
Windows Analysis Report NQBNpLezqZKv1P4.exe

Overview

General Information

Sample Name: NQBNpLezqZKv1P4.exe
Analysis ID: 452473
MD5: f03bf8d3ecc2ae4b40f836c59ac09bdf
SHA1: 58f48a5a960eac4ee1f33ea16075cfd44f37b3a3
SHA256: 2e4cf88a434d484057fcc090cb7de5deb6d30c8e00da339c886f2482f6a7ebe1
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • NQBNpLezqZKv1P4.exe (PID: 6940 cmdline: 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe' MD5: F03BF8D3ECC2AE4B40F836C59AC09BDF)
    • NQBNpLezqZKv1P4.exe (PID: 3984 cmdline: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe MD5: F03BF8D3ECC2AE4B40F836C59AC09BDF)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 7056 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 7012 cmdline: /c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extraclass.xyz/4nn8/"], "decoy": ["chamtowon.com", "yaaquu.com", "thepettybox.com", "zrcezzfdfkyjlir.com", "finalcutgrowshop.com", "856381151.xyz", "fbgroupsmadesimple.com", "thinktank-texas.com", "shoppingsys.com", "natezubal.com", "skyhighbud.com", "toddlely.net", "bachelor-boys.com", "blogdepr.com", "chuanyigou.com", "photocouture-show.com", "spacetasks.com", "kureitall.com", "qmcp00033.com", "visiodaya.com", "teleasistencianamaste.com", "updates-app.com", "marbleheadelementary.com", "jameswilliamgordon.com", "bouncingbellybeans.com", "icloud-site-fd.com", "hotradioarnhem.com", "shengdagp.com", "sickrime.com", "17545bullock.com", "cmovied.com", "wwwpaturnoiketollbyplate.com", "qphis.com", "vhsstores.com", "sorcierebienaimee.com", "y7mioung.xyz", "indianapartylines.com", "fezze.info", "uweup.com", "xn--gestinvalenciana-9ub.com", "creativeartaadda.com", "cattedralidismeraldo.com", "thecarestudio.com", "etruruueurt.xyz", "sidehustle.kiwi", "hagumee.com", "sdkqglgs.com", "nirvananaturalcbd.net", "grassth.com", "zeugmagiftandmore.com", "smartscene.club", "chsecv.com", "gettothecoast.com", "whiskey-friends.com", "ambernai.com", "iregentos.info", "sh-zzjy.com", "boicity.com", "sgtcsleathers.net", "themixedveggies.com", "greenbanc.net", "papiempanadas.com", "ndirxk.club", "iafzal.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: NQBNpLezqZKv1P4.exe | Joe Sandbox ML: detected
Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: NQBNpLezqZKv1P4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NQBNpLezqZKv1P4.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL | source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.715863977.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb | source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772737202.0000000000FF0000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000A.00000002.903338998.000000000352F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772737202.0000000000FF0000.00000040.00000001.sdmp, NETSTAT.EXE
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.715863977.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4x nop then pop ebx | 4_2_00406A94
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4x nop then pop edi | 4_2_0041567E
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop ebx | 10_2_00956A95
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 10_2_0096567E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.66:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.66:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.66:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 104.143.9.211:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 104.143.9.211:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 104.143.9.211:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.extraclass.xyz/4nn8/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=K/+E+I2IaBFJ5+Cq3Rel2nBITE/CM1NIkmEUWNpd048Z4hITxZXmdbK/fpJNWxfegP81&kXL=IR8x3xdhtDZDo HTTP/1.1 | Host: www.boicity.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=i0XGe6lKRF+5hxK276Prns6Op/qjCtWP9PfxQZZGRBq4WhJG8zoVsATrcXi5v9ulo8Wv&kXL=IR8x3xdhtDZDo HTTP/1.1 | Host: www.sh-zzjy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=DlDj4b1enWmfAZKfxgQAJvc2gBRdZlUrx2lzN81LRJr5fJ6P75G3daxk/kXjeAeayVM3&kXL=IR8x3xdhtDZDo HTTP/1.1 | Host: www.zrcezzfdfkyjlir.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=pWFD+tLrYKeToD1KMEgTTE+DlvT9wYkFe5dsU0F7Fzakf2kv+MLtj4lbMtCDbvpgbO1m&kXL=IR8x3xdhtDZDo HTTP/1.1 | Host: www.iafzal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=6ZiyAD0WbsnILW9skshccJUQJZ00spGUaUUFMt7jIZhEEaQshTVA3pGkMLGohXGeqNyo&kXL=IR8x3xdhtDZDo HTTP/1.1 | Host: www.nirvananaturalcbd.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96+3/t6llBoRk+wXl03wrkyTNzP4vjM3xTua4b/vQ4JbV31Pi&kXL=IR8x3xdhtDZDo HTTP/1.1 | Host: www.updates-app.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=sThjVoDGnNhVVqPbc3peDf/Cra5DhNXbrYT0A91inWiDGnxFPUQSzdJbzNWXTwBKB+6K&kXL=IR8x3xdhtDZDo HTTP/1.1 | Host: www.fbgroupsmadesimple.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 184.168.131.241 184.168.131.241
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: unknown | DNS traffic detected: queries for: www.boicity.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 22 Jul 2021 11:15:39 GMT | Server: Apache | Set-Cookie: is_mobile=0; path=/; domain=www.zrcezzfdfkyjlir.com | Vary: X-W-SSL,User-Agent | Set-Cookie: language=en; expires=Thu, 05-Aug-2021 11:15:39 GMT; Max-Age=1209600; path=/ | Cache-Control: private | X-Host: pages3.sf2p.intern.weebly.net | X-UA-Compatible: IE=edge,chrome=1 | Content-Length: 3802 | Content-Type: text/html; charset=UTF-8
Source: NETSTAT.EXE, 0000000A.00000002.903760107.0000000003AC2000.00000004.00000001.sdmp | String found in binary or memory: http://050005.voodoo.com/js/partner.js
Source: NQBNpLezqZKv1P4.exe | String found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.639552016.000000000555D000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com(
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.639552016.000000000555D000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comp
Source: NQBNpLezqZKv1P4.exe | String found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
Source: explorer.exe, 00000005.00000000.702532502.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp, NQBNpLezqZKv1P4.exe, 00000000.00000003.641993343.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comR
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641810889.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641993343.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comen
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641993343.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comroa
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.645535031.000000000555E000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640649210.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/ct
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnAc
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnUc
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krklJ
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krylx
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.639209828.0000000005542000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coml
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr.kr
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr8l
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krbl
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641852644.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comicFf
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641852644.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comicwf
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnue
Source: NETSTAT.EXE, 0000000A.00000002.903760107.0000000003AC2000.00000004.00000001.sdmp | String found in binary or memory: https://www.updates-app.com/4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_004181B0 NtCreateFile,4_2_004181B0
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00418260 NtReadFile,4_2_00418260
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_004182E0 NtClose,4_2_004182E0
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00418390 NtAllocateVirtualMemory,4_2_00418390
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_004181AC NtCreateFile,4_2_004181AC
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00418202 NtCreateFile,4_2_00418202
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041840A NtAllocateVirtualMemory,4_2_0041840A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479710 NtQueryInformationToken,LdrInitializeThunk,10_2_03479710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479FE0 NtCreateMutant,LdrInitializeThunk,10_2_03479FE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479780 NtMapViewOfSection,LdrInitializeThunk,10_2_03479780
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479A50 NtCreateFile,LdrInitializeThunk,10_2_03479A50
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479650 NtQueryValueKey,LdrInitializeThunk,10_2_03479650
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479660 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_03479660
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034796D0 NtCreateKey,LdrInitializeThunk,10_2_034796D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034796E0 NtFreeVirtualMemory,LdrInitializeThunk,10_2_034796E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479540 NtReadFile,LdrInitializeThunk,10_2_03479540
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479910 NtAdjustPrivilegesToken,LdrInitializeThunk,10_2_03479910
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034795D0 NtClose,LdrInitializeThunk,10_2_034795D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034799A0 NtCreateSection,LdrInitializeThunk,10_2_034799A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479840 NtDelayExecution,LdrInitializeThunk,10_2_03479840
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479860 NtQuerySystemInformation,LdrInitializeThunk,10_2_03479860
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479760 NtOpenProcess,10_2_03479760
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479770 NtSetInformationFile,10_2_03479770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0347A770 NtOpenThread,10_2_0347A770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479B00 NtSetValueKey,10_2_03479B00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0347A710 NtOpenProcessToken,10_2_0347A710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479730 NtQueryVirtualMemory,10_2_03479730
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034797A0 NtUnmapViewOfSection,10_2_034797A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0347A3B0 NtGetContextThread,10_2_0347A3B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479670 NtQueryInformationProcess,10_2_03479670
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479A00 NtProtectVirtualMemory,10_2_03479A00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479610 NtEnumerateValueKey,10_2_03479610
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479A10 NtQuerySection,10_2_03479A10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479A20 NtResumeThread,10_2_03479A20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479A80 NtOpenDirectoryObject,10_2_03479A80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479950 NtQueueApcThread,10_2_03479950
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479560 NtWriteFile,10_2_03479560
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479520 NtWaitForSingleObject,10_2_03479520
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0347AD30 NtSetContextThread,10_2_0347AD30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034799D0 NtCreateProcessEx,10_2_034799D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034795F0 NtQueryInformationFile,10_2_034795F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0347B040 NtSuspendThread,10_2_0347B040
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03479820 NtEnumerateKey,10_2_03479820
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034798F0 NtReadVirtualMemory,10_2_034798F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034798A0 NtWriteVirtualMemory,10_2_034798A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_009681B0 NtCreateFile,10_2_009681B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_009682E0 NtClose,10_2_009682E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00968260 NtReadFile,10_2_00968260
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00968390 NtAllocateVirtualMemory,10_2_00968390
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_009681AC NtCreateFile,10_2_009681AC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00968202 NtCreateFile,10_2_00968202
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096840A NtAllocateVirtualMemory,10_2_0096840A
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041B84A4_2_0041B84A
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_004010304_2_00401030
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00408C4C4_2_00408C4C
