
Analysis Report vBugmobiJh.exe

Overview

General Information

Sample Name: vBugmobiJh.exe
Analysis ID: 356496
MD5: 5b59e521935e56a03255623df51c1631
SHA1: b6714751ef5127dd84bed782a30eb44b7add8813
SHA256: e6370f5f39e8e3d7a2506659786deadd1fe5ce8208cb2b6bf7748b6637a3b793
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • vBugmobiJh.exe (PID: 5108 cmdline: 'C:\Users\user\Desktop\vBugmobiJh.exe' MD5: 5B59E521935E56A03255623DF51C1631)
    • vBugmobiJh.exe (PID: 68 cmdline: C:\Users\user\Desktop\vBugmobiJh.exe MD5: 5B59E521935E56A03255623DF51C1631)
    • vBugmobiJh.exe (PID: 6088 cmdline: C:\Users\user\Desktop\vBugmobiJh.exe MD5: 5B59E521935E56A03255623DF51C1631)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 3664 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 5428 cmdline: /c del 'C:\Users\user\Desktop\vBugmobiJh.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rizrvd.com/bw82/"], "decoy": ["fundamentaliemef.com", "gallerybrows.com", "leadeligey.com", "octoberx2.online", "climaxnovels.com", "gdsjgf.com", "curateherstories.com", "blacksailus.com", "yjpps.com", "gmobilet.com", "fcoins.club", "foreverlive2027.com", "healthyfifties.com", "wmarquezy.com", "housebulb.com", "thebabyfriendly.com", "primajayaintiperkasa.com", "learnplaychess.com", "chrisbubser.digital", "xn--avenr-wsa.com", "exlineinsurance.com", "thrivezi.com", "tuvandadayvitos24h.online", "illfingers.com", "usmedicarenow.com", "pandabutik.com", "engageautism.info", "magnabeautystyle.com", "texasdryroof.com", "woodlandpizzahartford.com", "dameadamea.com", "sedaskincare.com", "ruaysatu99.com", "mybestaide.com", "nikolaichan.com", "mrcabinetkitchenandbath.com", "ondemandbarbering.com", "activagebenefits.net", "srcsvcs.com", "cbrealvitalize.com", "ismaelworks.com", "medkomp.online", "ninasangtani.com", "h2oturkiye.com", "kolamart.com", "acdfr.com", "twistedtailgatesweeps1.com", "ramjamdee.com", "thedancehalo.com", "joeisono.com", "glasshouseroadtrip.com", "okcpp.com", "riggsfarmfenceservices.com", "mgg360.com", "xn--oi2b190cymc.com", "ctfocbdwholesale.com", "openspiers.com", "rumblingrambles.com", "thepoetrictedstudio.com", "magiclabs.media", "wellnesssensation.com", "lakegastonautoparts.com", "dealsonwheeeles.com", "semenboostplus.com"]}

Yara Overview

Memory Dumps

Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 6.2.vBugmobiJh.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 6.2.vBugmobiJh.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: climaxnovels.com, Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: vBugmobiJh.exe, Virustotal: Detection: 25%
Yara detected FormBook
Source: Yara match, File source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: vBugmobiJh.exe, Joe Sandbox ML: detected
Source: 6.2.vBugmobiJh.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: vBugmobiJh.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: vBugmobiJh.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.489757839.0000000006560000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb source: vBugmobiJh.exe, 00000006.00000002.268127639.0000000000EA0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp, netsh.exe, 0000000A.00000002.476422535.0000000003B40000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: vBugmobiJh.exe, 00000006.00000002.268127639.0000000000EA0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp, netsh.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.489757839.0000000006560000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\vBugmobiJh.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0709DEB8
Source: C:\Users\user\Desktop\vBugmobiJh.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0709EDC0
Source: C:\Users\user\Desktop\vBugmobiJh.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0709E9A8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 94.73.146.42:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 94.73.146.42:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 94.73.146.42:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.rizrvd.com/bw82/
Source: global traffic, HTTP traffic detected: GET /bw82/?2dspCJ=CMr/hCS473yTOMLQRlwKDrCPfcrQCABATOinOmsXstIRfABY7iJyJix7IPLOuntXuF5p&L6Ah=2dPLKjuxNzghip HTTP/1.1  Host: www.h2oturkiye.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=G5V/jI1lXUWhm2/po/i12Eg93VLS1Yw8/s5fANqQYS1eyL2v/ZzyMw3Ygf/31m6ddEJO HTTP/1.1  Host: www.ramjamdee.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw82/?2dspCJ=AJ+QNFfpTCGoeNdN3oQHABBFVni950JEMBWacmvnp29IOaric6KDWsJikAvcMmAxBpMV&L6Ah=2dPLKjuxNzghip HTTP/1.1  Host: www.rizrvd.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=7KG5rMnJQVi61jAewyvwq06b8xrmRTVdiDIOhf904IMqwa5VOrK6tjTZXar9S1Zs43DY HTTP/1.1  Host: www.gdsjgf.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw82/?2dspCJ=ErYhPq0/zQvehGK9wS6+i9BP1HsxrMLlWLaBPkVFk6gJ3Rf5IPX3ZCPP9+b6hANSOkIk&L6Ah=2dPLKjuxNzghip HTTP/1.1  Host: www.climaxnovels.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=r3fdhBxfm/17hO+WGttpxejAYTJXJLNaeaIMUW/kEa9Q3oKyIBTjSr0cbQanu0dSY6cl HTTP/1.1  Host: www.thebabyfriendly.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj HTTP/1.1  Host: www.wellnesssensation.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw82/?2dspCJ=qtQC6ueLh9SPHvPoeB2W7XMv4DHg8NEty8uJPphl3NdNxxbo+oCUuV5k45UTpNkEWHc7&L6Ah=2dPLKjuxNzghip HTTP/1.1  Host: www.gallerybrows.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw82/?2dspCJ=cQgJWKf8RQ1tgXmhpNlNvU1Wcwt7yBWYkRci+XoIvJPaxwQIB73a/eHibjyZxTY12AhF&L6Ah=2dPLKjuxNzghip HTTP/1.1  Host: www.usmedicarenow.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=kkzs7wdk+a5EmvlejfiLHnYXY/z1ZZpbk/A0waQQyoH3vrpc5BJXUH7YClYSBXJaDwsI HTTP/1.1  Host: www.activagebenefits.net  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: Joe Sandbox View, IP Address: 198.185.159.144
Source: Joe Sandbox View, IP Address: 52.128.23.153
Source: Joe Sandbox View, ASN Name: DOSARRESTUS
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: unknown, DNS traffic detected: queries for: www.fcoins.club
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found  Connection: close  Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0  Pragma: no-cache  Content-Type: text/html  Content-Length: 1237  Date: Tue, 23 Feb 2021 08:00:33 GMT  Server: LiteSpeed
Source: explorer.exe, 00000007.00000000.255680100.000000000F659000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.agfamonotype.
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vBugmobiJh.exe, 00000001.00000003.214832645.0000000005766000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: vBugmobiJh.exe, 00000001.00000003.214832645.0000000005766000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlu
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: vBugmobiJh.exe, 00000001.00000003.215875793.0000000005760000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, vBugmobiJh.exe, 00000001.00000003.216329040.0000000005739000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: vBugmobiJh.exe, 00000001.00000003.227609079.0000000005720000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comB.TTF
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comM.TTFzP
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comcomm
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd2P
Source: vBugmobiJh.exe, 00000001.00000003.227609079.0000000005720000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comepko
Source: vBugmobiJh.exe, 00000001.00000003.227609079.0000000005720000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comm
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comsP
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comsiefd$P
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: vBugmobiJh.exe, 00000001.00000003.209223636.000000000573B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comKr
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: vBugmobiJh.exe, 00000001.00000003.211716442.0000000005726000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vBugmobiJh.exe, 00000001.00000003.211340323.0000000005727000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnO
Source: vBugmobiJh.exe, 00000001.00000003.211098499.000000000572E000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnd
Source: vBugmobiJh.exe, 00000001.00000003.211340323.0000000005727000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnh
Source: vBugmobiJh.exe, 00000001.00000003.211149216.0000000000D4D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnt
Source: vBugmobiJh.exe, 00000001.00000003.218063402.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: vBugmobiJh.exe, 00000001.00000003.217860687.0000000005733000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/%k
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, vBugmobiJh.exe, 00000001.00000003.217860687.0000000005733000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp//P
Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/2P
Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/AP
Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmp, vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ntPi
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/es
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: vBugmobiJh.exe, 00000001.00000003.214371711.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/2P
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/zP
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ltt=P
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oiolP
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sP
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/tendHP
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/uild$P
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vno
          Source: vBugmobiJh.exe, 00000001.00000003.208761960.0000000005723000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: vBugmobiJh.exe, LogIn.cs | Long String: Length: 13656
Source: 1.0.vBugmobiJh.exe.2d0000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 1.2.vBugmobiJh.exe.2d0000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 4.2.vBugmobiJh.exe.150000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 4.0.vBugmobiJh.exe.150000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 6.2.vBugmobiJh.exe.430000.1.unpack, LogIn.cs | Long String: Length: 13656
Source: 6.0.vBugmobiJh.exe.430000.0.unpack, LogIn.cs | Long String: Length: 13656
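A 13656-character literal in the decompiled LogIn.cs, which the report later also flags as a Base64-encoded string, is the usual shape of a .NET stage-one loader that carries its next stage inline. The triage below is an added example and not code from the report or from the sample: it pulls long string literals out of C# source, checks whether each one is valid Base64, and tests whether the decoded bytes start with a DOS/PE header. The C# snippet it scans is constructed here (the report does not show the real literal or what it decodes to), and the 256-character threshold is an assumption; a real loader may also split the blob across concatenated literals or XOR it before Base64, which this check would miss.

```python
"""Triage long string literals in C# source for embedded Base64 payloads.

Added example; not part of the Joe Sandbox report or the analysed sample.
"""
import base64
import binascii
import re
import struct

# C# string literal, optionally verbatim (@"..."), with backslash escapes allowed inside.
STRING_LITERAL = re.compile(r'@?"((?:[^"\\\n]|\\.)*)"')


def _fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: DOS header whose e_lfanew points at 'PE\\0\\0'.
    It is NOT an executable, just enough structure for looks_like_pe() to recognise."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 250   # Machine = 0x14c (i386), padding


# Constructed stand-in for a loader class; the real LogIn.cs literal is not in the report.
SAMPLE_CS = (
    "class LogIn {\n"
    '    static string payload = "' + base64.b64encode(_fake_pe()).decode() + '";\n'
    '    static string banner = "' + "A" * 400 + '";\n'        # valid Base64, decodes to zeros
    '    static string text = "' + "lorem ipsum dolor sit amet " * 12 + '";\n'   # not Base64
    "}\n"
)


def find_long_strings(source: str, min_len: int = 256):
    """Return every string literal in `source` whose body is at least `min_len` characters."""
    return [m.group(1) for m in STRING_LITERAL.finditer(source) if len(m.group(1)) >= min_len]


def try_base64(s: str):
    """Strict Base64 decode (alphabet and padding enforced); None if it is not Base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data: bytes) -> bool:
    """True if `data` starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_source(source: str, min_len: int = 256):
    """One finding per long literal: length, whether it is Base64, decoded size, PE flag."""
    findings = []
    for lit in find_long_strings(source, min_len):
        decoded = try_base64(lit)
        findings.append({
            "length": len(lit),
            "base64": decoded is not None,
            "decoded_size": len(decoded) if decoded else 0,
            "embedded_pe": bool(decoded) and looks_like_pe(decoded),
        })
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_CS):
        print(f)
```

Only the first literal is reported as an embedded PE; the all-"A" literal shows why a Base64 check alone is not enough (it decodes cleanly to zero bytes), and the prose literal is rejected by the strict decoder because of its spaces.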
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00418260 NtReadFile
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004182E0 NtClose
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00418390 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004181AA NtCreateFile
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041825C NtReadFile
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004182DA NtClose
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A20 NtResumeThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A10 NtQuerySection
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAB040 NtSuspendThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAA770 NtOpenThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9760 NtOpenProcess
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9560 NtWriteFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F581B0 NtCreateFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F582E0 NtClose
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F58260 NtReadFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F581AA NtCreateFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F582DA NtClose
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5825C NtReadFile
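The native-API list above is more useful read per process than as a flat list: the first vBugmobiJh.exe instance (process 6) only wraps file I/O and one allocation, while the code that ends up inside netsh.exe (process 10) wraps every primitive needed to hollow a process and hijack a thread, which is what the signatures "Sample uses process hollowing technique", "Queues an APC in another process" and "Modifies the context of a thread in another process" in the summary rest on. The script below is an added example, not Joe Sandbox tooling or the sample's code: it parses "Code function" lines of this report, keeps only the Nt* names per process, and maps them onto the stages of hollowing. The embedded lines are a subset copied from this report; the stage table and the coverage score are this example's own assumptions and a heuristic, not proof that the calls are executed in that order.

```python
"""Map the Nt* native calls an analysis report lists per process onto process-hollowing stages.

Added example; not part of the Joe Sandbox report or the analysed sample.
"""
import re
from collections import defaultdict

# Constructed input: a subset of this report's "Code function" findings (process 6 is the second
# vBugmobiJh.exe instance, process 10 is the netsh.exe the payload was injected into).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00418260 NtReadFile
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004182E0 NtClose
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00418390 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A20 NtResumeThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B9EBB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 03B6B150 appears 39 times
""".strip().splitlines()

# <pid>_<snapshot>_<address> followed by the comma-separated callees the function wraps (may be empty).
FUNC_RE = re.compile(r"Code function:\s*(?P<pid>\d+)_(?P<snap>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>.*)$")
SRC_RE = re.compile(r"Source:\s*(?P<src>\S+\.exe)")

# Assumed stage table for process hollowing / thread hijacking; the names are Windows native APIs,
# the grouping is this example's own.
HOLLOWING_STAGES = (
    ("create target process",  {"NtCreateProcessEx", "NtCreateUserProcess"}),
    ("unmap original image",   {"NtUnmapViewOfSection"}),
    ("allocate or map memory", {"NtAllocateVirtualMemory", "NtCreateSection", "NtMapViewOfSection"}),
    ("write payload",          {"NtWriteVirtualMemory"}),
    ("hijack a thread",        {"NtGetContextThread", "NtSetContextThread", "NtQueueApcThread"}),
    ("resume execution",       {"NtResumeThread"}),
)


def parse_native_calls(lines):
    """Return {(pid, process_path): set of Nt* names} from report 'Code function' lines."""
    calls = defaultdict(set)
    for line in lines:
        m = FUNC_RE.search(line)
        s = SRC_RE.search(line)
        if not m or not s:
            continue                       # e.g. the "String function ... appears N times" line
        for name in (n.strip() for n in m.group("apis").split(",")):
            if name.startswith("Nt"):      # drop loader helpers such as LdrInitializeThunk
                calls[(int(m.group("pid")), s.group("src"))].add(name)
    return dict(calls)


def hollowing_coverage(nt_calls):
    """Stages for which at least one of the listed Nt* calls is present, with the matching names."""
    return {stage: sorted(nt_calls & apis) for stage, apis in HOLLOWING_STAGES if nt_calls & apis}


def triage(lines):
    """Per process: which hollowing stages its native-call wrappers cover and a covered/total score."""
    result = {}
    for (pid, src), nt_calls in parse_native_calls(lines).items():
        covered = hollowing_coverage(nt_calls)
        result[pid] = {"process": src, "stages": covered,
                       "score": f"{len(covered)}/{len(HOLLOWING_STAGES)}"}
    return result


if __name__ == "__main__":
    for pid, info in sorted(triage(REPORT_LINES).items()):
        print(pid, info["process"], info["score"])
        for stage, names in info["stages"].items():
            print("   ", stage, "->", ", ".join(names))
```

Run against the lines above, netsh.exe (process 10) covers all six stages and the first vBugmobiJh.exe instance (process 6) covers only the allocation stage. A full score is a reason to pull the memory dumps the Yara rules matched, not a verdict by itself: a legitimate debugger or a packer's loader wraps many of the same calls.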
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_00CBC2B0
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_00CB9990
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_0709C6D8
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_0709B6E8
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07090040
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07092F78
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07092F88
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_0709B6D8
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07092D28
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07092D38
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07090D90
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07096291
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_0709E9A8
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0040102F
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00401030
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00408C4C
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00408C50
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041B493
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041CD28
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00402D87
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00402D90
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041CE77
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00402FB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B9EBB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2DBD2
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C203DA
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C32B28
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C322AE
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B84120
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B6F900
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B920A0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B7B090
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C328EC
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C320A8
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C21002
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C3E824
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C3DFCE
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C31FF1
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C32EF7
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B86E30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2D616
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C325DD
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B92581
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B7D5E0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B60D20
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C31D55
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C32D07
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2D466
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B7841F
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5B493
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F48C50
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F48C4C
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F42D90
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F42D87
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5CD28
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5CE77
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F42FB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 03B6B150 appears 39 times
Source: vBugmobiJh.exe | Binary or memory string: OriginalFilename vs vBugmobiJh.exe
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs vBugmobiJh.exe
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs vBugmobiJh.exe
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs vBugmobiJh.exe
Source: vBugmobiJh.exe, 00000001.00000002.227808975.00000000002D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKerbLogonSubmitType.exe6 vs vBugmobiJh.exe
Source: vBugmobiJh.exe, 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs vBugmobiJh.exe
Source: vBugmobiJh.exe | Binary or memory string: OriginalFilename vs vBugmobiJh.exe
Source: vBugmobiJh.exe, 00000004.00000002.226155480.0000000000152000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKerbLogonSubmitType.exe6 vs vBugmobiJh.exe
Source: vBugmobiJh.exe | Binary or memory string: OriginalFilename vs vBugmobiJh.exe
Source: vBugmobiJh.exe, 00000006.00000002.268144606.0000000000EBC000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs vBugmobiJh.exe
Source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs vBugmobiJh.exe
Source: vBugmobiJh.exe, 00000006.00000000.226888250.0000000000432000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKerbLogonSubmitType.exe6 vs vBugmobiJh.exe
Source: vBugmobiJh.exe | Binary or memory string: OriginalFilenameKerbLogonSubmitType.exe6 vs vBugmobiJh.exe
Source: vBugmobiJh.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: vBugmobiJh.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vBugmobiJh.exe, LogIn.cs | Base64 encoded string: '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
Source: 1.0.vBugmobiJh.exe.2d0000.0.unpack, LogIn.cs | Base64 encoded string: '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
          Source: 1.2.vBugmobiJh.exe.2d0000.0.unpack, LogIn.csBase64 encoded string: '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
          Source: 4.2.vBugmobiJh.exe.150000.0.unpack, LogIn.csBase64 encoded string: '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
          Source: 4.0.vBugmobiJh.exe.150000.0.unpack, LogIn.csBase64 encoded string: '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
          Source: 6.2.vBugmobiJh.exe.430000.1.unpack, LogIn.csBase64 encoded string: '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
          Source: 6.0.vBugmobiJh.exe.430000.0.unpack, LogIn.csBase64 encoded string: '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
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/1@15/5
          Source: C:\Users\user\Desktop\vBugmobiJh.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vBugmobiJh.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
          Source: vBugmobiJh.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\vBugmobiJh.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\vBugmobiJh.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: vBugmobiJh.exeVirustotal: Detection: 25%
          Source: unknownProcess created: C:\Users\user\Desktop\vBugmobiJh.exe 'C:\Users\user\Desktop\vBugmobiJh.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe
          Source: unknownProcess created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\vBugmobiJh.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\vBugmobiJh.exeProcess created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exeJump to behavior
          Source: C:\Users\user\Desktop\vBugmobiJh.exeProcess created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exeJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\vBugmobiJh.exe'Jump to behavior
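The process-creation lines above carry the whole FormBook execution chain: the sample starts a fresh copy of itself with no arguments (the set-up for the process hollowing flagged in the signatures), a system utility (netsh.exe) is started with no arguments to serve as an injection host, and that utility, not the sample, launches cmd.exe to delete the original file. The following Python is an added triage helper, not part of the Joe Sandbox report or the sample; it parses these lines exactly as rendered here (the constructed input is a copy of them, the parser also accepts the fused "unknownProcess created:" form) and flags the three patterns. The sample path and the "del" command-line test are taken from the report; nothing else is assumed.

```python
import re

# Constructed input: the "Process created" lines from the report above, copied verbatim.
PROCESS_EVENTS = [
    r"Source: unknown Process created: C:\Users\user\Desktop\vBugmobiJh.exe 'C:\Users\user\Desktop\vBugmobiJh.exe'",
    r"Source: unknown Process created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe",
    r"Source: unknown Process created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe",
    r"Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe",
    r"Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\vBugmobiJh.exe'",
    r"Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Users\user\Desktop\vBugmobiJh.exe Process created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe",
    r"Source: C:\Users\user\Desktop\vBugmobiJh.exe Process created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe",
    r"Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\vBugmobiJh.exe'",
]

SAMPLE_PATH = r"C:\Users\user\Desktop\vBugmobiJh.exe"

# "Source: <parent>Process created: <image> <command line>"; the parent may be "unknown".
# The lazy parent group tolerates a missing space before "Process created:".
EVENT_RE = re.compile(
    r"Source:\s*(?P<parent>.+?)\s*Process created:\s*(?P<image>\S+)\s*(?P<cmdline>.*)$"
)


def parse_events(lines):
    """Return (parent_image, child_image, child_cmdline) for every process-creation line."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append((m["parent"], m["image"], m["cmdline"].strip()))
    return events


def self_spawns(events):
    """Parents that launch a fresh copy of their own image.

    Seen from outside the process, hollowing (CreateProcess suspended, WriteProcessMemory,
    SetThreadContext, ResumeThread) looks exactly like this: the sample starts itself with
    no arguments and then overwrites the child's image.
    """
    return [(parent, image) for parent, image, _ in events if parent.lower() == image.lower()]


def bare_system_binaries(events):
    """System binaries whose command line is nothing but their own path.

    An odd way to run netsh.exe for administration, a normal way to obtain a clean host
    process for injected code.
    """
    return [
        image for _, image, cmdline in events
        if "\\windows\\" in image.lower() and cmdline.lower() == image.lower()
    ]


def self_delete_parents(events, sample_path):
    """Parents of a cmd.exe whose command line deletes the sample from disk.

    When the parent is a system utility rather than the sample itself, the deletion was
    issued by code injected into that utility.
    """
    hits = []
    for parent, image, cmdline in events:
        if (image.lower().endswith("\\cmd.exe")
                and re.search(r"\bdel\b", cmdline, re.IGNORECASE)
                and sample_path.lower() in cmdline.lower()):
            hits.append(parent)
    return hits


def triage(lines, sample_path):
    """Summarise the findings as a dict so they can be asserted on or serialised."""
    events = parse_events(lines)
    return {
        "events": len(events),
        "self_spawns": self_spawns(events),
        "bare_system_binaries": bare_system_binaries(events),
        "self_delete_parents": self_delete_parents(events, sample_path),
    }


if __name__ == "__main__":
    for key, value in triage(PROCESS_EVENTS, SAMPLE_PATH).items():
        print(f"{key}: {value}")
```

On the lines above this reports two self-spawns of vBugmobiJh.exe, netsh.exe as the only bare-started system binary, and netsh.exe (plus the parentless first-block entry) as the process that issued the delete. The same three checks work on Sysmon event ID 1 data once the parent image, image and command line fields are mapped onto the tuple.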
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\vBugmobiJh.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: vBugmobiJh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: vBugmobiJh.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.489757839.0000000006560000.00000002.00000001.sdmp
          Source: Binary string: netsh.pdb source: vBugmobiJh.exe, 00000006.00000002.268127639.0000000000EA0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp, netsh.exe, 0000000A.00000002.476422535.0000000003B40000.00000040.00000001.sdmp
          Source: Binary string: netsh.pdbGCTL source: vBugmobiJh.exe, 00000006.00000002.268127639.0000000000EA0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp, netsh.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.489757839.0000000006560000.00000002.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: vBugmobiJh.exe, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.vBugmobiJh.exe.2d0000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.vBugmobiJh.exe.2d0000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.vBugmobiJh.exe.150000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.vBugmobiJh.exe.150000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.vBugmobiJh.exe.430000.1.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.vBugmobiJh.exe.430000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 1_2_00CB0015 push 0030007Ah; retf 1_2_00CB001A
          Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 1_2_070961EC push eax; iretd 1_2_070961ED
          Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 6_2_0040C8B1 push ss; iretd 6_2_0040C8B5
          Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 6_2_0041B3F2 push eax; ret 6_2_0041B3F8
          Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 6_2_0041B3FB push eax; ret 6_2_0041B462
          Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 6_2_0041B3A5 push eax; ret 6_2_0041B3F8
          Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 6_2_0041B45C push eax; ret 6_2_0041B462
          Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 6_2_00415CB8 push esi; ret 6_2_00415CB9
          Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 6_2_0041A5F2 push cs; retf 6_2_0041A5F3
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 10_2_03BBD0D1 push ecx; ret 10_2_03BBD0E4
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 10_2_00F4C8B1 push ss; iretd 10_2_00F4C8B5
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 10_2_00F5B3F2 push eax; ret 10_2_00F5B3F8
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 10_2_00F5B3FB push eax; ret 10_2_00F5B462
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 10_2_00F5B3A5 push eax; ret 10_2_00F5B3F8
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 10_2_00F55CB8 push esi; ret 10_2_00F55CB9
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 10_2_00F5B45C push eax; ret 10_2_00F5B462
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 10_2_00F5A5F2 push cs; retf