSize;a=a.totalCount;if(a!=null&&a===0)return null;if(b===0)return null;return!e?null:{__type:"PAGER",count:Math.min(b,g),direction:c,status:{error:d,pending:f}}}function i(a){var b=a.count,c=a.expanded;a=a.minCountToShowCollapser;if(!c)return null;if(a==null)return null;return b<=a?null:{__type:"REPLIES_COLLAPSER",count:b}}function j(a){var b=a.error,c=a.e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\ByFjTuPCeTM[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 337335

Entropy (8bit): 5.408884034277675

Encrypted: false

MD5: 5EF53892E2DCE25E1B1A62C75DCF0F66

SHA1: 610AD7DC614E71BDBCF8910023985401A1E7177B

SHA-256: DC1E21A231F6F4D318DB2C2447035B1B54C6EA77BA115A650913CF67A230A67A

SHA-512: 031F11ED4C8C66FC263DD016605D879119A357E5CBE66F8A38E96A93702DD81EF9D69B172E80886438597290BFACCD63737F7A735B02A3E0C94CE7F57A0644A9

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["q66WY"]); }..self.__DEV__=self.__DEV__||0,self.emptyFunction=function(){};."use strict";.Array.from||(Array.from=function(a){if(a==null)throw new TypeError("Object is null or undefined");var b=arguments[1],c=arguments[2],d=this,e=Object(a),f=typeof Symbol==="function"?typeof Symbol==="function"?Symbol.iterator:"@@iterator":"@@iterator",g=typeof b==="function",h=typeof e[f]==="function",i=0,j,k;if(h){j=typeof d==="function"?new d():[];var l=e[f](),m;while(!(m=l.next()).done)k=m.value,g&&(k=b.call(c,k,i)),j[i]=k,i+=1;j.length=i;return j}var n=e.length;(isNaN(n)||n<0)&&(n=0);j=typeof d==="function"?new d(n):new Array(n);while(i<n)k=e[i],g&&(k=b.call(c,k,i)),j[i]=k,i+=1;j.length=i;return j});.Array.isArray||(Array.isArray=function(a){return Object.prototype.toString.call(a)=="[object Array]"});."use strict";(function(a){function b(a,b){if(this==null)throw new TypeError("Array.prototype.findIndex called on null or undefined");if(typeof a!==

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\DzWAqG4WWLL[3].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 157429

Entropy (8bit): 5.441039265594268

Encrypted: false

MD5: 5977DA53721AAE1897E71E0252A37A69

SHA1: 3594C74FE8AF33B65628591625F64D04761DA75E

SHA-256: DFB52E686B1FAE13945A7BDE986E89A4D6C8B5659C4575FBC68E50A410566A09

SHA-512: 07959D65E678EB08FEC4C7A58C95756323B880C1E0920184392694EF28CAE137F3423AA70D23EE49345171B409BD125BC0E31979E7F50466FC6D0BF566B0FDBE

Malicious: false

Reputation: low

Preview:if (self.CavalryLogger) { CavalryLogger.start_js(["FT3j9"]); }..__d("MessagingTag",[],(function(a,b,c,d,e,f){e.exports={GROUPS:"groups",UNREAD:"unread",FLAGGED:"flagged",ACTION_ARCHIVED:"action:archived",INBOX:"inbox",MARKETPLACE_FOLDER:"marketplace_folder",OTHER:"other",PENDING:"pending",MONTAGE:"montage",PAGES:"pages",PAGE_BACKGROUND:"page_background",ACTION_COPIED_MESSAGE:"action:copy_message",ACTION_COPIED_SELF_MESSAGE:"copy_self_message",ACTION_COPIED_ATTACHMENT:"action:copy_attachment",ACTION_COPIED_SELF_ATTACHMENT:"copy_self_attachment",EVENT:"event",SENT:"sent",SPAM:"spam",UPDATES:"broadcasts_inbox",BCC:"header:bcc",FILTERED_CONTENT:"filtered_content",FILTERED_CONTENT_BH:"filtered_content_bh",FILTERED_CONTENT_ACCOUNT:"filtered_content_account",FILTERED_CONTENT_QUASAR:"filtered_content_quasar",FILTERED_CONTENT_INVALID_APP:"filtered_content_invalid_app",ONE_WAY_MESSAGE:"one_way_message",UNAVAILABLE_ATTACHMENT:"unavailable_attachment",ARCHIVED:"archived",EMAIL:"email",VOICEMAIL:"v

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\N929ROG9.htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, UTF-8 Unicode text, with very long lines

Size (bytes): 130276

Entropy (8bit): 5.69987131888833

Encrypted: false

MD5: A33A3782E96C53171B467F7A918AD85E

SHA1: 32A8E63973143AC0B7D3672CAD7005DC875F085D

SHA-256: 89109845323CC9FD82D551905D2E9173C9927A0B3B738E00888C746F3A6C8763

SHA-512: 3DAB12A847C9A2ECF1109316271CD33414E6529F2F4A89E437B60A908E973D1E799C7EECC61E68D24575CDFF132BD24DBF6923FFB33214CF259684678F6F65DB

Malicious: false

Reputation: low

Preview:<!DOCTYPE html>.<html lang="de" id="facebook" class="no_js">.<head><meta charset="utf-8" /><meta name="referrer" content="default" id="meta_referrer" /><script>window._cstart=+new Date();</script><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"defer_cookies":true,"ajaxpipe_token":"AXgb0AVThAlwv3dL","timeslice_heartbeat_config":{"pollIntervalMs":33,"idleGapThresholdMs":60,"ignoredTimesliceNames":{"requestAnimationFrame":true,"Event listenHandler mousemove":true,"Event listenHandler mouseover":true,"Event listenHandler mouseout":true,"Event listenHandler scroll":true},"isHeartbeatEnabled":true,"isArtilleryOn":false},"shouldLogCounters":true,"timeslice_categories":{"react_render":true,"reflow":true},"sample_continuation_stacktraces":true,"dom_mutation_flag":true,"stack_trace_limit":30,"deferred_stack_trace_rate":1000,"timesliceBufferSize":5000,"show_invariant_decoder":

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\SgyPmYUaN1c[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines

Size (bytes): 123985

Entropy (8bit): 5.376325430349131

Encrypted: false

MD5: 0FDBF1F0FA9443271165DC0DBEA2439C

SHA1: 9A2A5623E8AA34793339E3A48B6D0459971A48A5

SHA-256: F9E887E3C857AD2BA3A8352045D0EE7F86D2539A00E1CA2F61F1589BCDD06686

SHA-512: 0395165CB71137D6264D7A312A32A04AC0175FF912FC7E472DC2C9F7AB060FFF0267DEBCE658D49ACA771D35A14E7C13F7B495FFF3C4EBFA0500D321FB33A48D

Malicious: false

Reputation: low

Preview:ar e=B.fiber;null!==c;){if(c===e||c.alternate===e)return!0;a:{var f=c.tag;if((5===f||21===f)&&(f=c.dependencies,null!==f&&(f=f.responders,null!==f&&f.has(d)))){f=!0;break a}f=!1}if(f)break;c=c["return"]}}return!1},isTargetWithinNode:function(c,d){__p&&__p();Xb();var e=A(c),f=A(d);if(null!=e&&null!=f){for(c=f.alternate;null!==e;){if(e===f||e===c)return!0;e=e["return"]}return!1}return d.contains(c)},addRootEventTypes:function(c){Xb();Ob(c,Rb);for(var d=0;d<c.length;d++)Zb(c[d],B)},removeRootEventTypes:function(c){Xb();for(var d=0;d<c.length;d++){var e=c[d],f=Pb.get(e),g=B.rootEventTypes;null!==g&&g["delete"](e);void 0!==f&&f["delete"](B)}},getActiveDocument:c,objectAssign:Object.assign,getTimeStamp:function(){Xb();return Qb},isTargetWithinHostComponent:function(c,d){Xb();for(c=A(c);null!==c;){if(5===c.tag&&c.type===d)return!0;c=c["return"]}return!1},continuePropagation:function(){Sb=1},enqueueStateRestore:yb,getResponderNode:function(){Xb();var c=B.fiber;return 21===c.tag?null:c.stateNod

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\W7ScNkQaJC6[1].png

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: PNG image data, 42 x 478, 8-bit/color RGBA, non-interlaced

Size (bytes): 7640

Entropy (8bit): 7.939332071293501

Encrypted: false

MD5: 804065959FF8F08920443F12993EA550

SHA1: 4929D19811BBBB8EC4F7E1195FC0EEAE1F0BA5FD

SHA-256: 4EF2364A004404434E22AA89D10FBBD5E19DCBF0C92BDB44F28529D113B278F7

SHA-512: 5ED3BBA503F5F9E75D77A429249E733BA0FCF839F8A11BD36557BFF95959BAB851608E0076F1788673E34251C58A49DE88C7D2E1C81956A0DBC27D16039F7988

Malicious: false

Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Y9JKDI5U.htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: UTF-8 Unicode text, with very long lines

Size (bytes): 114587

Entropy (8bit): 5.683974087518189

Encrypted: false

MD5: 512C3938362721B5A958313A6730DF7B

SHA1: 6B7443C2507BA2A7F3178BF4775B31EBBAFA0F83

SHA-256: 0740AFB46A0DEDAF9F99FFA11F6E8528DBC7379939933AB27100AB6983BD67C8

SHA-512: B6119519683731CB7DE1CA775E56451F629931041AF31EBC8AB287A3E9A11E024252C43225B284C2A8AFBAE930F98F17326975AC317CCEA168C244609D3CB2AD

Malicious: false

Reputation: low

Preview:I5_ynGDUBFCCD6SwkItggSJVaDA"]},-1],["URLFragmentPreludeConfig",[],{"hashtagRedirect":true,"fragBlacklist":["nonce","access_token","oauth_token","xs","checkpoint_data","code"]},137],["BigPipeExperiments",[],{"link_images_to_pagelets":false,"enable_bigpipe_plugins":false},907],["BootloaderConfig",[],{"jsRetries":null,"jsRetryAbortNum":2,"jsRetryAbortTime":5,"payloadEndpointURI":"https:\/\/it-it.facebook.com\/ajax\/bootloader-endpoint\/","preloadBE":false,"assumeNotNonblocking":false,"trackUnpredictedBEResources":true,"shouldCoalesceModuleRequestsMadeInSameTick":true,"staggerJsDownloads":false,"preloader_num_preloads":0,"preloader_preload_after_dd":false,"preloader_num_loads":1,"preloader_enabled":false,"retryQueuedBootloads":false,"silentDups":false,"asyncPreloadBoost":true},329],["CSSLoaderConfig",[],{"timeout":5000,"modulePrefix":"BLCSS:"},619],["CookieCoreConfig",[],{"a11y":{},"act":{},"c_user":{},"dpr":{"t":604800},"js_ver":{"t":604800},"locale":{"t":604800},"m_pixel_ratio":{"t":6048

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\anchor[1].htm

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: HTML document, ASCII text, with very long lines

Size (bytes): 12008

Entropy (8bit): 5.9388364967885945

Encrypted: false

MD5: 83EDC7ADEF725052BBE2BD343B974EBD

SHA1: D22EDF8A982CF0F967492E7AA419971A74B7D06C

SHA-256: 2C43AB4235791A6E4F5574E533432D67194000F201E8676CB1E92A018686F699

SHA-512: A603259757C37C29E9F6BC7BE40915C54CBD89A285AF4E47C5EDC796D87BCAD296241F11C1E1F1DFF189223255DB1AEE420B58CDB3207F8C7D6E1E98FD6EDCD0

Malicious: false

Reputation: low

Preview:<!DOCTYPE HTML><html dir="ltr" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="X-UA-Compatible" content="IE=edge">.<style type="text/css">.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. src: local('Roboto Regular'), local('Roboto-Regular'), url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxP.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 500;. src: local('Roboto Medium'), local('Roboto-Medium'), url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc9.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 900;. src: local('Roboto Black'), local('Roboto-Black'), url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBBc9.ttf) format('truetype');.}..</style>.<link rel="stylesheet" type="text/css" href="https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwoMVGTXoHoM/styles__ltr.css"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\api[1].js

Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File Type: ASCII text, with very long lines, with no line terminators

Size (bytes): 729

Entropy (8bit): 5.307100676703662

Encrypted: false

MD5: 8E559D3F7B47CE093BFF7944209EE7FF

SHA1: 9579F3461B3BC631EED79E5CF6D7C9DDBDDA0F12

SHA-256: 3211CD82CE26FEC042B2543617D3138A366D470FA74ED56788C3B0956C9F9FFB

SHA-512: 832F28065A2BEE6AF74970D238D6A7569050C903D4B7BC718777E9E26AC1F0431F1D7051F154781CA0A5DA7F77163DB565C5E8C0DD6FF3709CAE649BC26E007A

Malicious: false

Reputation: low

Preview:/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};(cfg['enterprise']=cfg['enterprise']||[]).push(false);(cfg['render']=cfg['render']||[]).push('onload');w['__google_recaptcha_client']=true;var d=document,po=d.createElement('script');po.type='text/javascript';po.async=true;po.src='https://www.gstatic.com/recaptcha/releases/75nbHAdFrusJCwoMVGTXoHoM/recaptcha__en.js';var e=d.querySelector('script[nonce]'),n=e&&(e['nonce']||e.getAttribute('nonce'));if(n){po.setAttribute('nonce',n);}var s=d.getElementsByTagName('script')[0];s.parentNode.insertBefore(po, s); })();

Domains and IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation
fbsbx.com 185.60.216.35 true false high
star.c10r.facebook.com 185.60.216.15 true false high
scontent.xx.fbcdn.net 185.60.216.19 true false high
scontent-hkg3-2.xx.fbcdn.net 157.240.15.22 true false high
www.joinfproxy.com 47.91.149.178 true false 3%, Virustotal, Browse unknown
facebook.com 185.60.216.35 true false high
fbcdn.net 185.60.216.35 true false high
z-m.c10r.facebook.com 185.60.216.36 true false high
atlas.c10r.facebook.com 185.60.216.6 true false high
agent.joinf.cn 47.91.149.178 true true 10%, Virustotal, Browse unknown
pt-pt.facebook.com unknown unknown false high
cx.atdmt.com unknown unknown false high
sq-al.facebook.com unknown unknown false high
it-it.facebook.com unknown unknown false high
connect.facebook.net unknown unknown false high
pixel.facebook.com unknown unknown false high
static.xx.fbcdn.net unknown unknown false high
de-de.facebook.com unknown unknown false high
fr-fr.facebook.com unknown unknown false high

Contacted URLs

Name Malicious Antivirus Detection Reputation
agent.joinf.cn/static/rsrc.php/v3/yN/r/YSGcJgI3134.js?_nc_x=Ij3Wp8lg5Kz true Avira URL Cloud: phishing unknown
agent.joinf.cn/static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lJL2wvMCxjcm9zcy95TGc2MkZpRGpURC5jc3M/X25jX3g9SWozV3A4bGc1S3o= true Google Safe Browsing: phishing unknown
www.joinfproxy.com/images/marketing/cookies/www/tools_active.png false Avira URL Cloud: phishing unknown
agent.joinf.cn/static/rsrc.php/v3ivK94/yW/l/en_US/-fNtMGApV03.js?_nc_x=Ij3Wp8lg5Kz true Avira URL Cloud: phishing unknown
agent.joinf.cn/rsrc.php/v3/yj/r/AE-e0Vw8Uhd.png true Avira URL Cloud: phishing unknown
agent.joinf.cn/static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3l5L2wvMCxjcm9zcy9vQWx1M09BVjF2US5jc3M/X25jX3g9SWozV3A4bGc1S3o= true Google Safe Browsing: phishing unknown
www.joinfproxy.com/ false 3%, Virustotal, Browse Avira URL Cloud: phishing unknown
agent.joinf.cn/static/rsrc.php/v3iqES4/yN/l/en_US/lIJrOY0twaO.js?_nc_x=Ij3Wp8lg5Kz true Avira URL Cloud: phishing unknown
agent.joinf.cn/static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lrL2wvMCxjcm9zcy9HN1h6Y2FTMVFtTS5jc3M/X25jX3g9SWozV3A4bGc1S3o= true Google Safe Browsing: phishing unknown
www.joinfproxy.com/policies/cookies/ false Avira URL Cloud: phishing unknown
agent.joinf.cn/static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3ltL3Ivb180bk5kYlppczkucG5n true Google Safe Browsing: phishing unknown
agent.joinf.cn/static/rsrc.php/v3/yQ/r/SgyPmYUaN1c.js?_nc_x=Ij3Wp8lg5Kz true Avira URL Cloud: phishing unknown

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation
https://sq-al.faceb iexplore.exe false Avira URL Cloud: safe unknown
search.chol.com/favicon.ico iexplore.exe false high
www.mercadolivre.com.br/ iexplore.exe false 0%, Virustotal, Browse Avira URL Cloud: safe low
www.merlin.com.pl/favicon.ico iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe unknown
www.joinfproxy.com/?sk=inbox7http://www.joinfproxy.com/images/icons/app/messages.ico iexplore.exe false Avira URL Cloud: phishing unknown
www.dailymail.co.uk/ iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
www.joinfproxy.com/?sk=nf3http://www.joinfproxy.com/images/icons/ iexplore.exe false Avira URL Cloud: phishing unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yA/r/dQ_TzJobF0o.js?_nc_x=Ij3Wp8lg5Kz iexplore.exe false high
https://static.xx.fbcdn.net/rsrc.php/v3/yj/r/ByFjTuPCeTM.js?_nc_x=Ij3Wp8lg5Kz iexplore.exe, bframe[1].htm.2.dr false high
https://sq-al.facebook iexplore.exe false Avira URL Cloud: safe unknown
agent.joinf.cn/images/icons/app/events.ico iexplore.exe true Avira URL Cloud: phishing unknown
https://pt-pt.face iexplore.exe false Avira URL Cloud: safe unknown
fr.search.yahoo.com/ iexplore.exe false high
in.search.yahoo.com/ iexplore.exe false high
https://fr-fr.messenger.com/ EIBLZYAZ.htm.2.dr false high
img.shopzilla.com/shopzilla/shopzilla.ico iexplore.exe false high
https://agent.joinf.cn/login/identify/?ctx=recover&ars=royal_blue_barJlY292ZXIvaW5pdGlhdGU/bHd2PTExM ~DF7A2EF64569FC7E1B.TMP.1.dr true Avira URL Cloud: phishing unknown
https://static.xx.fbcdn.net/rsrc.php/yo/r/iRmz9lCMBD2.ico iexplore.exe, ~DF7A2EF64569FC7E1B.TMP.1.dr, imagestore.dat.2.dr false high
msk.afisha.ru/ iexplore.exe false high
www.reddit.com/ msapplication.xml4.1.dr false high
busca.igbusca.com.br//app/static/images/favicon.ico iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
https://static.xx.fbcdn.net/rsrc.php/v3/y6/l/0 bframe[1].htm.2.dr false high
agent.joinf.cn/?sk=nf/http://agent.joinf.cn/images/icons/app/ iexplore.exe true Avira URL Cloud: phishing unknown
https://it-it.facebook {B4DC9C65-0B05-11EA-AADB-C25F135D3C65}.dat.1.dr false Avira URL Cloud: safe unknown
www.ya.com/favicon.ico iexplore.exe false high
www.etmall.com.tw/favicon.ico iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
it.search.dada.net/favicon.ico iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
agent.joinf.cn/facebook/policies/cookies/ cookies[1].htm.2.dr true Avira URL Cloud: phishing unknown

