Analysis Report QgWIrI5nvn

AV Detection:

Found malware configuration

Source: 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["47.36.140.164:80", "169.50.76.149:8080", "162.241.140.129:8080", "104.131.123.136:443", "95.213.236.64:8080", "130.0.132.242:80", "123.176.25.234:80", "46.105.131.79:8080", "157.245.99.39:8080", "79.98.24.39:8080", "49.50.209.131:80", "72.143.73.234:443", "50.91.114.38:80", "89.216.122.92:80", "5.39.91.110:7080", "121.124.124.40:7080", "71.72.196.159:80", "5.196.74.210:8080", "139.162.108.71:8080", "61.19.246.238:443", "91.211.88.52:7080", "120.150.60.189:80", "137.59.187.107:8080", "139.59.60.244:8080", "124.41.215.226:80", "194.187.133.160:443", "50.35.17.13:80", "75.139.38.211:80", "96.249.236.156:443", "78.188.106.53:443", "62.75.141.82:80", "190.108.228.27:443", "218.147.193.146:80", "94.23.237.171:443", "139.162.60.124:8080", "96.245.227.43:80", "174.106.122.139:80", "113.61.66.94:80", "93.147.212.206:80", "203.153.216.189:7080", "104.131.11.150:443", "94.200.114.161:80", "87.106.136.232:8080", "69.206.132.149:80", "172.91.208.86:80", "110.145.77.103:80", "188.219.31.12:80", "71.15.245.148:8080", "121.7.31.214:80", "97.82.79.83:80", "42.200.107.142:80", "185.94.252.104:443", "168.235.67.138:7080", "91.146.156.228:80", "24.137.76.62:80", "87.106.139.101:8080", "5.196.108.189:8080", "194.4.58.192:7080", "110.142.236.207:80", "24.179.13.119:80", "75.143.247.51:80", "172.104.97.173:8080", "216.139.123.119:80", "118.83.154.64:443", "109.74.5.95:8080", "104.131.44.150:8080", "37.139.21.175:8080", "139.99.158.11:443", "220.245.198.194:80", "140.186.212.146:80", "78.24.219.147:8080", "176.111.60.55:8080", "37.187.72.193:8080", "162.241.242.173:8080", "209.141.54.221:8080", "108.46.29.236:80", "103.86.49.11:8080", "174.45.13.118:80", "68.252.26.78:80", "62.30.7.67:443", "134.209.36.254:8080", "120.150.218.241:443", "79.137.83.50:443", "85.25.106.204:8080", "186.74.215.34:80", "80.241.255.202:8080", "24.43.32.186:80", "76.175.162.101:80", "190.240.194.77:443", "47.144.21.12:443", "47.36.140.164:80", "169.50.76.149:8080", "162.241.140.129:8080", "104.131.123.136:443", "95.213.236.64:8080", "130.0.132.242:80", "123.176.25.234:80", "46.105.131.79:8080", "157.245.99.39:8080", "79.98.24.39:8080", "49.50.209.131:80", "72.143.73.234:443", "50.91.114.38:80", "89.216.122.92:80", "5.39.91.110:7080", "121.124.124.40:7080", "71.72.196.159:80", "5.196.74.210:8080", "139.162.108.71:8080", "61.19.246.238:443", "91.211.88.52:7080", "120.150.60.189:80", "137.59.187.107:8080", "139.59.60.244:8080", "124.41.215.226:80", "194.187.133.160:443", "50.35.17.13:80", "75.139.38.211:80", "96.249.236.156:443", "78.188.106.53:443", "62.75.141.82:80", "190.108.228.27:443", "218.147.193.146:80", "94.23.237.171:443", "139.162.60.124:8080", "96.245.227.43:80", "174.106.122.139:80", "113.61.66.94:80", "93.147.212.206:80", "203.153.216.189:7080", "104.131.11.150:443", "94.200.114.161:80", "87.106.136.232:8080", "69.206.132.149:80", "172.91.208.86:80", "110.145.77.103:80", "188.219.31.12:80", "71.15.245.148:8080", "121.7.31.214:80", "97.82.79.83:80", "42.200.107.14

Source: 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["47.36.140.164:80", "169.50.76.149:8080", "162.241.140.129:8080", "104.131.123.136:443", "95.213.236.64:8080", "130.0.132.242:80", "123.176.25.234:80", "46.105.131.79:8080", "157.245.99.39:8080", "79.98.24.39:8080", "49.50.209.131:80", "72.143.73.234:443", "50.91.114.38:80", "89.216.122.92:80", "5.39.91.110:7080", "121.124.124.40:7080", "71.72.196.159:80", "5.196.74.210:8080", "139.162.108.71:8080", "61.19.246.238:443", "91.211.88.52:7080", "120.150.60.189:80", "137.59.187.107:8080", "139.59.60.244:8080", "124.41.215.226:80", "194.187.133.160:443", "50.35.17.13:80", "75.139.38.211:80", "96.249.236.156:443", "78.188.106.53:443", "62.75.141.82:80", "190.108.228.27:443", "218.147.193.146:80", "94.23.237.171:443", "139.162.60.124:8080", "96.245.227.43:80", "174.106.122.139:80", "113.61.66.94:80", "93.147.212.206:80", "203.153.216.189:7080", "104.131.11.150:443", "94.200.114.161:80", "87.106.136.232:8080", "69.206.132.149:80", "172.91.208.86:80", "110.145.77.103:80", "188.219.31.12:80", "71.15.245.148:8080", "121.7.31.214:80", "97.82.79.83:80", "42.200.107.142:80", "185.94.252.104:443", "168.235.67.138:7080", "91.146.156.228:80", "24.137.76.62:80", "87.106.139.101:8080", "5.196.108.189:8080", "194.4.58.192:7080", "110.142.236.207:80", "24.179.13.119:80", "75.143.247.51:80", "172.104.97.173:8080", "216.139.123.119:80", "118.83.154.64:443", "109.74.5.95:8080", "104.131.44.150:8080", "37.139.21.175:8080", "139.99.158.11:443", "220.245.198.194:80", "140.186.212.146:80", "78.24.219.147:8080", "176.111.60.55:8080", "37.187.72.193:8080", "162.241.242.173:8080", "209.141.54.221:8080", "108.46.29.236:80", "103.86.49.11:8080", "174.45.13.118:80", "68.252.26.78:80", "62.30.7.67:443", "134.209.36.254:8080", "120.150.218.241:443", "79.137.83.50:443", "85.25.106.204:8080", "186.74.215.34:80", "80.241.255.202:8080", "24.43.32.186:80", "76.175.162.101:80", "190.240.194.77:443", "47.144.21.12:443", "47.36.140.164:80", "169.50.76.149:8080", "162.241.140.129:8080", "104.131.123.136:443", "95.213.236.64:8080", "130.0.132.242:80", "123.176.25.234:80", "46.105.131.79:8080", "157.245.99.39:8080", "79.98.24.39:8080", "49.50.209.131:80", "72.143.73.234:443", "50.91.114.38:80", "89.216.122.92:80", "5.39.91.110:7080", "121.124.124.40:7080", "71.72.196.159:80", "5.196.74.210:8080", "139.162.108.71:8080", "61.19.246.238:443", "91.211.88.52:7080", "120.150.60.189:80", "137.59.187.107:8080", "139.59.60.244:8080", "124.41.215.226:80", "194.187.133.160:443", "50.35.17.13:80", "75.139.38.211:80", "96.249.236.156:443", "78.188.106.53:443", "62.75.141.82:80", "190.108.228.27:443", "218.147.193.146:80", "94.23.237.171:443", "139.162.60.124:8080", "96.245.227.43:80", "174.106.122.139:80", "113.61.66.94:80", "93.147.212.206:80", "203.153.216.189:7080", "104.131.11.150:443", "94.200.114.161:80", "87.106.136.232:8080", "69.206.132.149:80", "172.91.208.86:80", "110.145.77.103:80", "188.219.31.12:80", "71.15.245.148:8080", "121.7.31.214:80", "97.82.79.83:80", "42.200.107.14

Multi AV Scanner detection for submitted file

Source: QgWIrI5nvn.exe	Virustotal: Detection: 52%			Perma Link
Source: QgWIrI5nvn.exe	Metadefender: Detection: 43%			Perma Link
Source: QgWIrI5nvn.exe	ReversingLabs: Detection: 62%
Source: QgWIrI5nvn.exe	Virustotal: Detection: 52%			Perma Link
Source: QgWIrI5nvn.exe	Metadefender: Detection: 43%			Perma Link
Source: QgWIrI5nvn.exe	ReversingLabs: Detection: 62%

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.QgWIrI5nvn.exe.830000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.2.calc.exe.610000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.QgWIrI5nvn.exe.830000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.2.calc.exe.610000.2.unpack	Avira: Label: TR/Dropper.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00439132 lstrlenA,FindFirstFileA,FindClose,		0_2_00439132
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		0_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_008337E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW,FindClose,		0_2_008337E0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00439132 lstrlenA,FindFirstFileA,FindClose,		0_2_00439132
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		0_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_008337E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW,FindClose,		0_2_008337E0
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_00439132 lstrlenA,FindFirstFileA,FindClose,		1_2_00439132
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		1_2_00437C5A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.5:49720 -> 47.36.140.164:80
Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.5:49720 -> 47.36.140.164:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 47.36.140.164 47.36.140.164
Source: Joe Sandbox View	IP Address: 47.36.140.164 47.36.140.164
Source: Joe Sandbox View	IP Address: 47.36.140.164 47.36.140.164
Source: Joe Sandbox View	IP Address: 47.36.140.164 47.36.140.164

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CHARTER-20115US CHARTER-20115US
Source: Joe Sandbox View	ASN Name: CHARTER-20115US CHARTER-20115US

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST /BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 47.36.140.164/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------------PdiMWQ75Db7NqC2aIJUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 47.36.140.164Content-Length: 4580Cache-Control: no-cache

Source: global traffic

HTTP traffic detected: POST /BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 47.36.140.164/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------------PdiMWQ75Db7NqC2aIJUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 47.36.140.164Content-Length: 4580Cache-Control: no-cache

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown	TCP traffic detected without corresponding DNS query: 47.36.140.164

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 47.36.140.164/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------------PdiMWQ75Db7NqC2aIJUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 47.36.140.164Content-Length: 4580Cache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 47.36.140.164/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------------PdiMWQ75Db7NqC2aIJUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 47.36.140.164Content-Length: 4580Cache-Control: no-cache

Urls found in memory or binary data

Source: calc.exe, 00000001.00000002.507116463.0000000002573000.00000004.00000001.sdmp	String found in binary or memory: http://47.36.140.164/BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000003.00000002.508237407.00000202E0E50000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000003.304698673.000001B8A2C49000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000002.304875218.000001B8A2C52000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000003.304698673.000001B8A2C49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000002.304885191.000001B8A2C61000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen6
Source: calc.exe, 00000001.00000002.507116463.0000000002573000.00000004.00000001.sdmp	String found in binary or memory: http://47.36.140.164/BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000003.00000002.508237407.00000202E0E50000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000003.304698673.000001B8A2C49000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000002.304875218.000001B8A2C52000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000003.304698673.000001B8A2C49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000002.304885191.000001B8A2C61000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen6

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: QgWIrI5nvn.exe, 00000000.00000002.239946887.000000000085A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: QgWIrI5nvn.exe, 00000000.00000002.239946887.000000000085A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00432EF6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		0_2_00432EF6
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0042F52E GetKeyState,GetKeyState,GetKeyState,GetKeyState,		0_2_0042F52E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00432EF6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		0_2_00432EF6
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0042F52E GetKeyState,GetKeyState,GetKeyState,GetKeyState,		0_2_0042F52E
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_00432EF6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		1_2_00432EF6
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_0042F52E GetKeyState,GetKeyState,GetKeyState,GetKeyState,		1_2_0042F52E

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506147931.0000000000611000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506045325.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239926495.0000000000831000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.505938111.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239911370.0000000000814000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.QgWIrI5nvn.exe.830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.calc.exe.610000.2.unpack, type: UNPACKEDPE

System Summary:

Creates files inside the system directory

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File created: C:\Windows\SysWOW64\udhisapi\			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File created: C:\Windows\SysWOW64\udhisapi\			Jump to behavior

