Analysis Report QgWIrI5nvn

Overview

General Information

Sample Name: QgWIrI5nvn (renamed file extension from none to exe)
Analysis ID: 317585
MD5: a527ec7a52e66e6850943b4fa64fa2c3
SHA1: e5fc894131067826297d26b8bdad4aa9895992b1
SHA256: 34f1bf9de98302a9b8b0f8fbd53feec40037696e86b76ae3c019b76e2bdb74de

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["47.36.140.164:80", "169.50.76.149:8080", "162.241.140.129:8080", "104.131.123.136:443", "95.213.236.64:8080", "130.0.132.242:80", "123.176.25.234:80", "46.105.131.79:8080", "157.245.99.39:8080", "79.98.24.39:8080", "49.50.209.131:80", "72.143.73.234:443", "50.91.114.38:80", "89.216.122.92:80", "5.39.91.110:7080", "121.124.124.40:7080", "71.72.196.159:80", "5.196.74.210:8080", "139.162.108.71:8080", "61.19.246.238:443", "91.211.88.52:7080", "120.150.60.189:80", "137.59.187.107:8080", "139.59.60.244:8080", "124.41.215.226:80", "194.187.133.160:443", "50.35.17.13:80", "75.139.38.211:80", "96.249.236.156:443", "78.188.106.53:443", "62.75.141.82:80", "190.108.228.27:443", "218.147.193.146:80", "94.23.237.171:443", "139.162.60.124:8080", "96.245.227.43:80", "174.106.122.139:80", "113.61.66.94:80", "93.147.212.206:80", "203.153.216.189:7080", "104.131.11.150:443", "94.200.114.161:80", "87.106.136.232:8080", "69.206.132.149:80", "172.91.208.86:80", "110.145.77.103:80", "188.219.31.12:80", "71.15.245.148:8080", "121.7.31.214:80", "97.82.79.83:80", "42.200.107.142:80", "185.94.252.104:443", "168.235.67.138:7080", "91.146.156.228:80", "24.137.76.62:80", "87.106.139.101:8080", "5.196.108.189:8080", "194.4.58.192:7080", "110.142.236.207:80", "24.179.13.119:80", "75.143.247.51:80", "172.104.97.173:8080", "216.139.123.119:80", "118.83.154.64:443", "109.74.5.95:8080", "104.131.44.150:8080", "37.139.21.175:8080", "139.99.158.11:443", "220.245.198.194:80", "140.186.212.146:80", "78.24.219.147:8080", "176.111.60.55:8080", "37.187.72.193:8080", "162.241.242.173:8080", "209.141.54.221:8080", "108.46.29.236:80", "103.86.49.11:8080", "174.45.13.118:80", "68.252.26.78:80", "62.30.7.67:443", "134.209.36.254:8080", "120.150.218.241:443", "79.137.83.50:443", "85.25.106.204:8080", "186.74.215.34:80", "80.241.255.202:8080", "24.43.32.186:80", "76.175.162.101:80", 
"190.240.194.77:443", "47.144.21.12:443", "47.36.140.164:80", "169.50.76.149:8080", "162.241.140.129:8080", "104.131.123.136:443", "95.213.236.64:8080", "130.0.132.242:80", "123.176.25.234:80", "46.105.131.79:8080", "157.245.99.39:8080", "79.98.24.39:8080", "49.50.209.131:80", "72.143.73.234:443", "50.91.114.38:80", "89.216.122.92:80", "5.39.91.110:7080", "121.124.124.40:7080", "71.72.196.159:80", "5.196.74.210:8080", "139.162.108.71:8080", "61.19.246.238:443", "91.211.88.52:7080", "120.150.60.189:80", "137.59.187.107:8080", "139.59.60.244:8080", "124.41.215.226:80", "194.187.133.160:443", "50.35.17.13:80", "75.139.38.211:80", "96.249.236.156:443", "78.188.106.53:443", "62.75.141.82:80", "190.108.228.27:443", "218.147.193.146:80", "94.23.237.171:443", "139.162.60.124:8080", "96.245.227.43:80", "174.106.122.139:80", "113.61.66.94:80", "93.147.212.206:80", "203.153.216.189:7080", "104.131.11.150:443", "94.200.114.161:80", "87.106.136.232:8080", "69.206.132.149:80", "172.91.208.86:80", "110.145.77.103:80", "188.219.31.12:80", "71.15.245.148:8080", "121.7.31.214:80", "97.82.79.83:80", "42.200.107.14
Multi AV Scanner detection for submitted file
Source: QgWIrI5nvn.exe Virustotal: Detection: 52%
Source: QgWIrI5nvn.exe Metadefender: Detection: 43%
Source: QgWIrI5nvn.exe ReversingLabs: Detection: 62%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.QgWIrI5nvn.exe.830000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.calc.exe.610000.2.unpack Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00439132 lstrlenA,FindFirstFileA,FindClose, 0_2_00439132
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_008337E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW,FindClose, 0_2_008337E0
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_00439132 lstrlenA,FindFirstFileA,FindClose, 1_2_00439132
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_00437C5A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.5:49720 -> 47.36.140.164:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 47.36.140.164
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CHARTER-20115US
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
POST /BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 47.36.140.164/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=------------------PdiMWQ75Db7NqC2aIJ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 47.36.140.164
Content-Length: 4580
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown HTTP traffic detected:
POST /BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 47.36.140.164/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=------------------PdiMWQ75Db7NqC2aIJ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 47.36.140.164
Content-Length: 4580
Cache-Control: no-cache
Source: calc.exe, 00000001.00000002.507116463.0000000002573000.00000004.00000001.sdmp String found in binary or memory: http://47.36.140.164/BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000003.00000002.508237407.00000202E0E50000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000003.304698673.000001B8A2C49000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000002.304875218.000001B8A2C52000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000003.304698673.000001B8A2C49000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000002.304885191.000001B8A2C61000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen6

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: QgWIrI5nvn.exe, 00000000.00000002.239946887.000000000085A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00432EF6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00432EF6
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0042F52E GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0042F52E
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_00432EF6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_00432EF6
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_0042F52E GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_0042F52E

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506147931.0000000000611000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506045325.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239926495.0000000000831000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.505938111.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239911370.0000000000814000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.QgWIrI5nvn.exe.830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.calc.exe.610000.2.unpack, type: UNPACKEDPE

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe File created: C:\Windows\SysWOW64\udhisapi\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe File deleted: C:\Windows\SysWOW64\udhisapi\calc.exe:Zone.Identifier Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0043456A 0_2_0043456A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040BA2C 0_2_0040BA2C
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040FB95 0_2_0040FB95
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_008381B0 0_2_008381B0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00837DD0 0_2_00837DD0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00836500 0_2_00836500
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00837560 0_2_00837560
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833AF0 0_2_00833AF0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00831C90 0_2_00831C90
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833C10 0_2_00833C10
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833DF0 0_2_00833DF0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833E17 0_2_00833E17
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D90FE 0_2_007D90FE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D809E 0_2_007D809E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D568E 0_2_007D568E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D57AE 0_2_007D57AE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D382E 0_2_007D382E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D996E 0_2_007D996E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D59B5 0_2_007D59B5
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D598E 0_2_007D598E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D9D4E 0_2_007D9D4E
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_0043456A 1_2_0043456A
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_0040BA2C 1_2_0040BA2C
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_0040FB95 1_2_0040FB95
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: String function: 0040D9BC appears 65 times
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: String function: 0040BF04 appears 94 times
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: String function: 0040EFF6 appears 41 times
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: String function: 0040D9BC appears 65 times
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: String function: 0040BF04 appears 94 times
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: String function: 0040EFF6 appears 41 times
Sample file is different than original file name gathered from version info
Source: QgWIrI5nvn.exe Binary or memory string: OriginalFilename vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.240208812.0000000002690000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamexwizard.exej% vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.240663521.0000000002DF0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.240663521.0000000002DF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe, 00000000.00000002.239758680.0000000000489000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameColorBoxSample.EXEV vs QgWIrI5nvn.exe
Source: QgWIrI5nvn.exe Binary or memory string: OriginalFilenameColorBoxSample.EXEV vs QgWIrI5nvn.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winEXE@15/5@0/2
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00409468 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance, 0_2_00409468
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00430785 FindResourceA,LoadResource,LockResource,FreeResource, 0_2_00430785
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00834F20 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap, 0_2_00834F20
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4416:120:WilError_01
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: @u@ 0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: hu@ 0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
Source: QgWIrI5nvn.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: QgWIrI5nvn.exe Virustotal: Detection: 52%
Source: QgWIrI5nvn.exe Metadefender: Detection: 43%
Source: QgWIrI5nvn.exe ReversingLabs: Detection: 62%
Source: unknown Process created: C:\Users\user\Desktop\QgWIrI5nvn.exe 'C:\Users\user\Desktop\QgWIrI5nvn.exe'
Source: unknown Process created: C:\Windows\SysWOW64\udhisapi\calc.exe C:\Windows\SysWOW64\udhisapi\calc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Process created: C:\Windows\SysWOW64\udhisapi\calc.exe C:\Windows\SysWOW64\udhisapi\calc.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Binary string: xwizard.pdb source: QgWIrI5nvn.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0043809A __EH_prolog,LoadLibraryA,GetProcAddress, 0_2_0043809A
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040C244 push eax; retn 0040h 0_2_0040C245
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040D9F7 push ecx; ret 0_2_0040DA07
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040BB40 push eax; ret 0_2_0040BB54
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040BB40 push eax; ret 0_2_0040BB7C
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040BF04 push eax; ret 0_2_0040BF22
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835CA0 push ecx; mov dword ptr [esp], 0000ECEBh 0_2_00835CA1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835CF0 push ecx; mov dword ptr [esp], 0000DEB7h 0_2_00835CF1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835C40 push ecx; mov dword ptr [esp], 00004180h 0_2_00835C41
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835DB0 push ecx; mov dword ptr [esp], 0000F636h 0_2_00835DB1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835D50 push ecx; mov dword ptr [esp], 000097F2h 0_2_00835D51
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835E80 push ecx; mov dword ptr [esp], 00002BE4h 0_2_00835E81
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835EF0 push ecx; mov dword ptr [esp], 000066B1h 0_2_00835EF1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835E10 push ecx; mov dword ptr [esp], 0000AF8Ah 0_2_00835E11
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835E40 push ecx; mov dword ptr [esp], 00002B63h 0_2_00835E41
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835F90 push ecx; mov dword ptr [esp], 0000765Fh 0_2_00835F91
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835F50 push ecx; mov dword ptr [esp], 00000282h 0_2_00835F51
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007E304F push ecx; ret 0_2_007E3062
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007E3646 push ecx; ret 0_2_007E3659
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007DD6DB push ecx; retf 0_2_007DD6F0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D77DE push ecx; mov dword ptr [esp], 00004180h 0_2_007D77DF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D783E push ecx; mov dword ptr [esp], 0000ECEBh 0_2_007D783F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D78EE push ecx; mov dword ptr [esp], 000097F2h 0_2_007D78EF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D788E push ecx; mov dword ptr [esp], 0000DEB7h 0_2_007D788F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D794E push ecx; mov dword ptr [esp], 0000F636h 0_2_007D794F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007DD948 push edi; retf 0_2_007DD94D
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D79DE push ecx; mov dword ptr [esp], 00002B63h 0_2_007D79DF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D79AE push ecx; mov dword ptr [esp], 0000AF8Ah 0_2_007D79AF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D7A1E push ecx; mov dword ptr [esp], 00002BE4h 0_2_007D7A1F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D7AEE push ecx; mov dword ptr [esp], 00000282h 0_2_007D7AEF
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D7A8E push ecx; mov dword ptr [esp], 000066B1h 0_2_007D7A8F
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D7B2E push ecx; mov dword ptr [esp], 0000765Fh 0_2_007D7B2F

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Executable created and started: C:\Windows\SysWOW64\udhisapi\calc.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe PE file moved: C:\Windows\SysWOW64\udhisapi\calc.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe File opened: C:\Windows\SysWOW64\udhisapi\calc.exe:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_004010FA IsIconic, 0_2_004010FA
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00401307 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_00401307
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00404FF9 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00404FF9
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_004010FA IsIconic, 1_2_004010FA
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_00401307 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 1_2_00401307
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_00404FF9 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00404FF9
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap, 0_2_00834F20
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6064 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00439132 lstrlenA,FindFirstFileA,FindClose, 0_2_00439132
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_008337E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW,FindClose, 0_2_008337E0
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_00439132 lstrlenA,FindFirstFileA,FindClose, 1_2_00439132
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040B946 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_0040B946
Source: svchost.exe, 00000003.00000002.508930823.00000202E1061000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000003.00000002.506139904.00000202DB82A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`S
Source: calc.exe, 00000001.00000002.507137958.000000000258A000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.508890012.00000202E104C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.506067661.00000150F8C29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00401014 GetModuleHandleExA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,GetCurrentProcess,VirtualAllocExNuma, 0_2_00401014
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0043809A __EH_prolog,LoadLibraryA,GetProcAddress, 0_2_0043809A
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00834CD0 mov eax, dword ptr fs:[00000030h] 0_2_00834CD0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833DF0 mov eax, dword ptr fs:[00000030h] 0_2_00833DF0
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D0456 mov eax, dword ptr fs:[00000030h] 0_2_007D0456
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D686E mov eax, dword ptr fs:[00000030h] 0_2_007D686E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D095E mov eax, dword ptr fs:[00000030h] 0_2_007D095E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D598E mov eax, dword ptr fs:[00000030h] 0_2_007D598E
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00811030 mov eax, dword ptr fs:[00000030h] 0_2_00811030
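The fs:[30h] reads above are what this signature keys on: on 32-bit Windows fs:[30h] is TEB.ProcessEnvironmentBlock, so each hit is a PEB pointer load. Whether that is anti-debugging depends on what the code does next: reading PEB.BeingDebugged (+2) or NtGlobalFlag (+68h) is a debugger check, while reading PEB.Ldr (+0Ch) is the module-list walk used by code that resolves imports by hand, which fits the LoadLibraryA/GetProcAddress and Ldr* call chains listed above. Note that the functions flagged here sit at 0x7D0xxx and 0x83xxxx, inside the memory regions that matched the Emotet Yara rule further down, not in the packed outer image whose code is at 0x40xxxx. The scanner below is an added example and is not part of the report or of the sandbox signature; it finds the PEB load encodings in a byte string and classifies the eax form by its follow-up instruction. The input blob is constructed for the example.

```python
from typing import Dict, List, Tuple

# 32-bit encodings of "mov <reg32>, dword ptr fs:[30h]". fs:[30h] is
# TEB.ProcessEnvironmentBlock, so every hit is a PEB pointer load. The eax form
# uses the short moffs32 opcode (64 A1 disp32); the other registers use 8B /r
# with a mod=00 rm=101 ModRM byte (disp32, no base register).
FS30_PATTERNS: Dict[bytes, str] = {
    b"\x64\xA1\x30\x00\x00\x00": "mov eax, fs:[30h]",
    b"\x64\x8B\x0D\x30\x00\x00\x00": "mov ecx, fs:[30h]",
    b"\x64\x8B\x15\x30\x00\x00\x00": "mov edx, fs:[30h]",
    b"\x64\x8B\x1D\x30\x00\x00\x00": "mov ebx, fs:[30h]",
    b"\x64\x8B\x35\x30\x00\x00\x00": "mov esi, fs:[30h]",
    b"\x64\x8B\x3D\x30\x00\x00\x00": "mov edi, fs:[30h]",
}
# 64-bit equivalent: the TEB is reached through gs and the PEB pointer is at gs:[60h].
GS60_PATTERNS: Dict[bytes, str] = {
    b"\x65\x48\x8B\x04\x25\x60\x00\x00\x00": "mov rax, gs:[60h]",
}

# What the code does with eax right after the load tells the intent apart.
# Offsets are those of the 32-bit PEB.
FOLLOW_UPS: List[Tuple[bytes, str]] = [
    (b"\x0F\xB6\x40\x02", "BeingDebugged: movzx eax, byte ptr [eax+2]"),
    (b"\x8A\x40\x02", "BeingDebugged: mov al, byte ptr [eax+2]"),
    (b"\x8B\x40\x68", "NtGlobalFlag: mov eax, [eax+68h]"),
    (b"\x8B\x40\x0C", "PEB.Ldr: mov eax, [eax+0Ch] (module walk / manual import resolution)"),
]

EAX_FORM = b"\x64\xA1\x30\x00\x00\x00"


def classify_follow_up(tail: bytes) -> str:
    """Map the bytes following a 'mov eax, fs:[30h]' to the PEB field they read."""
    for pat, meaning in FOLLOW_UPS:
        if tail.startswith(pat):
            return meaning
    return "unclassified"


def scan_peb_access(code: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, instruction, intent) for every PEB pointer load in `code`.

    Intent is only classified for the eax form, whose follow-up encodings are
    fixed; loads into other registers are reported as unclassified.
    """
    hits: List[Tuple[int, str, str]] = []
    for pat, instr in {**FS30_PATTERNS, **GS60_PATTERNS}.items():
        start = 0
        while (idx := code.find(pat, start)) != -1:
            end = idx + len(pat)
            intent = classify_follow_up(code[end:end + 4]) if pat == EAX_FORM else "unclassified"
            hits.append((idx, instr, intent))
            start = idx + 1
    return sorted(hits)


# Constructed 34-byte blob (not taken from the sample): a BeingDebugged check,
# a PEB.Ldr walk, and a PEB load into ecx.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                      # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"          # mov eax, fs:[30h]            (offset 3)
    b"\x0F\xB6\x40\x02"                  # movzx eax, byte ptr [eax+2]  -> BeingDebugged
    b"\x85\xC0\x75\x10"                  # test eax, eax; jnz short
    b"\x64\xA1\x30\x00\x00\x00"          # mov eax, fs:[30h]            (offset 17)
    b"\x8B\x40\x0C"                      # mov eax, [eax+0Ch]           -> PEB.Ldr
    b"\x64\x8B\x0D\x30\x00\x00\x00"      # mov ecx, fs:[30h]            (offset 26)
    b"\xC3"                              # ret
)

if __name__ == "__main__":
    for off, instr, intent in scan_peb_access(SAMPLE_CODE):
        print(f"+0x{off:04x}  {instr:<22} {intent}")
```

Run against a dumped region (for instance the RWX dump at 0x7D0000 listed under the Yara matches) the same function separates the debugger checks from the import-resolution walks that a sandbox signature lumps together.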
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833000 PathFindExtensionW,GetProcessHeap,RtlAllocateHeap, 0_2_00833000
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00413296 SetUnhandledExceptionFilter, 0_2_00413296
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_004132AA SetUnhandledExceptionFilter, 0_2_004132AA
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_00413296 SetUnhandledExceptionFilter, 1_2_00413296
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_004132AA SetUnhandledExceptionFilter, 1_2_004132AA

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Network Connect: 47.36.140.164 80
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: calc.exe, 00000001.00000002.506757193.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
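The signature above fires because the connecting process is named calc.exe, but the path shows it is not the Windows calculator: the genuine binary lives directly in C:\Windows\System32 or C:\Windows\SysWOW64, whereas this one runs from the dropped subdirectory C:\Windows\SysWOW64\udhisapi\ (the same file the "Drops executables to the windows directory (C:\Windows) and starts them" signature refers to). The Shell_TrayWnd and Progman strings are the window class names of the taskbar and the desktop, typically looked up with FindWindow; the report shows them only as strings in memory, so on their own they indicate nothing. The check below is an added example, not from the report: it flags a process whose image name matches a Windows system binary but whose directory is not one of the canonical locations, and correlates that with outbound connections. The event records are constructed from the paths and the endpoint in this report; their layout is an assumption of the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Directories where the real copies of Windows system binaries live (lower-cased).
CANONICAL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}
# Binary names that malware likes to borrow; calc.exe is the one seen in this report.
SYSTEM_BINARY_NAMES = {"calc.exe", "svchost.exe", "conhost.exe", "explorer.exe", "notepad.exe"}


@dataclass
class ProcessEvent:
    """Minimal event record (assumed layout): image path plus an optional destination."""
    image: str
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


def canonical_dir(image: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return str(PureWindowsPath(image).parent).lower()


def is_masquerading_system_binary(image: str) -> bool:
    """True when the file name is a known system binary but the directory is not
    System32 or SysWOW64 itself, e.g. a dropped subfolder such as udhisapi."""
    name = PureWindowsPath(image).name.lower()
    return name in SYSTEM_BINARY_NAMES and canonical_dir(image) not in CANONICAL_DIRS


def find_suspicious_connections(events: List[ProcessEvent]) -> List[str]:
    """Outbound connections made by a masquerading copy of a system binary."""
    findings = []
    for ev in events:
        if ev.dst_ip is None:
            continue
        if is_masquerading_system_binary(ev.image):
            findings.append(
                f"{ev.image} -> {ev.dst_ip}:{ev.dst_port} (system-binary name outside canonical dir)"
            )
    return findings


# Constructed events mirroring this report. The second entry is a control case:
# the genuine SysWOW64 calc.exe making the same connection would not be flagged by
# this check alone.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\udhisapi\calc.exe", "47.36.140.164", 80),
    ProcessEvent(r"C:\Windows\SysWOW64\calc.exe", "47.36.140.164", 80),
    ProcessEvent(r"C:\Users\user\Desktop\QgWIrI5nvn.exe"),
    ProcessEvent(r"C:\Windows\System32\conhost.exe"),
]

if __name__ == "__main__":
    for line in find_suspicious_connections(SAMPLE_EVENTS):
        print(line)
```

The path test is deliberately strict: a system-binary name one directory below System32 or SysWOW64 is never legitimate, so it needs no allow-list, while the control case shows that a connection from the genuine path has to be judged on the destination instead.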

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: GetLocaleInfoA, 0_2_00418EFB
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: GetLocaleInfoA, 0_2_00417285
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 0_2_00419451
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: _strlen,EnumSystemLocalesA, 0_2_0041941A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: _strlen,EnumSystemLocalesA, 0_2_004194D7
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 0_2_0041952C
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 0_2_0041B8CE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 0_2_00455912
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_0041B9FE
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 0_2_0041B98A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 0_2_0041BAB1
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_00401325
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: GetLocaleInfoA, 1_2_00418EFB
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: GetLocaleInfoA, 1_2_00417285
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 1_2_00419451
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: _strlen,EnumSystemLocalesA, 1_2_0041941A
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: _strlen,EnumSystemLocalesA, 1_2_004194D7
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 1_2_0041952C
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 1_2_0041B8CE
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 1_2_00455912
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 1_2_0041B9FE
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 1_2_0041B98A
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 1_2_0041BAB1
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 1_2_00401325
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00412108 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00412108
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0041508B _strlen,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0041508B
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0045851E GetVersion,LoadCursorA,LoadCursorA,LoadCursorA, 0_2_0045851E
Source: C:\Windows\SysWOW64\udhisapi\calc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000A.00000002.505531345.0000020A84813000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.505589116.0000020A8483D000.00000004.00000001.sdmp Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506147931.0000000000611000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506045325.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239926495.0000000000831000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.505938111.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239911370.0000000000814000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.QgWIrI5nvn.exe.830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.calc.exe.610000.2.unpack, type: UNPACKEDPE
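Reading these identifiers decides which dumps to pull for configuration extraction. The leading number is the process index also used in the code-function IDs above (0 = QgWIrI5nvn.exe, 1 = calc.exe), and the fourth field is the base address of the dumped region; the .unpack names carry the image base of the unpacked PE (0x830000 in process 0, 0x610000 in process 1), one page below the 0x831000 and 0x611000 dumps. The fifth field takes only the values 0x40, 0x20, 0x04 and 0x02 in this report, which coincide with the Windows memory protection constants PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_READ, PAGE_READWRITE and PAGE_READONLY; reading the field that way is an assumption of this added example, not something the report states. Under that reading the two RWX regions, 0x7D0000 in the sample and 0x5C0000 in calc.exe, are the payload the loader wrote and then executed, and are the first dumps to open. The parser below is added here and is not part of the report; the fields it does not interpret are carried through unparsed.

```python
import re
from dataclasses import dataclass
from typing import List

# Windows PAGE_* protection constants (winnt.h). Interpreting the fifth field of a
# .sdmp identifier as one of these is an assumption of this example.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}
EXECUTABLE = {0x20, 0x40}

# <process index>.<f2>.<f3>.<base address>.<protection>.<f6>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass
class MemoryDump:
    process_index: int
    base: int
    protection: int
    raw: str

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:02x}")

    @property
    def executable(self) -> bool:
        return self.protection in EXECUTABLE

    @property
    def rwx(self) -> bool:
        # Writable and executable: where a loader writes its unpacked payload.
        return self.protection == 0x40


def parse_dump_name(name: str) -> MemoryDump:
    """Parse one .sdmp identifier; raise ValueError for anything else."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a .sdmp identifier: {name!r}")
    return MemoryDump(int(m["proc"], 16), int(m["base"], 16), int(m["prot"], 16), name)


def triage(yara_sources: List[str]) -> List[MemoryDump]:
    """Yara-matched dumps to open first: the RWX regions, ordered by process and address.
    Non-.sdmp sources (the .unpack PE names) are skipped."""
    dumps = [parse_dump_name(s) for s in yara_sources if s.endswith(".sdmp")]
    return sorted((d for d in dumps if d.rwx), key=lambda d: (d.process_index, d.base))


# The eight sources from the "Yara detected Emotet" list above, as printed in the report.
YARA_SOURCES = [
    "00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp",
    "00000001.00000002.506147931.0000000000611000.00000020.00000001.sdmp",
    "00000001.00000002.506045325.00000000005F4000.00000004.00000001.sdmp",
    "00000000.00000002.239926495.0000000000831000.00000020.00000001.sdmp",
    "00000001.00000002.505938111.00000000005C0000.00000040.00000001.sdmp",
    "00000000.00000002.239911370.0000000000814000.00000004.00000001.sdmp",
    "0.2.QgWIrI5nvn.exe.830000.1.unpack",
    "1.2.calc.exe.610000.2.unpack",
]

if __name__ == "__main__":
    for d in triage(YARA_SOURCES):
        print(f"process {d.process_index}  base 0x{d.base:08x}  {d.protection_name}  {d.raw}")
```

The RW dumps (0x814000, 0x5F4000) are still worth keeping: with the Emotet configuration found by the sandbox, the decrypted C2 list is as likely to sit in a data region as in the executable one.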