search.hanafos.com/favicon.ico iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
cgi.search.biglobe.ne.jp/favicon.ico iexplore.exe false 0%, Virustotal, Browse Avira URL Cloud: safe low
ocsp.pki.goog/gts1o10 iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe unknown
search.msn.co.jp/results.aspx?q= iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
buscar.ozu.es/ iexplore.exe false 0%, Virustotal, Browse Avira URL Cloud: safe low
https://static.xx.fbcdn.net/rsrc.php/v3/yD/l/0 bframe[1].htm.2.dr false high
ocsp.pki.goog/gsr202 iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe unknown
https://pki.goog/repository/0 iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe unknown
www.joinfproxy.com/about/privacy/updateRoot {B4DC9C65-0B05-11EA-AADB-C25F135D3C65}.dat.1.dr false Avira URL Cloud: phishing unknown
www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity iexplore.exe false high
https://static.xx.fbcdn.net/rsrc.php/v3/yI/r/LRVea4fy2y9.js?_nc_x=Ij3Wp8lg5Kz iexplore.exe false high
www.ask.com/ iexplore.exe false high
https://agent.joinf.cn/policies/cookies/ iexplore.exe true Avira URL Cloud: phishing unknown
www.google.it/ iexplore.exe false high
search.auction.co.kr/ iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
www.amazon.de/ iexplore.exe false high
sads.myspace.com/ iexplore.exe false high
https://s.update.fbsbx.com/2/843748/utils.html?ti= e24e1pKT5YP[1].js.2.dr false high
www.pchome.com.tw/favicon.ico iexplore.exe false 0%, Virustotal, Browse Avira URL Cloud: safe low
browse.guardian.co.uk/favicon.ico iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
crl.pki.goog/gsr2/gsr2.crl0? iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/b6E9gAus05g.js?_nc_x=Ij3Wp8lg5Kz iexplore.exe false high
google.pchome.com.tw/ iexplore.exe false 0%, Virustotal, Browse Avira URL Cloud: safe low
list.taobao.com/browse/search_visual.htm?n=15&q= iexplore.exe false high
www.rambler.ru/favicon.ico iexplore.exe false high
https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/iGksp69foR_.js?_nc_x=Ij3Wp8lg5Kz iexplore.exe false high
www.garagefonts.comhttp://www.joshuadarden.comhttps://www.garagefonts.comFreightSans dat762B.tmp.2.dr false Avira URL Cloud: safe unknown
uk.search.yahoo.com/ iexplore.exe false high
www.ozu.es/favicon.ico iexplore.exe false 0%, Virustotal, Browse Avira URL Cloud: safe low
search.sify.com/ iexplore.exe false high
openimage.interpark.com/interpark.ico iexplore.exe false high
search.yahoo.co.jp/favicon.ico iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
www.gmarket.co.kr/ iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
www.joinfproxy.com/legal/terms/updateover&ars=royal_blue_barJlY292ZXIvaW5pdGlhdGU/bHd2PTExMCZ ~DF7A2EF64569FC7E1B.TMP.1.dr false Avira URL Cloud: phishing unknown
search.nifty.com/ iexplore.exe false high
https://static.xx.fbcdn.net/rsrc.php/v3/yT/l/0 bframe[1].htm.2.dr false high
www.google.si/ iexplore.exe false high
www.soso.com/ iexplore.exe false high
agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29tL2hlbHAvMTk1MjI3OTIxMjUyNDAw update[1].htm.2.dr true Avira URL Cloud: phishing unknown
agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29tL2hlbHAvaW50ZWxsZWN0dWFsX3By update[1].htm.2.dr true Avira URL Cloud: phishing unknown
busca.orange.es/ iexplore.exe false high
cnweb.search.live.com/results.aspx?q= iexplore.exe false high

www.twitter.com/ msapplication.xml5.1.dr false high
auto.search.msn.com/response.asp?MT= iexplore.exe false high
www.target.com/ iexplore.exe false high
https://static.xx.fbcdn.net/rsrc.php/v3/yo/l/0 iframe[1].htm0.2.dr, iframe[1].htm.2.dr false high
https://static.xx.fbcdn.net/rsrc.php/v3/yi/r/OBaVg52wtTZ.png TOPRBCQQ.htm.2.dr false high
agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29tL2hlbHAvY29udGFjdC8yNTk1MTg3MTQ3 iexplore.exe true Avira URL Cloud: phishing unknown
agent.joinf.cn/facebook?u=aH&r=R0cHM6Ly93d3cuZmFjZWJvb2suY29t iexplore.exe true Avira URL Cloud: phishing unknown
search.orange.co.uk/favicon.ico iexplore.exe false 0%, Virustotal, Browse Avira URL Cloud: safe low
www.iask.com/ iexplore.exe false 0%, Virustotal, Browse Avira URL Cloud: safe low
search.centrum.cz/favicon.ico iexplore.exe false high
service2.bfast.com/ iexplore.exe false 0%, Virustotal, Browse URL Reputation: safe low
ariadna.elmundo.es/ iexplore.exe false high
www.news.com.au/favicon.ico iexplore.exe false 0%, Virustotal, Browse Avira URL Cloud: safe low
www.cdiscount.com/ iexplore.exe false high
www.tiscali.it/favicon.ico iexplore.exe false high
it.search.yahoo.com/ iexplore.exe false high
www.ceneo.pl/favicon.ico iexplore.exe false high
www.servicios.clarin.com/ iexplore.exe false high

Contacted IPs

Public

IP Country Flag ASN ASN Name Malicious
47.91.149.178 United States 45102 unknown true
185.60.216.6 Ireland 32934 unknown false
185.60.216.19 Ireland 32934 unknown false
185.60.216.35 Ireland 32934 unknown false
185.60.216.36 Ireland 32934 unknown false
157.240.15.22 United States 32934 unknown false
185.60.216.15 Ireland 32934 unknown false

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: 67

• 53 (DNS)

• 80 (HTTP)


TCP Packets



UDP Packets


DNS Queries

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Nov 19, 2019 11:49:35.522537947 CET 192.168.2.5 8.8.8.8 0xe50b Standard query (0) www.joinfproxy.com A (IP address) IN (0x0001)
Nov 19, 2019 11:49:37.000458002 CET 192.168.2.5 8.8.8.8 0x236f Standard query (0) agent.joinf.cn A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.060834885 CET 192.168.2.5 8.8.8.8 0xb734 Standard query (0) scontent-hkg3-2.xx.fbcdn.net A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.119072914 CET 192.168.2.5 8.8.8.8 0xa58e Standard query (0) facebook.com A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.343662024 CET 192.168.2.5 8.8.8.8 0x33c6 Standard query (0) fbcdn.net A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.542232990 CET 192.168.2.5 8.8.8.8 0xcb36 Standard query (0) fbsbx.com A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.740999937 CET 192.168.2.5 8.8.8.8 0xa081 Standard query (0) connect.facebook.net A (IP address) IN (0x0001)
Nov 19, 2019 11:49:55.484703064 CET 192.168.2.5 8.8.8.8 0x3005 Standard query (0) pixel.facebook.com A (IP address) IN (0x0001)
Nov 19, 2019 11:50:28.803518057 CET 192.168.2.5 8.8.8.8 0x5fb6 Standard query (0) agent.joinf.cn A (IP address) IN (0x0001)
Nov 19, 2019 11:51:02.765186071 CET 192.168.2.5 8.8.8.8 0xbfe6 Standard query (0) de-de.facebook.com A (IP address) IN (0x0001)
Nov 19, 2019 11:51:03.085506916 CET 192.168.2.5 8.8.8.8 0x7042 Standard query (0) static.xx.fbcdn.net A (IP address) IN (0x0001)
Nov 19, 2019 11:51:06.613114119 CET 192.168.2.5 8.8.8.8 0x96cb Standard query (0) fr-fr.facebook.com A (IP address) IN (0x0001)
Nov 19, 2019 11:51:09.160711050 CET 192.168.2.5 8.8.8.8 0x552f Standard query (0) cx.atdmt.com A (IP address) IN (0x0001)
Nov 19, 2019 11:51:15.731463909 CET 192.168.2.5 8.8.8.8 0x5383 Standard query (0) it-it.facebook.com A (IP address) IN (0x0001)
Nov 19, 2019 11:51:23.060081005 CET 192.168.2.5 8.8.8.8 0xffa3 Standard query (0) pt-pt.facebook.com A (IP address) IN (0x0001)
Nov 19, 2019 11:51:28.816099882 CET 192.168.2.5 8.8.8.8 0x3864 Standard query (0) sq-al.facebook.com A (IP address) IN (0x0001)

DNS Answers

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Nov 19, 2019 11:49:35.874118090 CET 8.8.8.8 192.168.2.5 0xe50b No error (0) www.joinfproxy.com 47.91.149.178 A (IP address) IN (0x0001)
Nov 19, 2019 11:49:37.343982935 CET 8.8.8.8 192.168.2.5 0x236f No error (0) agent.joinf.cn 47.91.149.178 A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.098078966 CET 8.8.8.8 192.168.2.5 0xb734 No error (0) scontent-hkg3-2.xx.fbcdn.net 157.240.15.22 A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.154145956 CET 8.8.8.8 192.168.2.5 0xa58e No error (0) facebook.com 185.60.216.35 A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.379194021 CET 8.8.8.8 192.168.2.5 0x33c6 No error (0) fbcdn.net 185.60.216.35 A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.577048063 CET 8.8.8.8 192.168.2.5 0xcb36 No error (0) fbsbx.com 185.60.216.35 A (IP address) IN (0x0001)
Nov 19, 2019 11:49:38.775857925 CET 8.8.8.8 192.168.2.5 0xa081 No error (0) connect.facebook.net scontent.xx.fbcdn.net CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:49:38.775857925 CET 8.8.8.8 192.168.2.5 0xa081 No error (0) scontent.xx.fbcdn.net 185.60.216.19 A (IP address) IN (0x0001)
Nov 19, 2019 11:49:55.519766092 CET 8.8.8.8 192.168.2.5 0x3005 No error (0) pixel.facebook.com z-m.c10r.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:49:55.519766092 CET 8.8.8.8 192.168.2.5 0x3005 No error (0) z-m.c10r.facebook.com 185.60.216.36 A (IP address) IN (0x0001)
Nov 19, 2019 11:50:29.146650076 CET 8.8.8.8 192.168.2.5 0x5fb6 No error (0) agent.joinf.cn 47.91.149.178 A (IP address) IN (0x0001)
Nov 19, 2019 11:51:02.802969933 CET 8.8.8.8 192.168.2.5 0xbfe6 No error (0) de-de.facebook.com star.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:02.802969933 CET 8.8.8.8 192.168.2.5 0xbfe6 No error (0) star.facebook.com star.c10r.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:02.802969933 CET 8.8.8.8 192.168.2.5 0xbfe6 No error (0) star.c10r.facebook.com 185.60.216.15 A (IP address) IN (0x0001)
Nov 19, 2019 11:51:03.122356892 CET 8.8.8.8 192.168.2.5 0x7042 No error (0) static.xx.fbcdn.net scontent.xx.fbcdn.net CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:03.122356892 CET 8.8.8.8 192.168.2.5 0x7042 No error (0) scontent.xx.fbcdn.net 185.60.216.19 A (IP address) IN (0x0001)
Nov 19, 2019 11:51:06.648487091 CET 8.8.8.8 192.168.2.5 0x96cb No error (0) fr-fr.facebook.com star.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:06.648487091 CET 8.8.8.8 192.168.2.5 0x96cb No error (0) star.facebook.com star.c10r.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:06.648487091 CET 8.8.8.8 192.168.2.5 0x96cb No error (0) star.c10r.facebook.com 185.60.216.15 A (IP address) IN (0x0001)
Nov 19, 2019 11:51:09.196171045 CET 8.8.8.8 192.168.2.5 0x552f No error (0) cx.atdmt.com atlas.c10r.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:09.196171045 CET 8.8.8.8 192.168.2.5 0x552f No error (0) atlas.c10r.facebook.com 185.60.216.6 A (IP address) IN (0x0001)
Nov 19, 2019 11:51:15.766516924 CET 8.8.8.8 192.168.2.5 0x5383 No error (0) it-it.facebook.com star.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:15.766516924 CET 8.8.8.8 192.168.2.5 0x5383 No error (0) star.facebook.com star.c10r.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:15.766516924 CET 8.8.8.8 192.168.2.5 0x5383 No error (0) star.c10r.facebook.com 185.60.216.15 A (IP address) IN (0x0001)
Nov 19, 2019 11:51:23.095483065 CET 8.8.8.8 192.168.2.5 0xffa3 No error (0) pt-pt.facebook.com star.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:23.095483065 CET 8.8.8.8 192.168.2.5 0xffa3 No error (0) star.facebook.com star.c10r.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:23.095483065 CET 8.8.8.8 192.168.2.5 0xffa3 No error (0) star.c10r.facebook.com 185.60.216.15 A (IP address) IN (0x0001)
Nov 19, 2019 11:51:28.850986958 CET 8.8.8.8 192.168.2.5 0x3864 No error (0) sq-al.facebook.com star.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:28.850986958 CET 8.8.8.8 192.168.2.5 0x3864 No error (0) star.facebook.com star.c10r.facebook.com CNAME (Canonical name) IN (0x0001)
Nov 19, 2019 11:51:28.850986958 CET 8.8.8.8 192.168.2.5 0x3864 No error (0) star.c10r.facebook.com 185.60.216.15 A (IP address) IN (0x0001)

HTTP Request Dependency Graph

www.joinfproxy.com
agent.joinf.cn

HTTP Packets


Session ID Source IP Source Port Destination IP Destination Port Process

0 192.168.2.5 49715 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:36.226774931 CET

0 OUT GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.joinfproxy.com
Connection: Keep-Alive

Nov 19, 2019 11:49:36.750426054 CET

2 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:36 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
P3P: CP="Facebook has no P3P policy fb.me/p3p"
Cache-Control: private, no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=15552000; preload
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Content-Type: text/html;charset=utf-8
X-FB-Debug: GVGE2oXlAC/wZukVAVEOy9oO73y0b3iZwXYVC6g2Q2UWQi9s/kViWbtvxbXHBlsjX7xWTaMPjZq0UqenI+Lvzw==
Alt-Svc: h3-23=":443"; ma=3600
Set-Cookie: fr=1eTjJVMiQZ9ySWbSf..Bd08jA.ka.AAA.0.0.Bd08jA.AWW0tbVB; expires=Mon, 17-Feb-2020 10:49:35 GMT; Max-Age=7775999; path=/; domain=.joinf.cn; httponly
Set-Cookie: sb=wMjTXXZph9yITlS0rO9Qj_9z; expires=Thu, 18-Nov-2021 10:49:36 GMT; Max-Age=63072000; path=/; domain=.joinf.cn; httponly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Data Ascii: 1f3a<html lang="en" id="facebook" class="no_js"><head><meta charset="utf-8"><meta name="referrer" content="default" id="meta_referrer"><script>window._cstart=+new Date();</script><script>function envFlush(

Session ID Source IP Source Port Destination IP Destination Port Process

1 192.168.2.5 49717 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:38.007592916 CET

60 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lnL2wvMCxjcm9zcy9kV21qSDN1OE5WRi5jc3M/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1
Accept: text/css, */*
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive


Nov 19, 2019 11:49:38.373991013 CET

155 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:38 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: text/css; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: RVg8QjmnXU2Skh8XfnCY/w==
Cache-Control: public,max-age=31536000,immutable
Expires: Tue, 17 Nov 2020 18:36:40 GMT
X-FB-Debug: TqYWwQp0A+HiilzoZbXULfz2LE7p4vxn98HH8EexyzXwbVno9dsLYk7/2e2PkBbpDEhQW8rOsAOCyk20TEpakw==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 3946
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Data Ascii: .fbForBusinessWrapper{margin:0 auto;width:980px}.fbForBusinessContent{border-bottom:1px solid #f2f2f2;position:relative}.fbForBusinessNoBorder{border-bottom:none}.fbForBusinessRightCol img{background-color:#ccc;border:5px solid #fafafa;float:right;padding:1px}.fbBusinessHomeVideo{background-color:#fff;border:1px solid #ccc}.fbForBusinessContent img,.fbForBusinessFloatedLeft{display:block;float:left}.fbForBusinessPageHeader{margin-top:40px}.fbForBusinessHomePageHeaderText{margin-top:50px}.fbMarketingMenu{list-sty

Nov 19, 2019 11:49:38.430510044 CET

185 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lUL2wvMCxjcm9zcy81aXNJV09EZjJyTy5jc3M/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1
Accept: text/css, */*
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:38.795861959 CET

337 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:38 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: text/css; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: 3kaS8SZ0PmPpP8bcotI4xg==
Cache-Control: public,max-age=31536000,immutable
Expires: Mon, 16 Nov 2020 05:11:49 GMT
X-FB-Debug: +vyRvCOXEo+e0RoTyVHsgGd4/Tw79Kb2SLWM3oiiv76pboWxaH2jjbMLUucY5lBu2bv0CIR3BB+tOogukAWssQ==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 29316
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Data Ascii: ._1bnq{font-size:14px;font-weight:bold;padding-bottom:4px}._1bnr{font-size:14px}._2nug{width:200}._2nuh{position:relative}._4f38{margin-bottom:20px}._5_6e{color:#4b4f56;font-size:18px;margin-bottom:20px}._4f3a{color:#4b4f56;margin-bottom:4px}._4f3b{border-radius:2px;color:#666;display:flex;padding:4px 4px 3px}._7ai1{color:#666}._1ka1{margin-right:4px}._4lfm{margin-top:20px}._4f3b:hover,._4f3b:focus{background:#dadde1;text-decoration:none}._yoz,._1u6q{display:none}._2-cv{max-width:640px}._1u6r{align-items:cente


Nov 19, 2019 11:49:43.090621948 CET

1261 OUT GET /rsrc.php/v3/yl/r/O6NksE4uoLC.png HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:43.445282936 CET

1365 IN HTTP/1.1 200 OK
Date: Fri, 15 Nov 2019 04:51:04 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: image/png
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: oZtAJpOMBuP9WeB58KN3rA==
Cache-Control: public,max-age=31536000,immutable
Expires: Sat, 14 Nov 2020 04:51:04 GMT
X-FB-Debug: 50jSD580wmN3+dHt68nQqc59d0Eqlts3kL6GiI0RxGzqvmEESoJtWYMwadMFcBqeN2uktZr13zfvxsLlD43ZIQ==
Content-Length: 1163
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive

Nov 19, 2019 11:49:47.453804016 CET

3007 OUT GET /static/rsrc.php/v3ie_l4/yT/l/en_US/RCJbNX5Ogbs.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:47.810070038 CET

3089 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:47 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
X-UA-Compatible: IE=edge
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: xM8pLAxbY7WMLv/K9TuQHQ==
Cache-Control: public,max-age=31536000,immutable
Expires: Mon, 16 Nov 2020 02:21:19 GMT
X-FB-Debug: fPhJ2FtG2/FAo8N7pSpglfxiGzYOf7ja5Q/6DsMkgbpgvX30WLmo72wm2X3ST/MVZm8m4jn70GyvL6bNrKbTFQ==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 101201
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Data Raw: 69
Data Ascii: i

Nov 19, 2019 11:49:49.712685108 CET

4022 OUT GET /static/rsrc.php/v3/yQ/r/SgyPmYUaN1c.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive


Nov 19, 2019 11:49:50.069499969 CET

4153 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:49 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: A78bE5dRWWAxO337AIfS9w==
Cache-Control: public,max-age=31536000,immutable
Expires: Tue, 17 Nov 2020 17:56:44 GMT
X-FB-Debug: YqKs0qrMXGK1cdFXthe+mCfmxLtU2dyJX6lcddbIYNZghvqKDBSgAdUQV2lRI3KR5Hgp5zxEdnTalmkMk1ISwQ==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 161640
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Data Ascii: if (self.CavalryLogger) { CavalryLogger.start_js(["Y23b9"]); }__d("requestIdleCallbackBlue",["TimerStorage","TimeSlice","requestIdleCallbackAcrossTransitions"],(function(a,b,c,d,e,f){e.exports=function(c,d){var e;function f(a){b("TimerStorage").unset(b("TimerStorage").IDLE_CALLBACK,e),c(a)}b("TimeSlice").copyGuardForWrapper(c,f);e=b("requestIdleCallbackAcrossTransitions").call(a,f,d);b("TimerStorage").set(b("TimerStorage").IDLE_CALLBACK,e);return e}}),null);__d("Scheduler-dev",["SchedulerFeat


Session ID Source IP Source Port Destination IP Destination Port Process

10 192.168.2.5 49735 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:48.332392931 CET

3239 OUT GET /intern/common/referer_frame.php HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.joinfproxy.com
Connection: Keep-Alive

Nov 19, 2019 11:49:48.855935097 CET

3491 IN HTTP/1.1 404 Not Found
Date: Tue, 19 Nov 2019 10:49:48 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
P3P: CP="Facebook has no P3P policy fb.me/p3p"
Cache-Control: private, no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=15552000; preload
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Content-Type: text/html;charset=utf-8
X-FB-Debug: zArmNbcj55va5871C9P4wBHT8qUIptEYeTPUV4+EURRse89dHyqtjzhv/FL89a4zbB4E9tyyjBcXLrnAD5NIHg==
Alt-Svc: h3-23=":443"; ma=3600
Set-Cookie: fr=1bvs6as95Ypswbfnx..Bd08jM.Iw.AAA.0.0.Bd08jM.AWXAqbqg; expires=Mon, 17-Feb-2020 10:49:47 GMT; Max-Age=7775999; path=/; domain=.joinf.cn; httponly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Data Ascii: 420<html lang="en" id="facebook" class="no_js"><head><meta charset="utf-8"><meta name="referrer" content="default" id="meta_referrer"><script>window._cstart=+new Date();</script><script>function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.E


Session ID Source IP Source Port Destination IP Destination Port Process

11 192.168.2.5 49738 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:50.093059063 CET

4169 OUT GET /static/rsrc.php/v3iTQy4/yp/l/en_US/QLSN9IUafxl.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:50.435575962 CET

4248 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:50 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: bEiXSFu3r35kR+QRqCk+Pg==
Cache-Control: public,max-age=31536000,immutable
Expires: Mon, 16 Nov 2020 14:58:17 GMT
X-FB-Debug: fqrzfDfh2bbmWghaPe+VC/jdyxI9ByDsFJNusKhqhh8mzGwyKAdDQcs8z7H+oYPfP5TZ0xFFuGvkuNnhOnnVpw==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 44505
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Data Ascii: if (self.CavalryLogger) { CavalryLogger.start_js(["nBnxb"]); }__d("Dialog",["fbt","Animation","Arbiter","AsyncRequest","Button","ContextualThing","CSS","DOM","Env","Event","Focus","Form","HTML","Keys","Locale","PageTransitions","Parent","Run","Style","URI","Vector","bind","createArrayFromMixed","emptyFunction","getObjectValues","getOverlayZIndex","removeFromArray","shield"],(function $module_Dialog(global,require,requireDynamic,requireLazy,module,exports,fbt){__p&&__p();var c_Env,c_URI,_suppor