Deletes files inside the Windows folder

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File deleted: C:\Windows\SysWOW64\udhisapi\calc.exe:Zone.Identifier			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File deleted: C:\Windows\SysWOW64\udhisapi\calc.exe:Zone.Identifier			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0043456A		0_2_0043456A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040BA2C		0_2_0040BA2C
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040FB95		0_2_0040FB95
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_008381B0		0_2_008381B0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00837DD0		0_2_00837DD0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00836500		0_2_00836500
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00837560		0_2_00837560
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833AF0		0_2_00833AF0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00831C90		0_2_00831C90
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833C10		0_2_00833C10
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833DF0		0_2_00833DF0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833E17		0_2_00833E17
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D90FE		0_2_007D90FE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D809E		0_2_007D809E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D568E		0_2_007D568E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D57AE		0_2_007D57AE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D382E		0_2_007D382E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D996E		0_2_007D996E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D59B5		0_2_007D59B5
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D598E		0_2_007D598E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D9D4E		0_2_007D9D4E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0043456A		0_2_0043456A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040BA2C		0_2_0040BA2C
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040FB95		0_2_0040FB95
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_008381B0		0_2_008381B0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00837DD0		0_2_00837DD0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00836500		0_2_00836500
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00837560		0_2_00837560
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833AF0		0_2_00833AF0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00831C90		0_2_00831C90
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833C10		0_2_00833C10
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833DF0		0_2_00833DF0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833E17		0_2_00833E17
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D90FE		0_2_007D90FE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D809E		0_2_007D809E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D568E		0_2_007D568E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D57AE		0_2_007D57AE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D382E		0_2_007D382E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D996E		0_2_007D996E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D59B5		0_2_007D59B5
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D598E		0_2_007D598E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D9D4E		0_2_007D9D4E
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_0043456A		1_2_0043456A
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_0040BA2C		1_2_0040BA2C
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_0040FB95		1_2_0040FB95

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: String function: 0040D9BC appears 65 times
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: String function: 0040BF04 appears 94 times
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: String function: 0040EFF6 appears 41 times
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: String function: 0040D9BC appears 65 times
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: String function: 0040BF04 appears 94 times
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: String function: 0040EFF6 appears 41 times
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: String function: 0040D9BC appears 65 times
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: String function: 0040BF04 appears 94 times
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: String function: 0040EFF6 appears 41 times

Sample file is different than original file name gathered from version info

Source: QgWIrI5nvn.exe	Binary or memory string: OriginalFilename vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.240208812.0000000002690000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamexwizard.exej% vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.240663521.0000000002DF0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.240663521.0000000002DF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.239758680.0000000000489000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameColorBoxSample.EXEV vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe	Binary or memory string: OriginalFilenameColorBoxSample.EXEV vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe	Binary or memory string: OriginalFilename vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.240208812.0000000002690000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamexwizard.exej% vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.240663521.0000000002DF0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.240663521.0000000002DF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.239758680.0000000000489000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameColorBoxSample.EXEV vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe	Binary or memory string: OriginalFilenameColorBoxSample.EXEV vs QgWIrI5nvn.exe

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Classification label

Source: classification engine

Classification label: mal92.troj.evad.winEXE@15/5@0/2

Contains functionality to instantiate COM classes

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00409468 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,		0_2_00409468
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00409468 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,		0_2_00409468

Contains functionality to load and extract PE file embedded resources

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00430785 FindResourceA,LoadResource,LockResource,FreeResource,		0_2_00430785
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00430785 FindResourceA,LoadResource,LockResource,FreeResource,		0_2_00430785

Contains functionality to modify services (start/stop/modify)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00834F20 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,		0_2_00834F20
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00834F20 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,		0_2_00834F20

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4416:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4416:120:WilError_01

Might use command line arguments

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: @u@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: @u@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Command line argument: Hu@		0_2_007E1BE7

PE file has an executable .text section and no other executable section

Source: QgWIrI5nvn.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QgWIrI5nvn.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File read: C:\Users\desktop.ini			Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Reads the hosts file

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: QgWIrI5nvn.exe	Virustotal: Detection: 52%
Source: QgWIrI5nvn.exe	Metadefender: Detection: 43%
Source: QgWIrI5nvn.exe	ReversingLabs: Detection: 62%
Source: QgWIrI5nvn.exe	Virustotal: Detection: 52%
Source: QgWIrI5nvn.exe	Metadefender: Detection: 43%
Source: QgWIrI5nvn.exe	ReversingLabs: Detection: 62%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\QgWIrI5nvn.exe 'C:\Users\user\Desktop\QgWIrI5nvn.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\udhisapi\calc.exe C:\Windows\SysWOW64\udhisapi\calc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Process created: C:\Windows\SysWOW64\udhisapi\calc.exe C:\Windows\SysWOW64\udhisapi\calc.exe			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable			Jump to behavior
Source: unknown	Process created: C:\Users\user\Desktop\QgWIrI5nvn.exe 'C:\Users\user\Desktop\QgWIrI5nvn.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\udhisapi\calc.exe C:\Windows\SysWOW64\udhisapi\calc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Process created: C:\Windows\SysWOW64\udhisapi\calc.exe C:\Windows\SysWOW64\udhisapi\calc.exe			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32			Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: xwizard.pdb source: QgWIrI5nvn.exe
Source:	Binary string: xwizard.pdb source: QgWIrI5nvn.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0043809A __EH_prolog,LoadLibraryA,GetProcAddress,		0_2_0043809A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0043809A __EH_prolog,LoadLibraryA,GetProcAddress,		0_2_0043809A

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040C244 push eax; retn 0040h		0_2_0040C245
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040D9F7 push ecx; ret		0_2_0040DA07
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040BB40 push eax; ret		0_2_0040BB54
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040BB40 push eax; ret		0_2_0040BB7C
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040BF04 push eax; ret		0_2_0040BF22
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835CA0 push ecx; mov dword ptr [esp], 0000ECEBh		0_2_00835CA1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835CF0 push ecx; mov dword ptr [esp], 0000DEB7h		0_2_00835CF1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835C40 push ecx; mov dword ptr [esp], 00004180h		0_2_00835C41
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835DB0 push ecx; mov dword ptr [esp], 0000F636h		0_2_00835DB1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835D50 push ecx; mov dword ptr [esp], 000097F2h		0_2_00835D51
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835E80 push ecx; mov dword ptr [esp], 00002BE4h		0_2_00835E81
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835EF0 push ecx; mov dword ptr [esp], 000066B1h		0_2_00835EF1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835E10 push ecx; mov dword ptr [esp], 0000AF8Ah		0_2_00835E11
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835E40 push ecx; mov dword ptr [esp], 00002B63h		0_2_00835E41
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835F90 push ecx; mov dword ptr [esp], 0000765Fh		0_2_00835F91
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835F50 push ecx; mov dword ptr [esp], 00000282h		0_2_00835F51
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007E304F push ecx; ret		0_2_007E3062
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007E3646 push ecx; ret		0_2_007E3659
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007DD6DB push ecx; retf		0_2_007DD6F0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D77DE push ecx; mov dword ptr [esp], 00004180h		0_2_007D77DF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D783E push ecx; mov dword ptr [esp], 0000ECEBh		0_2_007D783F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D78EE push ecx; mov dword ptr [esp], 000097F2h		0_2_007D78EF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D788E push ecx; mov dword ptr [esp], 0000DEB7h		0_2_007D788F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D794E push ecx; mov dword ptr [esp], 0000F636h		0_2_007D794F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007DD948 push edi; retf		0_2_007DD94D
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D79DE push ecx; mov dword ptr [esp], 00002B63h		0_2_007D79DF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D79AE push ecx; mov dword ptr [esp], 0000AF8Ah		0_2_007D79AF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D7A1E push ecx; mov dword ptr [esp], 00002BE4h		0_2_007D7A1F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D7AEE push ecx; mov dword ptr [esp], 00000282h		0_2_007D7AEF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D7A8E push ecx; mov dword ptr [esp], 000066B1h		0_2_007D7A8F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D7B2E push ecx; mov dword ptr [esp], 0000765Fh		0_2_007D7B2F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040C244 push eax; retn 0040h		0_2_0040C245
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040D9F7 push ecx; ret		0_2_0040DA07
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040BB40 push eax; ret		0_2_0040BB54
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040BB40 push eax; ret		0_2_0040BB7C
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040BF04 push eax; ret		0_2_0040BF22
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835CA0 push ecx; mov dword ptr [esp], 0000ECEBh		0_2_00835CA1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835CF0 push ecx; mov dword ptr [esp], 0000DEB7h		0_2_00835CF1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835C40 push ecx; mov dword ptr [esp], 00004180h		0_2_00835C41
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835DB0 push ecx; mov dword ptr [esp], 0000F636h		0_2_00835DB1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835D50 push ecx; mov dword ptr [esp], 000097F2h		0_2_00835D51
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835E80 push ecx; mov dword ptr [esp], 00002BE4h		0_2_00835E81
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835EF0 push ecx; mov dword ptr [esp], 000066B1h		0_2_00835EF1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835E10 push ecx; mov dword ptr [esp], 0000AF8Ah		0_2_00835E11
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835E40 push ecx; mov dword ptr [esp], 00002B63h		0_2_00835E41
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835F90 push ecx; mov dword ptr [esp], 0000765Fh		0_2_00835F91
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00835F50 push ecx; mov dword ptr [esp], 00000282h		0_2_00835F51
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007E304F push ecx; ret		0_2_007E3062
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007E3646 push ecx; ret		0_2_007E3659
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007DD6DB push ecx; retf		0_2_007DD6F0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D77DE push ecx; mov dword ptr [esp], 00004180h		0_2_007D77DF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D783E push ecx; mov dword ptr [esp], 0000ECEBh		0_2_007D783F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D78EE push ecx; mov dword ptr [esp], 000097F2h		0_2_007D78EF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D788E push ecx; mov dword ptr [esp], 0000DEB7h		0_2_007D788F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D794E push ecx; mov dword ptr [esp], 0000F636h		0_2_007D794F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007DD948 push edi; retf		0_2_007DD94D
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D79DE push ecx; mov dword ptr [esp], 00002B63h		0_2_007D79DF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D79AE push ecx; mov dword ptr [esp], 0000AF8Ah		0_2_007D79AF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D7A1E push ecx; mov dword ptr [esp], 00002BE4h		0_2_007D7A1F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D7AEE push ecx; mov dword ptr [esp], 00000282h		0_2_007D7AEF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D7A8E push ecx; mov dword ptr [esp], 000066B1h		0_2_007D7A8F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D7B2E push ecx; mov dword ptr [esp], 0000765Fh		0_2_007D7B2F

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Executable created and started: C:\Windows\SysWOW64\udhisapi\calc.exe			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Executable created and started: C:\Windows\SysWOW64\udhisapi\calc.exe			Jump to behavior

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	PE file moved: C:\Windows\SysWOW64\udhisapi\calc.exe			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	PE file moved: C:\Windows\SysWOW64\udhisapi\calc.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File opened: C:\Windows\SysWOW64\udhisapi\calc.exe:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File opened: C:\Windows\SysWOW64\udhisapi\calc.exe:Zone.Identifier read attributes | delete			Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_004010FA IsIconic,		0_2_004010FA
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00401307 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		0_2_00401307
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00404FF9 IsIconic,GetWindowPlacement,GetWindowRect,		0_2_00404FF9
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_004010FA IsIconic,		0_2_004010FA
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00401307 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		0_2_00401307
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00404FF9 IsIconic,GetWindowPlacement,GetWindowRect,		0_2_00404FF9
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_004010FA IsIconic,		1_2_004010FA
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_00401307 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		1_2_00401307
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_00404FF9 IsIconic,GetWindowPlacement,GetWindowRect,		1_2_00404FF9

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,		0_2_00834F20
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,		0_2_00834F20

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 6064	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6064	Thread sleep time: -30000s >= -30000s			Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Checks the free space of harddrives

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00439132 lstrlenA,FindFirstFileA,FindClose,		0_2_00439132
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		0_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_008337E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW,FindClose,		0_2_008337E0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00439132 lstrlenA,FindFirstFileA,FindClose,		0_2_00439132
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		0_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_008337E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW,FindClose,		0_2_008337E0
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_00439132 lstrlenA,FindFirstFileA,FindClose,		1_2_00439132
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,		1_2_00437C5A

Contains functionality to query system information

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040B946 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,		0_2_0040B946
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0040B946 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,		0_2_0040B946

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: svchost.exe, 00000003.00000002.508930823.00000202E1061000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000003.00000002.506139904.00000202DB82A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`S
Source: calc.exe, 00000001.00000002.507137958.000000000258A000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.508890012.00000202E104C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.506067661.00000150F8C29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 00000003.00000002.508930823.00000202E1061000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000003.00000002.506139904.00000202DB82A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`S
Source: calc.exe, 00000001.00000002.507137958.000000000258A000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.508890012.00000202E104C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.506067661.00000150F8C29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information queried: ProcessInformation			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Process information queried: ProcessInformation			Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00401014 GetModuleHandleExA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,GetCurrentProcess,VirtualAllocExNuma,		0_2_00401014
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00401014 GetModuleHandleExA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,GetCurrentProcess,VirtualAllocExNuma,		0_2_00401014

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0043809A __EH_prolog,LoadLibraryA,GetProcAddress,		0_2_0043809A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0043809A __EH_prolog,LoadLibraryA,GetProcAddress,		0_2_0043809A

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00834CD0 mov eax, dword ptr fs:[00000030h]		0_2_00834CD0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833DF0 mov eax, dword ptr fs:[00000030h]		0_2_00833DF0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D0456 mov eax, dword ptr fs:[00000030h]		0_2_007D0456
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D686E mov eax, dword ptr fs:[00000030h]		0_2_007D686E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D095E mov eax, dword ptr fs:[00000030h]		0_2_007D095E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D598E mov eax, dword ptr fs:[00000030h]		0_2_007D598E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00811030 mov eax, dword ptr fs:[00000030h]		0_2_00811030
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00834CD0 mov eax, dword ptr fs:[00000030h]		0_2_00834CD0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833DF0 mov eax, dword ptr fs:[00000030h]		0_2_00833DF0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D0456 mov eax, dword ptr fs:[00000030h]		0_2_007D0456
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D686E mov eax, dword ptr fs:[00000030h]		0_2_007D686E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D095E mov eax, dword ptr fs:[00000030h]		0_2_007D095E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_007D598E mov eax, dword ptr fs:[00000030h]		0_2_007D598E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00811030 mov eax, dword ptr fs:[00000030h]		0_2_00811030

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833000 PathFindExtensionW,GetProcessHeap,RtlAllocateHeap,		0_2_00833000
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00833000 PathFindExtensionW,GetProcessHeap,RtlAllocateHeap,		0_2_00833000

Contains functionality to register its own exception handler

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00413296 SetUnhandledExceptionFilter,		0_2_00413296
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_004132AA SetUnhandledExceptionFilter,		0_2_004132AA
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00413296 SetUnhandledExceptionFilter,		0_2_00413296
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_004132AA SetUnhandledExceptionFilter,		0_2_004132AA
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_00413296 SetUnhandledExceptionFilter,		1_2_00413296
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: 1_2_004132AA SetUnhandledExceptionFilter,		1_2_004132AA

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Network Connect: 47.36.140.164 80			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Network Connect: 47.36.140.164 80			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoA,		0_2_00418EFB
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoA,		0_2_00417285
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,		0_2_00419451
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: _strlen,EnumSystemLocalesA,		0_2_0041941A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: _strlen,EnumSystemLocalesA,		0_2_004194D7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,		0_2_0041952C
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,		0_2_0041B8CE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,		0_2_00455912
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,		0_2_0041B9FE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,		0_2_0041B98A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,		0_2_0041BAB1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,		0_2_00401325
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoA,		0_2_00418EFB
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoA,		0_2_00417285
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,		0_2_00419451
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: _strlen,EnumSystemLocalesA,		0_2_0041941A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: _strlen,EnumSystemLocalesA,		0_2_004194D7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,		0_2_0041952C
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,		0_2_0041B8CE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,		0_2_00455912
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,		0_2_0041B9FE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,		0_2_0041B98A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,		0_2_0041BAB1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,		0_2_00401325
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: GetLocaleInfoA,		1_2_00418EFB
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: GetLocaleInfoA,		1_2_00417285
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,		1_2_00419451
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: _strlen,EnumSystemLocalesA,		1_2_0041941A
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: _strlen,EnumSystemLocalesA,		1_2_004194D7
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,		1_2_0041952C
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,		1_2_0041B8CE
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,		1_2_00455912
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,		1_2_0041B9FE
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,		1_2_0041B98A
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,		1_2_0041BAB1
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,		1_2_00401325

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Contains functionality to query local / system time

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00412108 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,		0_2_00412108
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_00412108 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,		0_2_00412108

Contains functionality to query time zone information

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0041508B _strlen,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,		0_2_0041508B
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0041508B _strlen,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,		0_2_0041508B

Contains functionality to query windows version

Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0045851E GetVersion,LoadCursorA,LoadCursorA,LoadCursorA,		0_2_0045851E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe	Code function: 0_2_0045851E GetVersion,LoadCursorA,LoadCursorA,LoadCursorA,		0_2_0045851E

Queries the cryptographic machine GUID

Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval			Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 0000000A.00000002.505531345.0000020A84813000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.505589116.0000020A8483D000.00000004.00000001.sdmp	Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.505531345.0000020A84813000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.505589116.0000020A8483D000.00000004.00000001.sdmp	Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506147931.0000000000611000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506045325.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239926495.0000000000831000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.505938111.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239911370.0000000000814000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.QgWIrI5nvn.exe.830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.calc.exe.610000.2.unpack, type: UNPACKEDPE