Source: qd_x86.exe |
ReversingLabs: Detection: 35% |
Source: qd_x86.exe |
Virustotal: Detection: 42% |
Perma Link |
Source: qd_x86.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: qd_x86.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: Z:\j\projects\qbot4\Release\Win32\qd_x86.pdb source: qd_x86.exe |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00568074 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
0_2_00568074 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00567C8A FindFirstFileExW, |
0_2_00567C8A |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005821A0 |
0_2_005821A0 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00554243 |
0_2_00554243 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005723EF |
0_2_005723EF |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0056C42E |
0_2_0056C42E |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005844C0 |
0_2_005844C0 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005545A2 |
0_2_005545A2 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00580800 |
0_2_00580800 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00554910 |
0_2_00554910 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0053ABC1 |
0_2_0053ABC1 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00554C6F |
0_2_00554C6F |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0058EC3F |
0_2_0058EC3F |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0057AD5D |
0_2_0057AD5D |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00554FCD |
0_2_00554FCD |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00539068 |
0_2_00539068 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0057D200 |
0_2_0057D200 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005352FF |
0_2_005352FF |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00571370 |
0_2_00571370 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0055533A |
0_2_0055533A |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00555698 |
0_2_00555698 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0055386E |
0_2_0055386E |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005718A0 |
0_2_005718A0 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0058F9AF |
0_2_0058F9AF |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00555A8C |
0_2_00555A8C |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00553BB0 |
0_2_00553BB0 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0057DC08 |
0_2_0057DC08 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00571CF0 |
0_2_00571CF0 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00535EEE |
0_2_00535EEE |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00555E8F |
0_2_00555E8F |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0056FE89 |
0_2_0056FE89 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00553F01 |
0_2_00553F01 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: String function: 00536E70 appears 63 times |
|
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: String function: 00531140 appears 54 times |
|
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: String function: 00561F12 appears 35 times |
|
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: String function: 00562DA3 appears 56 times |
|
Source: qd_x86.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine |
Classification label: mal60.evad.winEXE@2/1@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Command line argument: ~LX |
0_2_00584BD0 |
Source: qd_x86.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\qd_x86.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: qd_x86.exe |
ReversingLabs: Detection: 35% |
Source: qd_x86.exe |
Virustotal: Detection: 42% |
Source: unknown |
Process created: C:\Users\user\Desktop\qd_x86.exe "C:\Users\user\Desktop\qd_x86.exe" |
Source: C:\Users\user\Desktop\qd_x86.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: netapi32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: samcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: logoncli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: wkscli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: qd_x86.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: qd_x86.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: qd_x86.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: qd_x86.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: qd_x86.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: qd_x86.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: qd_x86.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: qd_x86.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: Z:\j\projects\qbot4\Release\Win32\qd_x86.pdb source: qd_x86.exe |
Source: qd_x86.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: qd_x86.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: qd_x86.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: qd_x86.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: qd_x86.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00533E91 LoadLibraryA,GetProcAddress, |
0_2_00533E91 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00584D3B push ecx; ret |
0_2_00584D4E |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00536EC0 push ecx; ret |
0_2_00536ED3 |
Source: C:\Users\user\Desktop\qd_x86.exe |
File Queried: C:\INTERNAL\__empty |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00568074 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
0_2_00568074 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00567C8A FindFirstFileExW, |
0_2_00567C8A |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00534540 GetSystemInfo, |
0_2_00534540 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005622A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_005622A5 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00533E91 LoadLibraryA,GetProcAddress, |
0_2_00533E91 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_0056D5EA GetProcessHeap, |
0_2_0056D5EA |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005622A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_005622A5 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00536C0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00536C0A |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00536DA0 SetUnhandledExceptionFilter, |
0_2_00536DA0 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005372F7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_005372F7 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00537109 cpuid |
0_2_00537109 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: EnumSystemLocalesW, |
0_2_00562779 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: EnumSystemLocalesW, |
0_2_005628E6 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: EnumSystemLocalesW, |
0_2_00562918 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: GetACP,IsValidCodePage,GetLocaleInfoW, |
0_2_0056C9C1 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: EnumSystemLocalesW, |
0_2_0056CC6D |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: EnumSystemLocalesW, |
0_2_0056CCD6 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: EnumSystemLocalesW, |
0_2_0056CD71 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_0056CDFC |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: GetLocaleInfoW, |
0_2_0056D04F |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_0056D178 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: GetLocaleInfoW, |
0_2_0056325F |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: GetLocaleInfoW, |
0_2_0056D27E |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_0056D354 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_005313B0 CreateNamedPipeA,ConnectNamedPipe,GetLastError,ReadFile,GetLastError,DisconnectNamedPipe, |
0_2_005313B0 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00536ADF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00536ADF |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00531AD0 GetFileAttributesW,GetModuleHandleA,GetUserNameW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,Sleep,lstrlenA, |
0_2_00531AD0 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Code function: 0_2_00534767 GetCurrentProcessId,GetLastError,KiUserCallbackDispatcher,GetVersionExA,GetWindowsDirectoryW, |
0_2_00534767 |
Source: C:\Users\user\Desktop\qd_x86.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |