Play interactive tourEdit tour

Windows Analysis Report
https://cdn.discordapp.com/attachments/1103880362347728966/1194556396168036373/WuqueID_3.0.msi?ex=65e82756&is=65d5b256&hm=40d79cf272acf64079a5a6013970d8cde7a7166a610a5a4fd4897d1253e580bc&

Overview

General Information

Sample URL:	https://cdn.discordapp.com/attachments/1103880362347728966/1194556396168036373/WuqueID_3.0.msi?ex=65e82756&is=65d5b256&hm=40d79cf272acf64079a5a6013970d8cde7a7166a610a5a4fd4897d1253e580bc&
Analysis ID:	1398368
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Changes security center settings (notifications, updates, antivirus, firewall)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Files With System Process Name In Unsuspected Locations

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates driver files

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

×

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7064, TargetFilename: C:\Program Files (x86)\WuqueStudio\WuqueID\msiexec.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe", EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe, ProcessId: 424, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\App

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6888, ProcessName: svchost.exe

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	ReversingLabs: Detection: 54%
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Virustotal: Detection: 48%			Perma Link

Compliance

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49714 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: MSI8F84.tmp.3.dr, 449e0c.msi.4.dr, chromecache_153.1.dr, MSI9FA0.tmp.4.dr, MSI8EF6.tmp.3.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr, MSIA02E.tmp.4.dr
Source:	Binary string: msiexec.pdb source: msiexec.exe.4.dr
Source:	Binary string: MS_Sans_Serif__8_0VSDCA_FolderForm_AllUsersInstalled="" AND NOT RESUME AND ALLUSERS=1WelcomeForm_NextArgsFolderForm_PrevArgsFolderForm_NextArgsConfirmInstallForm_PrevArgsAdminWelcomeForm_NextArgsAdminFolderForm_PrevArgsAdminFolderForm_NextArgsAdminConfirmInstallForm_PrevArgs_1AC4DA0A7D3EED7999615E5ACA812225{7F4CAD80-DD70-A3B2-87C7-9FC2AE2524E6}C__1AC4DA0A7D3EED7999615E5ACA812225NEWTON~1.XML|Newtonsoft.Json.xml_611CD1259FF9244173023E5AF7F87110{D69153E9-9582-DFE1-9B6B-5782DFB8B4F4}C__611CD1259FF9244173023E5AF7F87110HIDLIB~1.PDB|HidLibrary.pdb_BD877C90970AA9100E0C7F0F15E7D820{FC901E51-B971-EF18-0275-895DB99C96B7}C__BD877C90970AA9100E0C7F0F15E7D820LIBREH~1.PDB|LibreHardwareMonitorLib.pdb_D874BFE48899D575C49DA62E9FCC0B55{478362FE-AADF-D2A9-8284-8E941C16D161}C__D874BFE48899D575C49DA62E9FCC0B55LIBREH~1.XML|LibreHardwareMonitorLib.xml_DBDC3D5F294BC46AC36BCB97C1863469{6BEB42CF-965C-4CB4-D3D3-14B795FE5DC8}C__DBDC3D5F294BC46AC36BCB97C1863469NEWTON~1.PDB|Newtonsoft.Json.pdb_23529296893BF1C104BE8AA7BD439105C__23529296893BF1C104BE8AA7BD439105LIBREH~2.DLL|LibreHardwareMonitorLib.dll_311BEF0DECFFAF3ECA63421B326FFA0BC__311BEF0DECFFAF3ECA63421B326FFA0BHIDLIB~2.DLL|HidLibrary.dll_7E763E4DF963F4CCF2F811F417A3771EC__7E763E4DF963F4CCF2F811F417 source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr
Source:	Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= source: MSI8F84.tmp.3.dr, 449e0c.msi.4.dr, chromecache_153.1.dr, MSI9FA0.tmp.4.dr, MSI8EF6.tmp.3.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr, MSIA02E.tmp.4.dr
Source:	Binary string: Newtonsoft.Json.pdb source: MSIA0BB.tmp.4.dr
Source:	Binary string: NEWTON~1.PDB|Newtonsoft.Json.pdb! source: MSIA0BB.tmp.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\net45\Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll.4.dr
Source:	Binary string: 9C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb source: 449e0b.rbs.4.dr
Source:	Binary string: msiexec.pdbOGPS source: msiexec.exe.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\HidLibrary\src\HidLibrary\obj\Release\net45\HidLibrary.pdb source: WuqueID.exe, WuqueID.exe, 00000014.00000002.2346412006.00000000058D2000.00000002.00000001.01000000.0000000A.sdmp, HidLibrary.dll.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\net45\Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\wuque\obj\Release\WuqueID.pdbC source: WuqueID.exe, 00000011.00000000.1309143888.0000000000402000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.4.dr