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00408C504_2_00408C50
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041B4964_2_0041B496
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041CD524_2_0041CD52
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041C5144_2_0041C514
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041C5274_2_0041C527
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00402D884_2_00402D88
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00402D904_2_00402D90
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041CDA74_2_0041CDA7
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041CE794_2_0041CE79
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041BE0B4_2_0041BE0B
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041CF314_2_0041CF31
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00402FB04_2_00402FB0
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0049BF7F4_2_0049BF7F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346EBB010_2_0346EBB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03456E3010_2_03456E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03501D5510_2_03501D55
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343F90010_2_0343F900
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03430D2010_2_03430D20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345412010_2_03454120
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344D5E010_2_0344D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346258110_2_03462581
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F100210_2_034F1002
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344841F10_2_0344841F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344B09010_2_0344B090
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096B49610_2_0096B496
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00958C5010_2_00958C50
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00958C4C10_2_00958C4C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00952D9010_2_00952D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00952D8810_2_00952D88
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096CDA710_2_0096CDA7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096C51410_2_0096C514
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096C52710_2_0096C527
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096CD5210_2_0096CD52
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096CE7910_2_0096CE79
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00952FB010_2_00952FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096CF3110_2_0096CF31
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 0343B150 appears 32 times
          Source: NQBNpLezqZKv1P4.exe, 00000000.00000000.636900304.0000000000102000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameFixedBufferAttribu.exe8 vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exeBinary or memory string: OriginalFilename vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exe, 00000004.00000003.697053653.0000000000DD6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamenetstat.exej% vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exe, 00000004.00000000.696683735.0000000000492000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameFixedBufferAttribu.exe8 vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exeBinary or memory string: OriginalFilenameFixedBufferAttribu.exe8 vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: NQBNpLezqZKv1P4.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: NQBNpLezqZKv1P4.exe, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.0.NQBNpLezqZKv1P4.exe.100000.0.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.0.NQBNpLezqZKv1P4.exe.490000.0.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.2.NQBNpLezqZKv1P4.exe.490000.1.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@7/6
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NQBNpLezqZKv1P4.exe.log
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
          Source: NQBNpLezqZKv1P4.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: unknownProcess created: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeProcess created: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeProcess created: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: NQBNpLezqZKv1P4.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: NQBNpLezqZKv1P4.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.715863977.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772737202.0000000000FF0000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000A.00000002.903338998.000000000352F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772737202.0000000000FF0000.00000040.00000001.sdmp, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.715863977.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041522D push esi; retf 4_2_00415240
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041B3F2 push eax; ret 4_2_0041B3F8
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041B3FB push eax; ret 4_2_0041B462
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041B3A5 push eax; ret 4_2_0041B3F8
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0041B45C push eax; ret 4_2_0041B462
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_0040F646 push edi; retf 4_2_0040F64A
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00415628 push ss; iretd 4_2_00415637
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeCode function: 4_2_00414E32 push ds; iretd 4_2_00414E33
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0348D0D1 push ecx; ret 10_2_0348D0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096522D push esi; retf 10_2_00965240
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096B3A5 push eax; ret 10_2_0096B3F8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096B3F2 push eax; ret 10_2_0096B3F8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096B3FB push eax; ret 10_2_0096B462
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0096B45C push eax; ret 10_2_0096B462
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00964E32 push ds; iretd 10_2_00964E33
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_00965628 push ss; iretd 10_2_00965637
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0095F646 push edi; retf 10_2_0095F64A
          Source: initial sampleStatic PE information: section name: .text entropy: 7.57888986763
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion: