Windows Analysis Report
QMassAutoQContours81.exe

Overview

General Information

Sample name: QMassAutoQContours81.exe
Analysis ID: 1430477
MD5: f1064102179e389886972306e68c085c
SHA1: 8e8b89e726b00c45ad3e1ef6e32f34209a64d525
SHA256: c699a8d9b8a485e7c994292e304db8d6d37b450b9ef0512d2f5c50cedde378c3

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: QMassAutoQContours81.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: QMassAutoQContours81.exe String found in binary or memory: http://dicom.nema.org/PS3.19/models/NativeDICOM
Source: QMassAutoQContours81.exe String found in binary or memory: http://dicom.offis.de/dcmtk
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/common
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/commonhttp://www.jclark.com/xtxsltSortComp:
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/crypto
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/cryptomd4md5sha1rc4_encryptrc4_decryptmath:min:
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/dates-and-times
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/dates-and-timesaddadd-durationdate-timeday-abbreviationday-in-monthday-in-weekday-i
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/dynamic
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/functions
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/math
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/mathminmaxhighestlowestconstantrandomabssqrtpowersincostanasinacosatanatan2exp
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/sets
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/setsdifferenceintersectiondistincthas-same-nodeleadingtrailingexsltFuncRegisterFunc
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/strings
Source: QMassAutoQContours81.exe String found in binary or memory: http://exslt.org/stringstokenizesplitencode-uridecode-uripaddingJanuaryFebruaryMarchAprilMayJuneJuly
Source: QMassAutoQContours81.exe String found in binary or memory: http://icl.com/saxon
Source: QMassAutoQContours81.exe String found in binary or memory: http://icl.com/saxonFound
Source: QMassAutoQContours81.exe String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: QMassAutoQContours81.exe String found in binary or memory: http://www.jclark.com/xt
Source: QMassAutoQContours81.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: QMassAutoQContours81.exe String found in binary or memory: http://www.winimage.com/zLibDll1.2.11
Source: QMassAutoQContours81.exe String found in binary or memory: http://www.winimage.com/zLibDllqiodevice_seek_file_func()
Source: QMassAutoQContours81.exe String found in binary or memory: http://xmlsoft.org/XSLT/
Source: QMassAutoQContours81.exe String found in binary or memory: http://xmlsoft.org/XSLT/namespace
Source: QMassAutoQContours81.exe String found in binary or memory: http://xmlsoft.org/XSLT/namespacenode-setdebugFile
Source: QMassAutoQContours81.exe String found in binary or memory: http://xmlsoft.org/XSLT/test10132
Source: QMassAutoQContours81.exe, 00000000.00000000.2112164324.00007FF64B7A9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQMassAutoQContoursJ vs QMassAutoQContours81.exe
Source: QMassAutoQContours81.exe Binary or memory string: OriginalFilenameQMassAutoQContoursJ vs QMassAutoQContours81.exe
Source: classification engine Classification label: clean1.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: QMassAutoQContours81.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: QMassAutoQContours81.exe String found in binary or memory: //Applications/Application/AddIns/AddIn
Source: QMassAutoQContours81.exe String found in binary or memory: D:\jenkins\workspace\R-Framework_PRODUCTION\source\cms6\source\engage\logic\cmsapplkernel\source\CmsAddInManager.cppfalse == configFileName.isEmpty ()//Applications/Application/AddIns/AddInAddin %1 failed to initialize.No add-ins registered.%1 #%2Add-in %1 (%2) loaded successfully.Add-in %1 (%2) failed to load.Could not unload add-in: %1
Source: QMassAutoQContours81.exe String found in binary or memory: Peer-Address
Source: QMassAutoQContours81.exe String found in binary or memory: ..\..\..\..\src\stream_user.cpp!plugged!sessionsession_metadata == NULLplugged!io_errordecoderprocessed <= insizehandshakingn > 0input_stoppedsession != NULLdecoder != NULLgreeting_bytes_read < greeting_sizeoptions.mechanism == ZMQ_NULL || options.mechanism == ZMQ_PLAIN || options.mechanism == ZMQ_CURVE || options.mechanism == ZMQ_GSSAPIPLAINGSSAPICURVEbuffer_size == header_sizeNULLPLAINCURVEmechanism != NULLsession!has_handshake_timerPeer-Address
Source: QMassAutoQContours81.exe String found in binary or memory: kernel32LoadLibraryExA\/AddDllDirectoryDevSDK_Licensing_ExternalProductDLL_Release_x64.dll
Source: unknown Process created: C:\Users\user\Desktop\QMassAutoQContours81.exe "C:\Users\user\Desktop\QMassAutoQContours81.exe"
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: lsdcod64.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: qt5winextras.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: qt5xml.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: qt5network.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: qt5concurrent.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: qt5widgets.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: qt5gui.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: qt5core.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: avifil32.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: picx20.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: lsapiw64.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\QMassAutoQContours81.exe Section loaded: activeds.dll
Source: QMassAutoQContours81.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QMassAutoQContours81.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: QMassAutoQContours81.exe Static file information: File size 24452608 > 1048576
Source: QMassAutoQContours81.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10ed200
Source: QMassAutoQContours81.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x4c7000
Source: QMassAutoQContours81.exe Static PE information: More than 200 imports for Qt5Widgets.dll
Source: QMassAutoQContours81.exe Static PE information: More than 200 imports for Qt5Gui.dll
Source: QMassAutoQContours81.exe Static PE information: More than 200 imports for Qt5Core.dll
Source: QMassAutoQContours81.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QMassAutoQContours81.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QMassAutoQContours81.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QMassAutoQContours81.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QMassAutoQContours81.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QMassAutoQContours81.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: QMassAutoQContours81.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QMassAutoQContours81.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QMassAutoQContours81.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QMassAutoQContours81.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QMassAutoQContours81.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
No contacted IP infos