Source:	Binary string: (LIBREH~1.PDB|LibreHardwareMonitorLib.pdb!_BD877C90970AA9100E0C7F0F15E7D820 source: MSIA0BB.tmp.4.dr
Source:	Binary string: >C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb source: 449e0b.rbs.4.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WuqueID.sys.20.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb source: MSIA0BB.tmp.4.dr, 449e0b.rbs.4.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb source: MSIA0BB.tmp.4.dr, 449e0b.rbs.4.dr
Source:	Binary string: LibreHardwareMonitorLib.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: &{D69153E9-9582-DFE1-9B6B-5782DFB8B4F4}9C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\LibreHardwareMonitor\LibreHardwareMonitorLib\obj\Release\net472\LibreHardwareMonitorLib.pdbSHA256 source: WuqueID.exe, 00000014.00000002.2348530254.00000000060A2000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.4.dr
Source:	Binary string: &{6BEB42CF-965C-4CB4-D3D3-14B795FE5DC8}>C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: HIDLIB~1.PDB|HidLibrary.pdb!_611CD1259FF9244173023E5AF7F87110 source: MSIA0BB.tmp.4.dr
Source:	Binary string: HidLibrary.pdb source: MSIA0BB.tmp.4.dr
Source:	Binary string: HIDLIB~1.PDB|HidLibrary.pdb! source: MSIA0BB.tmp.4.dr
Source:	Binary string: Newtonsoft.Json.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: HidLibrary.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\LibreHardwareMonitor\LibreHardwareMonitorLib\obj\Release\net472\LibreHardwareMonitorLib.pdb source: WuqueID.exe, WuqueID.exe, 00000014.00000002.2348530254.00000000060A2000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.4.dr
Source:	Binary string: &{FC901E51-B971-EF18-0275-895DB99C96B7}FC:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\HidLibrary\src\HidLibrary\obj\Release\net45\HidLibrary.pdbSHA256 source: WuqueID.exe, 00000014.00000002.2346412006.00000000058D2000.00000002.00000001.01000000.0000000A.sdmp, HidLibrary.dll.4.dr
Source:	Binary string: LibreHardwareMonitorLib.pdb source: MSIA0BB.tmp.4.dr
Source:	Binary string: NEWTON~1.PDB|Newtonsoft.Json.pdb!_DBDC3D5F294BC46AC36BCB97C1863469 source: MSIA0BB.tmp.4.dr
Source:	Binary string: FC:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb source: 449e0b.rbs.4.dr
Source:	Binary string: LIBREH~1.PDB|LibreHardwareMonitorLib.pdb! source: MSIA0BB.tmp.4.dr
Source:	Binary string: C:\Code\src\oss\hidsharp\hid\HidSharp\obj\Release\HidSharp.pdb source: HidSharp.dll.4.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb source: MSIA0BB.tmp.4.dr, 449e0b.rbs.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\wuque\obj\Release\WuqueID.pdb source: WuqueID.exe, 00000011.00000000.1309143888.0000000000402000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.4.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: d:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:			Jump to behavior

Enumerates the file system

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{DAC14A31-0355-4B35-B1E9-8DCCC7FF836C}			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData			Jump to behavior

Networking

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.21.200
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.73
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /attachments/1103880362347728966/1194556396168036373/WuqueID_3.0.msi?ex=65e82756&is=65d5b256&hm=40d79cf272acf64079a5a6013970d8cde7a7166a610a5a4fd4897d1253e580bc& HTTP/1.1Host: cdn.discordapp.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=RpsgCVOa6K5lzWF&MD=a6y7twhY HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=RpsgCVOa6K5lzWF&MD=a6y7twhY HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=LtGInZ4I4WDrCvCHQBVMHOy4a-sqzpSrMO-Rwr8ezStTz_kfoi2bri7uGdXfNvskAEO_Tj5Jkwl0XSN-qA6MYiGShcDB_vNQOl1bpl3aua7gMrDRvWsHLpAuFBlBnNxTMeen95XElzx3r4myG8p8sgSHdx4NBawYGaI5oFn_dZ8

URLs found in memory or binary data

Source: WuqueID.exe, 00000011.00000000.1309143888.0000000000402000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.4.dr	String found in binary or memory: http://api.weatherapi.com/v1/current.json?key=
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: svchost.exe, 00000002.00000002.2339920657.000002628C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: HidSharp.dll.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: HidSharp.dll.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: HidSharp.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: HidSharp.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: WuqueID.sys.20.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WuqueID.sys.20.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WuqueID.sys.20.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WuqueID.sys.20.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: HidSharp.dll.4.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: HidSharp.dll.4.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: svchost.exe, 00000002.00000002.2339920657.000002628C000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.2.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Newtonsoft.Json.dll.4.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, HidSharp.dll.4.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: http://ocsp.sectigo.com00
Source: HidSharp.dll.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: HidSharp.dll.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: HidSharp.dll.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: svchost.exe, 0000000C.00000002.2335516842.000002148E486000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2337774258.000002148ED02000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.12.dr	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: svchost.exe, 00000009.00000002.1368039474.0000019453035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: HidSharp.dll.4.dr	String found in binary or memory: http://www.zer7.com/software/hidsharp
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368125156.0000019453059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000009.00000002.1368144848.0000019453065000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1367276832.0000019453041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1367213323.000001945305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368187482.0000019453081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366998059.0000019453062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000002.1368187482.0000019453081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000003.1366972310.0000019453067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.1366687031.0000019453086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1367213323.000001945305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368039474.0000019453035000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366998059.0000019453062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000003.1366972310.0000019453067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368039474.0000019453035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.1368144848.0000019453065000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368039474.0000019453035000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366998059.0000019453062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000003.1367276832.0000019453041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368064266.0000019453044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.1366998059.0000019453062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.1367334332.0000019453027000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366998059.0000019453062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.1368064266.0000019453044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.1366998059.0000019453062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.1367081089.000001945305E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1367276832.0000019453041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000002.1368187482.0000019453081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366998059.0000019453062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368064266.0000019453044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.1366660079.000001945302A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000009.00000003.1366972310.0000019453067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368039474.0000019453035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000002.00000003.1203370158.000002628BEC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: Newtonsoft.Json.dll.4.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: Newtonsoft.Json.xml.4.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/issues/652
Source: WuqueID.exe, WuqueID.exe, 00000014.00000002.2348530254.00000000060A2000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.4.dr	String found in binary or memory: https://github.com/LibreHardwareMonitor/LibreHardwareMonitor
Source: Newtonsoft.Json.pdb.4.dr	String found in binary or memory: https://raw.githubusercontent.com/JamesNK/Newtonsoft.Json/01e1759cac40d8154e47ed0e11c12a9d42d2d0ff/
Source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 00000009.00000003.1366660079.000001945302A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic
Source: svchost.exe, 00000009.00000003.1366660079.000001945302A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.v0
Source: svchost.exe, 00000009.00000003.1367276832.0000019453041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.1367253324.000001945304A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366660079.000001945302A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1367276832.0000019453041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.1368125156.0000019453059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1367276832.0000019453041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.1368039474.0000019453035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.1366660079.000001945302A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvsx
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.1367137949.0000019453058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368125156.0000019453059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: LibreHardwareMonitorLib.xml.4.dr	String found in binary or memory: https://www.dmtf.org/dsp/DSP0134
Source: LibreHardwareMonitorLib.xml.4.dr	String found in binary or memory: https://www.dmtf.org/standards/smbios
Source: HidSharp.dll.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: HidSharp.dll.4.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: HidSharp.dll.4.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Newtonsoft.Json.dll.4.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Newtonsoft.Json.dll.4.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49714 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Potential key logger detected (key state polling based)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Code function: 20_2_074708A7 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

20_2_074708A7

System Summary

Contains functionality to call native functions

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0606C4C0 NtQuerySystemInformation,		20_2_0606C4C0
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0606B968 NtQuerySystemInformation,		20_2_0606B968
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0606B974 NtQuerySystemInformation,		20_2_0606B974
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0606C65C NtQuerySystemInformation,		20_2_0606C65C
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0606C7D4 NtQuerySystemInformation,		20_2_0606C7D4