Nov 19, 2019 11:49:51.700598955 CET

4390 OUT GET /static/rsrc.php/v3/y4/r/-PAXP-deijE.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:52.043493032 CET

4421 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:51 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: image/gif
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: YRyRbJo4R7CNEE1X8k7Jfg==
Cache-Control: public,max-age=31536000,immutable
Expires: Sat, 14 Nov 2020 17:54:06 GMT
X-FB-Debug: I0aupOb34wp/FVVr2I779oPAdFiZla9/EHqikAV67J/qrrt61lRmJsr9lORs5Xj5DA0Bm3Ih8E2aSnyywbH8sA==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 43
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 2f 61 6c 6f 6b 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b
Data Ascii: GIF89a/alok!,D;

Session ID Source IP Source Port Destination IP Destination Port Process

12 192.168.2.5 49737 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe


Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:50.097790956 CET

4170 OUT GET /static/rsrc.php/v3ivK94/yW/l/en_US/-fNtMGApV03.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:50.442398071 CET

4260 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:50 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: a2mk8QBsK7gf96eBtC8S6w==
Cache-Control: public,max-age=31536000,immutable
Expires: Mon, 16 Nov 2020 14:30:19 GMT
X-FB-Debug: OSmUSj+BfM+uo2Ne/xNTWCl9BU5QwvvjAM7qv7a67pxeo44uXoDTxxnF9Qrm9HsGuOkdrk2R/4AMk/FwXcWxfQ==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 14288
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Data Ascii: if (self.CavalryLogger) { CavalryLogger.start_js(["YU8+l"]); }__d("MessengerMQTTGating",[],(function(a,b,c,d,e,f){"use strict";var g={_forcedOff:!1,isEnabled:function(){return!g._forcedOff},turnOff:function(){g._forcedOff=!0}};e.exports=g}),null);__d("isAdsExcelAddinURI",[],(function(a,b,c,d,e,f){var g=new RegExp("(^|\\.)fbaddins\\.com$","i"),h=["https"];function a(a){if(a.isEmpty()&&a.toString()!=="#")return!1;return!a.getDomain()&&!a.getProtocol()?!1:h.indexOf(a.getProtocol())!==-1&&g.test(

Nov 19, 2019 11:49:51.839150906 CET

4391 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lwL3IvVTRCMDZuTE1HUXQucG5n HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: http://www.joinfproxy.com/intern/common/referer_frame.php
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive


Nov 19, 2019 11:49:52.184067965 CET

4422 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:52 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: image/png
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: 5QrA65A8qw+cAvr9er3YXA==
Cache-Control: public,max-age=31536000,immutable
Expires: Sat, 07 Nov 2020 00:38:16 GMT
X-FB-Debug: y99kM2x1gbU7jjkZoDbSyJRYP2xk9Ms1sbly6CVmprQDJnB/hwdWGVgErfRsod/9d1QI0Dhk3+mZDQbP5+RdPg==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 11134
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive


Session ID Source IP Source Port Destination IP Destination Port Process

13 192.168.2.5 49743 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:50:00.087872982 CET

4475 OUT POST /ajax/bz HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.joinfproxy.com
Content-Length: 10805
Connection: Keep-Alive
Cache-Control: no-cache

Nov 19, 2019 11:50:00.553596973 CET

4487 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:50:00 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-XSS-Protection: 0
X-Frame-Options: DENY
Pragma: no-cache
Strict-Transport-Security: max-age=15552000; preload
Access-Control-Expose-Headers: X-FB-Debug, X-Loader-Length
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
Vary: Origin
Cache-Control: private, no-cache, no-store, must-revalidate
Access-Control-Allow-Origin: https://facebook.com
Access-Control-Allow-Methods: OPTIONS
Content-Type: text/html; charset="utf-8"
X-FB-Debug: rS0aoc1IOfhdqjwFk10jDBPKf4EzV79NUjE9R4FMFmjZfUXjT3fmKhEukfh4RvF62CUnIOzjpaglDLPY60v5cA==
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

Session ID Source IP Source Port Destination IP Destination Port Process

14 192.168.2.5 49744 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe


Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:50:29.491652012 CET

4491 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3lvL3IvaVJtejlsQ01CRDIuaWNv HTTP/1.1
User-Agent: AutoIt
Host: agent.joinf.cn

Nov 19, 2019 11:50:29.831828117 CET

4492 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:50:29 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: image/x-icon
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: 0oUNMbHN7JHLbtJJ2ZL3QA==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 08 Nov 2020 16:17:47 GMT
X-FB-Debug: FzcBrjXFO5U/b0z53f3YIfB9T7kQ/CNzQ58BsVBDCDvnKO7peB02VMXw8V/Jkzf3cP7e8+WITRcHDhoD60dNjw==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 5430

Session ID Source IP Source Port Destination IP Destination Port Process

15 192.168.2.5 49745 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

16 192.168.2.5 49746 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

17 192.168.2.5 49750 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

18 192.168.2.5 49752 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

19 192.168.2.5 49749 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data


Session ID Source IP Source Port Destination IP Destination Port Process

2 192.168.2.5 49721 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:38.008619070 CET

60 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3k1L2wvMCxjcm9zcy9NTmR5aWhCYS01ZS5jc3M/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1
Accept: text/css, */*
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:38.357106924 CET

109 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:38 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: text/css; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: 62+Fg3dN4SmwJkxhV0FshQ==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 16:18:41 GMT
X-FB-Debug: 2yTMnV+Lj/8eeZreCeaYN91xeu2XbiX3NZ6o80BU8ij+xlCZnRez5XJCUcaySVXHF4Qc3HZWsAkgvlHr2Gd/rA==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 99334
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

Nov 19, 2019 11:49:43.086968899 CET

1261 OUT GET /rsrc.php/v3/yk/r/wNrDztRHHAl.png HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive


Nov 19, 2019 11:49:43.426011086 CET

1327 IN HTTP/1.1 200 OK
Date: Sat, 16 Nov 2019 12:49:28 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: image/png
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: DpKmZivKAr0us1EpDHvTfw==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 12:49:28 GMT
X-FB-Debug: YXUlGIbf6wsyt9XPjwqjh/W0Ci9Hh86FS1vWmaamK3swLqTt7nE4MZHBKkWxDR3/FpTQauS0cWn94EgP7b2Ppw==
Content-Length: 18814
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive

Nov 19, 2019 11:49:47.442831039 CET

3006 OUT GET /static/rsrc.php/v3/yz/r/1BjrYUERys4.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:47.781980991 CET

3077 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:47 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: Ku7cF7w+YEtw+GBSxWxIHw==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 18:55:58 GMT
X-FB-Debug: ss7dpp1URLAxwaltTEdeV/H8Jq02GqzDKbf14tPV/YlhgEYtVcAtTrGy0YhTntJHd+/u6eWmVlzz+m5NzObAlg==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 501
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive


Nov 19, 2019 11:49:47.869009018 CET

3101 OUT GET /static/rsrc.php/v3/yC/r/QVzj7eb7Sfv.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:48.208544016 CET

3208 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:48 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: UD3+hpc+mjcHrW7UMiZKpg==
Cache-Control: public,max-age=31536000,immutable
Expires: Tue, 17 Nov 2020 13:11:53 GMT
X-FB-Debug: jmH3J0x53F96J2gwKCnLgv9BD4rDgrUVGZL43QaM0tj7SY7ummxS4HpHrhA/e9JJiFASuyXVk3c1d163So1kIQ==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 4470
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive

Nov 19, 2019 11:49:48.337340117 CET

3240 OUT GET /static/rsrc.php/v3i1md4/yp/l/en_US/1U-D-BJnUfo.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:48.677151918 CET

3395 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:48 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: 8Bi3uHiJsS5xzeyQpQulJw==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 16:55:34 GMT
X-FB-Debug: Dc5o4RwEs7gadDOwnWf2AtCezLiEIMm7BEdVIE+6dcqnRXlBCxM+PjO/COQacPwVk6izSG8yj45Cc/OEaTcsBA==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 106070
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Data Raw: 69
Data Ascii: i


Session ID Source IP Source Port Destination IP Destination Port Process

20 192.168.2.5 49754 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data


Session ID Source IP Source Port Destination IP Destination Port Process

21 192.168.2.5 49755 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

22 192.168.2.5 49761 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

23 192.168.2.5 49757 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

24 192.168.2.5 49759 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

25 192.168.2.5 49758 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

26 192.168.2.5 49760 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Session ID Source IP Source Port Destination IP Destination Port Process

3 192.168.2.5 49720 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:38.009865999 CET

61 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lJL2wvMCxjcm9zcy95TGc2MkZpRGpURC5jc3M/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1
Accept: text/css, */*
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive


Nov 19, 2019 11:49:38.359839916 CET

131 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:38 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: text/css; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
X-UA-Compatible: IE=edge
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: DucpAogYFqxgTFsAK9GQ2w==
Cache-Control: public,max-age=31536000,immutable
Expires: Wed, 18 Nov 2020 09:35:18 GMT
X-FB-Debug: fCmy11OMDaHPDlMC9OXeHsYpqxzsbyxcAdUlr6+VSfghu+qTDiUaM7VGFqgqPq2i8UDtan+QQqn1DTtE2YsBzg==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 115257
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Data Raw: 2e
Data Ascii: .

Nov 19, 2019 11:49:43.083623886 CET

1261 OUT GET /rsrc.php/v3/yG/r/CQy3OlLfs65.png HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:43.423283100 CET

1315 IN HTTP/1.1 200 OK
Date: Sat, 16 Nov 2019 12:17:14 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: image/png
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: XkDhTf6xsx0KJxtyBPHAoQ==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 12:17:14 GMT
X-FB-Debug: zbSWsD2J1S3y0l3PdI18LWvQTNY7RSh0SxjcBuQQ98IhtZfhMZNi9d0477kHWvHCbx75YHo7la2xnLQGMPXvNg==
Content-Length: 12617
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive

Nov 19, 2019 11:49:47.450855970 CET

3007 OUT GET /static/rsrc.php/v3/yU/r/b6E9gAus05g.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive


Nov 19, 2019 11:49:47.791352987 CET

3078 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:47 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: JjK/lvN+V47pB60fAGWHWg==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 15:11:45 GMT
X-FB-Debug: 0f93MicBxlCTjD7Kcip926WqLyzmhr28RfWaZoHK6eLa1d4eT9CXwKWfgb6YhHaD+YIngVT9NllKnoUpeT/M3w==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 95272
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive

Nov 19, 2019 11:49:49.713646889 CET

4022 OUT GET /static/rsrc.php/v3/y7/r/svFKQXueTby.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:50.053531885 CET

4122 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:49 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: moIWlSdfIFzJ4/beS7kdug==
Cache-Control: public,max-age=31536000,immutable
Expires: Fri, 13 Nov 2020 02:49:57 GMT
X-FB-Debug: O/WZnc3zPeDMkvc67YVlhyMyAyAyFNyT9MHQO+lLvnf4xKxsK46UTKAnBGqoGx5u7RL1W6QuDPN9X0A5irfbQQ==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 7750
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive


Session ID Source IP Source Port Destination IP Destination Port Process

4 192.168.2.5 49719 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:38.012952089 CET

61 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lrL2wvMCxjcm9zcy9HN1h6Y2FTMVFtTS5jc3M/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1
Accept: text/css, */*
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:38.337304115 CET

96 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:38 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: text/css; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: M8jeZhmFCAmKrvJ28Y6i/A==
Cache-Control: public,max-age=31536000,immutable
Expires: Mon, 16 Nov 2020 16:13:27 GMT
X-FB-Debug: DVxFKCzVL0P6WrPjzRpki2Z9MPs9L/KBgZSZGDfpwBPEKBG93cStivh1QaT2s2PozxZiTFe5+b57auO7BC1r7w==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 235738
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

Nov 19, 2019 11:49:42.787528992 CET

1260 OUT GET /static/rsrc.php/v3iIJC4/yf/l/en_US/Nmb_F6p7z4a.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive

Nov 19, 2019 11:49:43.122634888 CET

1262 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:42 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: application/x-javascript; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: alhaHZt7MSgeaEiXUiMOLg==Cache-Control: public,max-age=31536000,immutableExpires: Wed, 18 Nov 2020 04:50:01 GMTX-FB-Debug: xgjz+4zIfAvm+qtBt1CU3m7HMfpw0Fix4EnD1+pz1neuqCSpTeCD6nrvugjlD7hH5cl9R/Nlbw6Tzb+pR+GzoA==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 515585Keep-Alive: timeout=5, max=99Connection: Keep-AliveData Raw: 69 Data Ascii: i


Nov 19, 2019 11:49:47.436016083 CET

3005 OUT GET /static/rsrc.php/v3/yx/r/TSwa_FPpysc.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive

Nov 19, 2019 11:49:47.759746075 CET

3042 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:47 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: application/x-javascript; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: uGkjMni04DHQ6lcJzi89Pw==Cache-Control: public,max-age=31536000,immutableExpires: Sun, 15 Nov 2020 15:28:53 GMTX-FB-Debug: h0QIy0ssDs7IGpjskkXpEhbV68KjzhgTSFwbC5C5taSzmatPcxwR2zGMx8o6/evM7+w3gK6pGU/TOvE0m02wxw==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 16338Keep-Alive: timeout=5, max=98Connection: Keep-AliveData Raw: 69 Data Ascii: i

Nov 19, 2019 11:49:47.860661030 CET

3100 OUT GET /static/rsrc.php/v3iYXl4/yN/l/en_US/NxAfI9A4Tnd.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive

Nov 19, 2019 11:49:48.184936047 CET

3183 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:48 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: application/x-javascript; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: rS2oHRvwr8eRRm1dydYIuA==Cache-Control: public,max-age=31536000,immutableExpires: Sun, 15 Nov 2020 20:19:08 GMTX-FB-Debug: 2BKWhPkjOQwDB2Sv1ss8B57TKuG0Gm3pyX1g9Gv5njQ1sDuaKqmIFoE0PLdDpCATeIBCnywYwHUTyisrwS0JVw==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 29764Keep-Alive: timeout=5, max=97Connection: Keep-AliveData Raw: 69 Data Ascii: i

Nov 19, 2019 11:49:49.711990118 CET

4021 OUT GET /static/rsrc.php/v3/y9/r/h-GkR7hjZkA.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive


Nov 19, 2019 11:49:50.035778999 CET

4111 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:49 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: application/x-javascript; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: 2NC3ZJF/rErSB3qXAiRktA==Cache-Control: public,max-age=31536000,immutableExpires: Sun, 15 Nov 2020 23:00:50 GMTX-FB-Debug: zhnQpDsK4hCwje9lSbttpt9m4VpZUDGnztDUKNBqO2BV7gDAY9D2IjfBTDUtju8pkmFfMZBDarupldZKW9CHXA==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 15665Keep-Alive: timeout=5, max=96Connection: Keep-Alive Data Ascii: if (self.CavalryLogger) { CavalryLogger.start_js(["np5Vl"]); }__d("ScriptPathState",["Arbiter"],(function(a,b,c,d,e,f){__p&&__p();var g,h,i,j,k=100,l={setIsUIPageletRequest:function(a){i=a},setUserURISampleRate:function(a){j=a},reset:function(){g=null,h=!1,i=!1},_shouldUpdateScriptPath:function(){return h&&!i},_shouldSendURI:function(){return Math.random()<j},getParams:function(){var a={};l._shouldUpdateScriptPath()?l._shouldSendURI()&&g!==null&&(a.user_uri=g.substring(0,k)):a.no_script_path=1;


Session ID Source IP Source Port Destination IP Destination Port Process

5 192.168.2.5 49716 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:38.017383099 CET

62 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3k2L2wvMCxjcm9zcy9jRGp5QVBQbmtrcC5jc3M/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1Accept: text/css, */*Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive


Nov 19, 2019 11:49:38.357525110 CET

120 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:38 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: text/css; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: y/eL/pk4pobGv5ItaQ0ILQ==Cache-Control: public,max-age=31536000,immutableExpires: Sun, 15 Nov 2020 15:47:21 GMTX-FB-Debug: UieMQjwjKODS1BbfxEwK8ifc9NDvN1JJGzRsB+qteuk8AyfEm6aUFyVTetlWCAuBKmmHDNhVfEeY6eCJ+SrSBw==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 23406Keep-Alive: timeout=5, max=100Connection: Keep-Alive Data Ascii: .UIContentTopper{padding:14px 0 0 17px;margin:50px auto 15px auto;border-top:2px solid #d3dae6}.UIContentTopperSlim{padding:0 0 0 17px;margin:0 auto 15px auto}.UIContentTopper_footer{width:578px;margin:5px auto 0 auto;font-size:9px}.UIContentTopper_text_container{margin-top:6px;width:465px;float:left}.UIContentTopper_text_headline{font-size:15px;font-weight:bold}.UIContentTopper_text{font-size:11px;margin-top:4px}.UIContentTopper_large .UIContentTopper_text{width:400px}.UIContentTopper_text_bold{font-weight:bol

Nov 19, 2019 11:49:38.725240946 CET

294 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lqL3IvQnlGalR1UENlVE0uanM/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive

Nov 19, 2019 11:49:39.078970909 CET

439 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:38 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: application/x-javascript; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: XvU4kuLc4l4bGmLHXc8PZg==Cache-Control: public,max-age=31536000,immutableExpires: Sat, 14 Nov 2020 18:53:32 GMTX-FB-Debug: U4QwUZxy38wDH0KtE2YCYsx9k3M9ty2aCyBCEX3WNdo5PcBN+VWm8MPA9yTF9ke4oN3S3L71y55MOa+eQm9TlA==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 337335Keep-Alive: timeout=5, max=99Connection: Keep-Alive Data Ascii: if (self.CavalryLogger) { CavalryLogger.start_js(["q66WY"]); }self.__DEV__=self.__DEV__||0,self.emptyFunction=function(){};"use strict";Array.from||(Array.from=function(a){if(a==null)throw new TypeError("Object is null or undefined");var b=arguments[1],c=arguments[2],d=this,e=Object(a),f=typeof Symbol==="function"?typeof Symbol==="function"?Symbol.iterator:"@@iterator":"@@iterator",g=typeof b==="function",h=typeof e[f]==="function",i=0,j,k;if(h){j=typeof d==="function"?new d():[];var l=e[f](


Nov 19, 2019 11:49:42.780136108 CET

1259 OUT GET /static/rsrc.php/v3i3Gb4/ys/l/en_US/7W_zzge2D8D.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive

Nov 19, 2019 11:49:43.129458904 CET

1276 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:42 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: application/x-javascript; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: LBUPp52DuqjtnGoASsdbtQ==Cache-Control: public,max-age=31536000,immutableExpires: Wed, 18 Nov 2020 02:26:49 GMTX-FB-Debug: 5Ei6EyhMdWrdbp310XRU0D8r2aFi0aJfe8KDKDhuyjQBHvDRZ6GVPgZenzN5ojsQJxvgo5f30Y+mcsdgOF1Asg==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 718345Keep-Alive: timeout=5, max=98Connection: Keep-Alive Data Ascii: if (self.CavalryLogger) { CavalryLogger.start_js(["iJOX7"]); }__d("UFI2ViewOption",["qex"],(function(a,b,c,d,e,f){"use strict";a={isChronologicalOrder:function(a){var c=b("qex");if(a==="FRIENDS_COMMENTS"&&!c._("1080217"))return!1;switch(a){case"RECENT_ACTIVITY":case"RANKED_THREADED":case"RANKED_UNFILTERED":case"LIVE_STREAMING":case"RANKED_SUB_REPLIES":case"RANKED_REPLIES":return!1}return!0}};e.exports=a}),null);__d("UFI2CommentsListState",["invariant","ErrorUtils","FBLogger","UFI2ViewOption",

Nov 19, 2019 11:49:47.426805973 CET

3005 OUT GET /static/rsrc.php/v3/yR/r/e24e1pKT5YP.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive


Nov 19, 2019 11:49:47.767225027 CET

3060 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:47 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: application/x-javascript; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: rYegUu/am7x0mJnjTaVdqw==Cache-Control: public,max-age=31536000,immutableExpires: Sun, 15 Nov 2020 15:22:45 GMTX-FB-Debug: Ao65AEJ+oRFdtuQYTPAKergFBOq+Uq7+Zn8fgGd0w7Hu5zHWiizuP/IF3vIkDlRVi21FnkIDkq57wBUDLGSoqQ==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 15392Keep-Alive: timeout=5, max=97Connection: Keep-Alive Data Ascii: if (self.CavalryLogger) { CavalryLogger.start_js(["pvgaW"]); }__d("LoggedOutSwitchingLocaleTypedLogger",["Banzai","GeneratedLoggerUtils","nullthrows"],(function(a,b,c,d,e,f){"use strict";__p&&__p();a=function(){__p&&__p();function a(){this.$1={}}var c=a.prototype;c.log=function(){b("GeneratedLoggerUtils").log("logger:LoggedOutSwitchingLocaleLoggerConfig",this.$1,b("Banzai").BASIC)};c.logVital=function(){b("GeneratedLoggerUtils").log("logger:LoggedOutSwitchingLocaleLoggerConfig",this.$1,b("Banza