Contains functionality to communicate with device drivers

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Code function: 20_2_0603E5C0: DeviceIoControl,

20_2_0603E5C0

Creates driver files

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9FA0.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_058D565B		20_2_058D565B
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_058D5696		20_2_058D5696
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_058D55FA		20_2_058D55FA
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_060A4FAE		20_2_060A4FAE
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0149B6C1		20_2_0149B6C1
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_01497BED		20_2_01497BED
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0603C4E0		20_2_0603C4E0
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06039260		20_2_06039260
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06030040		20_2_06030040
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0603B1C0		20_2_0603B1C0
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06039B30		20_2_06039B30
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06030006		20_2_06030006
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06038F18		20_2_06038F18
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06034AB0		20_2_06034AB0
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0606D020		20_2_0606D020
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0606B082		20_2_0606B082
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06061A78		20_2_06061A78
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06068270		20_2_06068270
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0606D011		20_2_0606D011

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usosvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: updatepolicy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usocoreps.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usoapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dwrite.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: msvcp140_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: d3d9.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: d3d10warp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: atiadlxx.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: nvapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: locationapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: hid.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: devobj.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: locationframeworkps.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wtsapi32.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: winsta.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dataexchange.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: d3d11.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dcomp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dxgi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: resourcepolicyclient.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dxcore.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: msctfui.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: uiautomationcore.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: d3dcompiler_47.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: smphost.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mispace.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sxshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wmiclnt.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wevtapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: virtdisk.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clusapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wmidcom.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wmitomi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fastprox.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cscapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fmifs.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ulib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ifsutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: healthapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: healthapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsp_fs.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sscore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntdsapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsp_sr.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: tdh.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsp_health.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: lfsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: locationframework.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: brokerlib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: locationframeworkps.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: capabilityaccessmanagerclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: locationwinpalmisc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledevicetypes.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mdmcommon.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dwrite.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: msvcp140_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll			Jump to behavior

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Source: WuqueID.sys.20.dr

Binary string: \Device\WinRing0_1_2_0

Classification label

Source: classification engine

Classification label: mal72.evad.win@38/67@8/9

Creates files inside the program directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\WuqueStudio

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\89d3e286-5212-4210-b780-3fee422c49c2.tmp

Jump to behavior

Creates mutexes

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_ISABUS.HTP.Method
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\WuqueID
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_PCI
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_EC
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\RazerReadWriteGuardMutex

Creates temporary files

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI8EF6.tmp

Jump to behavior

Reads ini files

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\svchost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS

Jump to behavior

Sample might require command line arguments

Source: WuqueID.exe	String found in binary or memory: Start/Stop Count
Source: WuqueID.exe	String found in binary or memory: Start/Stop Count

Spawns processes

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1103880362347728966/1194556396168036373/WuqueID_3.0.msi?ex=65e82756&is=65d5b256&hm=40d79cf272acf64079a5a6013970d8cde7a7166a610a5a4fd4897d1253e580bc&
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1916,i,8684459449656122443,9111299645881576453,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Downloads\WuqueID_3.0.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A48BD8E333951F4485D6330C5AD9B382 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C1E1CCC8DEF71D2B0F865629E5F67421
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe "C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe"
Source: unknown	Process created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe "C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s lfsvc
Source: unknown	Process created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe "C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe"
Source: unknown	Process created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe "C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1916,i,8684459449656122443,9111299645881576453,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Downloads\WuqueID_3.0.msi"			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A48BD8E333951F4485D6330C5AD9B382 C			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C1E1CCC8DEF71D2B0F865629E5F67421			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Windows shortcut file (LNK) contains relative path

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: WuqueID.lnk.4.dr	LNK file: ..\..\..\Installer\{DAC14A31-0355-4B35-B1E9-8DCCC7FF836C}\_98391D29E30AFDF3318049.exe
Source: WuqueID.lnk0.4.dr	LNK file: ..\AppData\Roaming\Microsoft\Installer\{DAC14A31-0355-4B35-B1E9-8DCCC7FF836C}\_90690589263367227668A7.exe
Source: uninstall.lnk.4.dr	LNK file: ..\..\..\Users\user\AppData\Roaming\Microsoft\Installer\{DAC14A31-0355-4B35-B1E9-8DCCC7FF836C}\_E5F2A62A45205F7D39A633.exe

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: MSI8F84.tmp.3.dr, 449e0c.msi.4.dr, chromecache_153.1.dr, MSI9FA0.tmp.4.dr, MSI8EF6.tmp.3.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr, MSIA02E.tmp.4.dr
Source:	Binary string: msiexec.pdb source: msiexec.exe.4.dr
Source:	Binary string: MS_Sans_Serif__8_0VSDCA_FolderForm_AllUsersInstalled="" AND NOT RESUME AND ALLUSERS=1WelcomeForm_NextArgsFolderForm_PrevArgsFolderForm_NextArgsConfirmInstallForm_PrevArgsAdminWelcomeForm_NextArgsAdminFolderForm_PrevArgsAdminFolderForm_NextArgsAdminConfirmInstallForm_PrevArgs_1AC4DA0A7D3EED7999615E5ACA812225{7F4CAD80-DD70-A3B2-87C7-9FC2AE2524E6}C__1AC4DA0A7D3EED7999615E5ACA812225NEWTON~1.XML|Newtonsoft.Json.xml_611CD1259FF9244173023E5AF7F87110{D69153E9-9582-DFE1-9B6B-5782DFB8B4F4}C__611CD1259FF9244173023E5AF7F87110HIDLIB~1.PDB|HidLibrary.pdb_BD877C90970AA9100E0C7F0F15E7D820{FC901E51-B971-EF18-0275-895DB99C96B7}C__BD877C90970AA9100E0C7F0F15E7D820LIBREH~1.PDB|LibreHardwareMonitorLib.pdb_D874BFE48899D575C49DA62E9FCC0B55{478362FE-AADF-D2A9-8284-8E941C16D161}C__D874BFE48899D575C49DA62E9FCC0B55LIBREH~1.XML|LibreHardwareMonitorLib.xml_DBDC3D5F294BC46AC36BCB97C1863469{6BEB42CF-965C-4CB4-D3D3-14B795FE5DC8}C__DBDC3D5F294BC46AC36BCB97C1863469NEWTON~1.PDB|Newtonsoft.Json.pdb_23529296893BF1C104BE8AA7BD439105C__23529296893BF1C104BE8AA7BD439105LIBREH~2.DLL|LibreHardwareMonitorLib.dll_311BEF0DECFFAF3ECA63421B326FFA0BC__311BEF0DECFFAF3ECA63421B326FFA0BHIDLIB~2.DLL|HidLibrary.dll_7E763E4DF963F4CCF2F811F417A3771EC__7E763E4DF963F4CCF2F811F417 source: 449e0c.msi.4.dr, chromecache_153.1.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr
Source:	Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= source: MSI8F84.tmp.3.dr, 449e0c.msi.4.dr, chromecache_153.1.dr, MSI9FA0.tmp.4.dr, MSI8EF6.tmp.3.dr, 449e0a.msi.4.dr, Unconfirmed 278968.crdownload.0.dr, MSIA02E.tmp.4.dr
Source:	Binary string: Newtonsoft.Json.pdb source: MSIA0BB.tmp.4.dr
Source:	Binary string: NEWTON~1.PDB|Newtonsoft.Json.pdb! source: MSIA0BB.tmp.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\net45\Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll.4.dr
Source:	Binary string: 9C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb source: 449e0b.rbs.4.dr
Source:	Binary string: msiexec.pdbOGPS source: msiexec.exe.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\HidLibrary\src\HidLibrary\obj\Release\net45\HidLibrary.pdb source: WuqueID.exe, WuqueID.exe, 00000014.00000002.2346412006.00000000058D2000.00000002.00000001.01000000.0000000A.sdmp, HidLibrary.dll.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\net45\Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\wuque\obj\Release\WuqueID.pdbC source: WuqueID.exe, 00000011.00000000.1309143888.0000000000402000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.4.dr
Source:	Binary string: (LIBREH~1.PDB|LibreHardwareMonitorLib.pdb!_BD877C90970AA9100E0C7F0F15E7D820 source: MSIA0BB.tmp.4.dr
Source:	Binary string: >C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb source: 449e0b.rbs.4.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WuqueID.sys.20.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb source: MSIA0BB.tmp.4.dr, 449e0b.rbs.4.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb source: MSIA0BB.tmp.4.dr, 449e0b.rbs.4.dr
Source:	Binary string: LibreHardwareMonitorLib.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: &{D69153E9-9582-DFE1-9B6B-5782DFB8B4F4}9C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\LibreHardwareMonitor\LibreHardwareMonitorLib\obj\Release\net472\LibreHardwareMonitorLib.pdbSHA256 source: WuqueID.exe, 00000014.00000002.2348530254.00000000060A2000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.4.dr
Source:	Binary string: &{6BEB42CF-965C-4CB4-D3D3-14B795FE5DC8}>C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: HIDLIB~1.PDB|HidLibrary.pdb!_611CD1259FF9244173023E5AF7F87110 source: MSIA0BB.tmp.4.dr
Source:	Binary string: HidLibrary.pdb source: MSIA0BB.tmp.4.dr
Source:	Binary string: HIDLIB~1.PDB|HidLibrary.pdb! source: MSIA0BB.tmp.4.dr
Source:	Binary string: Newtonsoft.Json.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: HidLibrary.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\LibreHardwareMonitor\LibreHardwareMonitorLib\obj\Release\net472\LibreHardwareMonitorLib.pdb source: WuqueID.exe, WuqueID.exe, 00000014.00000002.2348530254.00000000060A2000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.4.dr
Source:	Binary string: &{FC901E51-B971-EF18-0275-895DB99C96B7}FC:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb@ source: MSIA0BB.tmp.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\HidLibrary\src\HidLibrary\obj\Release\net45\HidLibrary.pdbSHA256 source: WuqueID.exe, 00000014.00000002.2346412006.00000000058D2000.00000002.00000001.01000000.0000000A.sdmp, HidLibrary.dll.4.dr
Source:	Binary string: LibreHardwareMonitorLib.pdb source: MSIA0BB.tmp.4.dr
Source:	Binary string: NEWTON~1.PDB|Newtonsoft.Json.pdb!_DBDC3D5F294BC46AC36BCB97C1863469 source: MSIA0BB.tmp.4.dr
Source:	Binary string: FC:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb source: 449e0b.rbs.4.dr
Source:	Binary string: LIBREH~1.PDB|LibreHardwareMonitorLib.pdb! source: MSIA0BB.tmp.4.dr
Source:	Binary string: C:\Code\src\oss\hidsharp\hid\HidSharp\obj\Release\HidSharp.pdb source: HidSharp.dll.4.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb source: MSIA0BB.tmp.4.dr, 449e0b.rbs.4.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\wuque\obj\Release\WuqueID.pdb source: WuqueID.exe, 00000011.00000000.1309143888.0000000000402000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.4.dr