Nov 19, 2019 11:49:47.874447107 CET

3101 OUT GET /static/rsrc.php/v3iVop4/yZ/l/en_US/N-He0del83q.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive

Nov 19, 2019 11:49:48.234545946 CET

3213 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:48 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: application/x-javascript; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: mMX0+Ap9w04Aj4lP22tAOg==Cache-Control: public,max-age=31536000,immutableExpires: Sun, 15 Nov 2020 14:57:29 GMTX-FB-Debug: j6Wm3sICe0/t9DkuFNVGeimXSA0vQ2+lNOMuK3/0sj0lvUq05neukjnn4pu4JUpekQRhuvuBvDrf5sXIdWIqQA==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 12100Keep-Alive: timeout=5, max=96Connection: Keep-AliveData Raw: 69 Data Ascii: i

Nov 19, 2019 11:49:48.332758904 CET

3239 OUT GET /static/rsrc.php/v3i1HE4/yx/l/en_US/0lUsxssk6yc.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive


Nov 19, 2019 11:49:48.675092936 CET

3346 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:48 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: application/x-javascript; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: EMMp7pO85X6tmfRQShZL4w==Cache-Control: public,max-age=31536000,immutableExpires: Sun, 15 Nov 2020 14:46:41 GMTX-FB-Debug: WDdDiI/+ardfFnzx78cJIFk3vxsaRE4Ig0CVEa5ywVO1IVu6yfYhxZi01gY3GTPkY4c6Opt3Dzgn7BUuq4ajsA==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 211459Keep-Alive: timeout=5, max=95Connection: Keep-Alive Data Ascii: if (self.CavalryLogger) { CavalryLogger.start_js(["jxPJX"]); }__d("FBRTCMessageType",[],(function(a,b,c,d,e,f){e.exports={JOIN:0,SERVER_MEDIA_UPDATE:1,HANGUP:2,ICE_CANDIDATE:3,RING:4,DISMISS:5,CONFERENCE_STATE:6,ADD_PARTICIPANTS:7,SUBSCRIPTION:8,CLIENT_MEDIA_UPDATE:9,DATA_MESSAGE:10,REMOVE_PARTICIPANTS:11,PING:18,P2P_PROTOCOL:19,UPDATE:20,NOTIFY:21,CONNECT:22,CLIENT_EVENT:23}}),null);__d("FundsAvailability",[],(function(a,b,c,d,e,f){e.exports={NONE:0,FUNDS_AVAILABILITY_NA:65,FUNDS_AVAILABILIT


Session ID Source IP Source Port Destination IP Destination Port Process

6 192.168.2.5 49718 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:38.021445990 CET

62 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lYL2wvMCxjcm9zcy8wMmFwX2xOZ1pwSC5jc3M/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1Accept: text/css, */*Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive


Nov 19, 2019 11:49:38.370961905 CET

143 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:38 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: text/css; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTX-UA-Compatible: IE=edgeVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: mqVGwiLyVwAxz1EVQ/ayXw==Cache-Control: public,max-age=31536000,immutableExpires: Tue, 17 Nov 2020 10:29:59 GMTX-FB-Debug: ICOZHvKARo/cShJtOu0mXTSmNaqsk8c2LGzBxLu8sTmqQ3okUnbtELA95iu8YN1gtT4s9yzA2zN4jpJ4QW+40w==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 18394Keep-Alive: timeout=5, max=100Connection: Keep-Alive Data Ascii: ._4-do{text-align:center}._4-dp{font-size:24px;line-height:28px;margin:40px 0 20px}._4-dq{font-size:16px;line-height:28px;margin:20px 0}._4-dr{font-size:12px;line-height:20px}._1yt{margin-top:8px}._442n ._1yt{margin-top:0}._5und{margin-top:8px}._1yt ._5und:first-child{margin-top:0}._1yt ._4_yl ._5und:first-child{margin-top:8px}._1yt ._4_yl:first-child ._5und:first-child{margin-top:0}._6k_ .img{margin:0;position:absolute}.fbx #pageFooter{margin:auto;width:auto}.hasLeftCol #pageFooter

Nov 19, 2019 11:49:38.731321096 CET

294 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3liL3IvR3NOSk53dUktVU0uZ2lm HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive

Nov 19, 2019 11:49:39.071118116 CET

438 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:38 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: image/gifLast-Modified: Mon, 01 Jan 2001 08:00:00 GMTX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: cH2zTAVPHVXw/aQfDhS/Bg==Cache-Control: public,max-age=31536000,immutableExpires: Thu, 12 Nov 2020 05:31:51 GMTX-FB-Debug: o5cT9MqfPETIxm+h1aqVLC/O1R/4Vo+qAJRJ5RWuZUy4ikzvikpcyfs2bArDRj7+Y9TDMga2GYCom9sQVDvdtg==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 522Keep-Alive: timeout=5, max=99Connection: Keep-Alive Data Ascii: GIF89apRo!NETSCAPE2.0!,+Ie)"-%gitio~0!,P$wIT!,2)RssLdA")YlFyM(U.!,>IHITR PtI1HY`a}L&6ud"!,=I`2Pt("P,wOhTJ.!,3IeP(dR12r\3.=>24`J!,%T;


Session ID Source IP Source Port Destination IP Destination Port Process

7 192.168.2.5 49722 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe


Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:38.356698990 CET

108 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3lEL2wvMCxjcm9zcy8yV1ROcFRubGZXNy5jc3M/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1Accept: text/css, */*Referer: http://www.joinfproxy.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: agent.joinf.cnConnection: Keep-Alive

Nov 19, 2019 11:49:38.692027092 CET

222 IN HTTP/1.1 200 OKDate: Tue, 19 Nov 2019 10:49:38 GMTServer: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fipsContent-Type: text/css; charset=utf-8Last-Modified: Mon, 01 Jan 2001 08:00:00 GMTX-UA-Compatible: IE=edgeVary: Accept-EncodingX-Content-Type-Options: nosnifftiming-allow-origin: *Access-Control-Allow-Origin: *Content-MD5: qICr7vxDpcY33oUq3JYTSA==Cache-Control: public,max-age=31536000,immutableExpires: Sun, 15 Nov 2020 15:50:56 GMTX-FB-Debug: bhwNzP7B48R26ZsmDICxzfbMdtyQ7zTaF1KERqOVOrQtD+DjDItk1hO3Qy74qKeE1lb5ch7O+qpPALibtDWgnw==X-FB-TRIP-ID: 420120009Alt-Svc: h3-23=":443"; ma=3600Content-Length: 108023Keep-Alive: timeout=5, max=100Connection: Keep-AliveData Raw: 2e Data Ascii: .

Nov 19, 2019 11:49:42.790611982 CET

1260 OUT GET /static/rsrc.php/v3/yf/r/rELlH3fWQtn.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:43.139174938 CET

1304 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:42 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: pLrTn05cofzUo3yjgD0gjg==
Cache-Control: public,max-age=31536000,immutable
Expires: Wed, 18 Nov 2020 05:02:51 GMT
X-FB-Debug: zF4I5lQ4Q4H0SQjeXrIHE1twDNBsK6VtFGqN5uTTByEcLde5pJO0FFbNBRJIZlslSTJ5rEE010VgDTeyZSBqVQ==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 412102
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive

Nov 19, 2019 11:49:47.416718960 CET

3005 OUT GET /static/rsrc.php/v3i-RI4/yf/l/en_US/eQUWlompwsJ.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive


Nov 19, 2019 11:49:47.753405094 CET

3008 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:47 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: nvzIL/12tJ44boAWtn8rpg==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 14:41:56 GMT
X-FB-Debug: zyi9DAVdTcft4J6bpOcdn9WBS2Rp6uV+Om4g7n/xg0Q6TKqSI6rz1KgJf8ZV53pO7c9UrDcG+uHlJxDpiFHplw==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 70440
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive

Nov 19, 2019 11:49:48.103930950 CET

3153 OUT GET /static/rsrc.php/v3idwB4/yP/l/en_US/DzWAqG4WWLL.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:48.443103075 CET

3241 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:48 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: 6lfcKYS/4sRF+murMfGL3w==
Cache-Control: public,max-age=31536000,immutable
Expires: Wed, 18 Nov 2020 04:25:33 GMT
X-FB-Debug: Bks+RhEpWofGCmYAX3GYJ8mK+Yf8q3sfEA5Ac960O0ggv7xhwxjWraxo7O7hm6s9pxeDrKItP/YKb9RV+gRLHg==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 157345
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive


Nov 19, 2019 11:49:50.033911943 CET

4109 OUT GET /static/rsrc.php/v3iqES4/yN/l/en_US/lIJrOY0twaO.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:50.369851112 CET

4201 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:50 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: 9Fk1rRTNCgWehqKjOHJd5A==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 18:32:52 GMT
X-FB-Debug: T+3EIuAHwMPwyNGScEXch82duBZ65gq9I9RmrqHKlSD/nh7zJbSXjdNdqc2LoBUqbHK6FL5pkC72rZTsxM72XQ==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 31294
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive


Session ID Source IP Source Port Destination IP Destination Port Process

8 192.168.2.5 49723 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:38.391391039 CET

159 OUT GET /static?u=aH&r=R0cHM6Ly9zdGF0aWMueHguZmJjZG4ubmV0L3JzcmMucGhwL3YzL3kyL2wvMCxjcm9zcy9sWjg2Y3Y5YVI5MC5jc3M/X25jX3g9SWozV3A4bGc1S3o= HTTP/1.1
Accept: text/css, */*
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:38.742350101 CET

295 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:38 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: text/css; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: D/kK+zzisO302r+X+0OamQ==
Cache-Control: public,max-age=31536000,immutable
Expires: Fri, 06 Nov 2020 19:17:31 GMT
X-FB-Debug: UJezqe2ZuZ/JdxVAProsO5wBUJ/QGAs7qLnxf3ueN0hActuVVBuhGNXcj2UOf+tSNa71UK6kBxtNm1V7NeYzAA==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 40628
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Data Raw: 40
Data Ascii: @


Nov 19, 2019 11:49:43.092402935 CET

1262 OUT GET /rsrc.php/v3/yj/r/AE-e0Vw8Uhd.png HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:43.431720018 CET

1338 IN HTTP/1.1 200 OK
Date: Mon, 18 Nov 2019 11:35:17 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: image/png
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: +5u0CX6+ZEWd69WrwHnA9w==
Cache-Control: public,max-age=31536000,immutable
Expires: Tue, 17 Nov 2020 11:35:17 GMT
X-FB-Debug: PTb9ABlfWd2dxJqUF19tcXxPXU0s3WhWgHr0iFJHlLxhY2FoKK3tw7GPRzmV6UxWKgWatI4rHOcJlciqYU5Z6g==
Content-Length: 13354
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive

Nov 19, 2019 11:49:47.439567089 CET

3006 OUT GET /static/rsrc.php/v3iXji4/yv/l/en_US/46twG_p7jIg.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:47.912962914 CET

3102 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:47 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: ngnGd4sK09ktONPAgrCbvA==
Cache-Control: public,max-age=31536000,immutable
Expires: Wed, 18 Nov 2020 10:49:47 GMT
X-FB-Debug: htHYrvce+QTzzXKGxQsuatLOEbzUDASEf2qsTp1+4F0DTwuwYWGzOkiHlvi7u4W4ybaxFj24U59t+T1xX+x1xw==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 21739
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Data Raw: 69
Data Ascii: i

Nov 19, 2019 11:49:48.281894922 CET

3238 OUT GET /static/rsrc.php/v3i5Xt4/yZ/l/en_US/hX1hTfJarhp.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive


Nov 19, 2019 11:49:48.623655081 CET

3330 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:48 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: s2rywDMHFQC9gIW+jzo5zg==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 17:56:24 GMT
X-FB-Debug: F3ez2CUeswach9Q7r1CPJ/xxlXJFFffEX1ezUniCukdClKKG7PWh8hcy80+CX83norZP6yPTHkiRdoJ3mJvz4Q==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 63670
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive

Nov 19, 2019 11:49:49.720098972 CET

4022 OUT GET /static/rsrc.php/v3/yN/r/YSGcJgI3134.js?_nc_x=Ij3Wp8lg5Kz HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agent.joinf.cn
Connection: Keep-Alive

Nov 19, 2019 11:49:50.060749054 CET

4131 IN HTTP/1.1 200 OK
Date: Tue, 19 Nov 2019 10:49:49 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
timing-allow-origin: *
Access-Control-Allow-Origin: *
Content-MD5: HahWx3TJbMvUg+GtFZe0FQ==
Cache-Control: public,max-age=31536000,immutable
Expires: Sun, 15 Nov 2020 14:41:58 GMT
X-FB-Debug: wNHznsG/4bi8zuB4nuic5cBvaJ+rpaeJhRPKgm0zi7gh4/DMWINf9e2v3o7Eh/wI55KmxLuhT10lN7ESfxJKuA==
X-FB-TRIP-ID: 420120009
Alt-Svc: h3-23=":443"; ma=3600
Content-Length: 20534
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive


Session ID Source IP Source Port Destination IP Destination Port Process

9 192.168.2.5 49736 47.91.149.178 80 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp kBytes transferred Direction Data

Nov 19, 2019 11:49:48.284279108 CET

3239 OUT GET /intern/common/referer_frame.php HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://www.joinfproxy.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.joinfproxy.com
Connection: Keep-Alive

Nov 19, 2019 11:49:48.827419996 CET

3479 IN HTTP/1.1 404 Not Found
Date: Tue, 19 Nov 2019 10:49:48 GMT
Server: Apache/2.4.25 (Unix) proxy_html/3.1.2 OpenSSL/1.0.1e-fips
P3P: CP="Facebook has no P3P policy fb.me/p3p"
Cache-Control: private, no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=15552000; preload
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Content-Type: text/html;charset=utf-8
X-FB-Debug: 68D6spAe8BZiPjLTYoaQjW9psRQ9amyh7/5gOi8teU1msqLJ2gK8RznavvnHAaaY2sk81RlpMuGa3V+fr04pTw==
Alt-Svc: h3-23=":443"; ma=3600
Set-Cookie: fr=1POPjWbQS7WYXeHkp..Bd08jM.9P.AAA.0.0.Bd08jM.AWWRKil8; expires=Mon, 17-Feb-2020 10:49:47 GMT; Max-Age=7775999; path=/; domain=.joinf.cn; httponly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Data Ascii: b7<html lang="en" id="facebook" class="no_js"><head><meta charset="utf-8"><meta name="referrer" content="default" id="meta_referrer"><script>window._cstart=+new Date();</script><script>

Timestamp Source IP Source Port Dest IP Dest Port Subject Issuer Not Before Not After JA3 SSL Client Fingerprint JA3 SSL Client Digest

Nov 19, 2019 11:49:38.213150024 CET

185.60.216.35 443 192.168.2.5 49727 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:38.213356972 CET

185.60.216.35 443 192.168.2.5 49728 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

HTTPS Packets


Nov 19, 2019 11:49:38.461997032 CET

185.60.216.35 443 192.168.2.5 49730 CN=fbcdn.net, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Oct 09 02:00:00 CEST 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Jan 07 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:38.463088989 CET

185.60.216.35 443 192.168.2.5 49729 CN=fbcdn.net, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Oct 09 02:00:00 CEST 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Jan 07 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:38.620639086 CET

185.60.216.35 443 192.168.2.5 49732 CN=fbcdn.net, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Oct 09 02:00:00 CEST 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Jan 07 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

3faf2df7ab96c36419c31725cb1fa7d6

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:38.621087074 CET

185.60.216.35 443 192.168.2.5 49731 CN=fbcdn.net, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Oct 09 02:00:00 CEST 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Jan 07 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

3faf2df7ab96c36419c31725cb1fa7d6

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:38.692784071 CET

157.240.15.22 443 192.168.2.5 49725 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028


Nov 19, 2019 11:49:38.697261095 CET

157.240.15.22 443 192.168.2.5 49724 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:38.714059114 CET

157.240.15.22 443 192.168.2.5 49726 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:38.826069117 CET

185.60.216.19 443 192.168.2.5 49733 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:38.826653004 CET

185.60.216.19 443 192.168.2.5 49734 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:53.263711929 CET

47.91.149.178 443 192.168.2.5 49739 CN=*.joinf.com CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Fri Dec 15 01:00:00 CET 2017 Mon Nov 06 13:23:33 CET 2017

Sat Dec 15 13:00:00 CET 2018 Sat Nov 06 13:23:33 CET 2027

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Mon Nov 06 13:23:33 CET 2017

Sat Nov 06 13:23:33 CET 2027


Nov 19, 2019 11:49:55.603070974 CET

185.60.216.36 443 192.168.2.5 49740 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:49:55.605540037 CET

185.60.216.36 443 192.168.2.5 49741 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:50:38.722223997 CET

47.91.149.178 443 192.168.2.5 49747 CN=*.joinf.com CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Fri Dec 15 01:00:00 CET 2017 Mon Nov 06 13:23:33 CET 2017

Sat Dec 15 13:00:00 CET 2018 Sat Nov 06 13:23:33 CET 2027

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Mon Nov 06 13:23:33 CET 2017

Sat Nov 06 13:23:33 CET 2027

Nov 19, 2019 11:50:38.751776934 CET

47.91.149.178 443 192.168.2.5 49748 CN=*.joinf.com CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Fri Dec 15 01:00:00 CET 2017 Mon Nov 06 13:23:33 CET 2017

Sat Dec 15 13:00:00 CET 2018 Sat Nov 06 13:23:33 CET 2027

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Mon Nov 06 13:23:33 CET 2017

Sat Nov 06 13:23:33 CET 2027

Nov 19, 2019 11:50:41.441549063 CET

47.91.149.178 443 192.168.2.5 49751 CN=*.joinf.com CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Fri Dec 15 01:00:00 CET 2017 Mon Nov 06 13:23:33 CET 2017

Sat Dec 15 13:00:00 CET 2018 Sat Nov 06 13:23:33 CET 2027

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Mon Nov 06 13:23:33 CET 2017

Sat Nov 06 13:23:33 CET 2027


Nov 19, 2019 11:51:02.850929976 CET

185.60.216.15 443 192.168.2.5 49763 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:02.850991011 CET

185.60.216.15 443 192.168.2.5 49762 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:03.164768934 CET

185.60.216.19 443 192.168.2.5 49764 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:03.164941072 CET

185.60.216.19 443 192.168.2.5 49765 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:03.182746887 CET

185.60.216.19 443 192.168.2.5 49766 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028


Nov 19, 2019 11:51:03.189198971 CET

185.60.216.19 443 192.168.2.5 49767 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:03.193666935 CET

185.60.216.19 443 192.168.2.5 49768 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:03.203372002 CET

185.60.216.19 443 192.168.2.5 49769 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:06.697761059 CET

185.60.216.15 443 192.168.2.5 49771 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:06.698438883 CET

185.60.216.15 443 192.168.2.5 49770 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028


Nov 19, 2019 11:51:09.245987892 CET

185.60.216.6 443 192.168.2.5 49773 CN=*.atlassolutions.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Mon Oct 28 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Sun Jan 26 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:09.252907991 CET

185.60.216.6 443 192.168.2.5 49772 CN=*.atlassolutions.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Mon Oct 28 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Sun Jan 26 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:15.819456100 CET

185.60.216.15 443 192.168.2.5 49781 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:15.850284100 CET

185.60.216.15 443 192.168.2.5 49782 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:23.151668072 CET

185.60.216.15 443 192.168.2.5 49785 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028


Code Manipulations

Statistics

Behavior

• iexplore.exe

• iexplore.exe


Nov 19, 2019 11:51:23.152524948 CET

185.60.216.15 443 192.168.2.5 49786 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:28.898951054 CET

185.60.216.15 443 192.168.2.5 49788 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028

Nov 19, 2019 11:51:28.900674105 CET

185.60.216.15 443 192.168.2.5 49787 CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Wed Nov 06 01:00:00 CET 2019 Tue Oct 22 14:00:00 CEST 2013

Tue Feb 04 13:00:00 CET 2020 Sun Oct 22 14:00:00 CEST 2028

771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0

9e10692f1b7f78228b2d4e424db3a98c

CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Tue Oct 22 14:00:00 CEST 2013

Sun Oct 22 14:00:00 CEST 2028


System Behavior

Analysis Process: iexplore.exe PID: 1132 Parent PID: 700

General

Start time: 11:49:33

Start date: 19/11/2019

Path: C:\Program Files\internet explorer\iexplore.exe

Wow64 process (32bit): false

Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding

Imagebase: 0x7ff7d86a0000

File size: 823560 bytes

MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Activities

Registry Activities

Analysis Process: iexplore.exe PID: 2672 Parent PID: 1132

General

Start time: 11:49:33

Start date: 19/11/2019

Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Wow64 process (32bit): true

Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1132 CREDAT:17410 /prefetch:2

Imagebase: 0xd70000

File size: 822536 bytes

MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

File Activities

Registry Activities

Disassembly