Data Obfuscation

Binary contains a suspicious time stamp

Source: msiexec.exe.4.dr

Static PE information: 0x7BF1D0D7 [Fri Nov 23 15:40:07 2035 UTC]

PE file contains sections with non-standard names

Source: msiexec.exe.4.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_058D5AF7 push ss; iretd		20_2_058D5AF8
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_014936D7 push ebx; iretd		20_2_014936DA
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06030641 push es; ret		20_2_06030650
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0603C1A0 push es; iretd		20_2_0603C1BC
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0603BD11 pushad ; iretd		20_2_0603BD1D
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0603CDF3 push esp; iretd		20_2_0603CDFD
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0603DB50 push eax; retf		20_2_0603DB5D
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0603F971 push es; ret		20_2_0603F980
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_0603F99C push es; ret		20_2_0603F980
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_06066474 push ebx; retf		20_2_0606647C
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_060642B4 push ebx; retf		20_2_060642BC
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_07473535 push edi; iretd		20_2_07473532
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 20_2_074734C5 push edi; iretd		20_2_07473532

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys			Jump to behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\HidSharp.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\System.Net.Http.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8F84.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FA0.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA02E.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\msiexec.exe			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8EF6.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.dll			Jump to dropped file
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FA0.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA02E.tmp			Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WuqueID.lnk			Jump to behavior

Creates an autostart registry key

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run App			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run App			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	System information queried: FirmwareTableInformation			Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Memory allocated: 1470000 memory reserve | memory write watch			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Memory allocated: 2E50000 memory reserve | memory write watch			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Memory allocated: 14B0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Memory allocated: 26C0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Memory allocated: 2910000 memory reserve | memory write watch			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Memory allocated: 2730000 memory reserve | memory write watch			Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe	File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Window / User API: threadDelayed 432			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Window / User API: threadDelayed 1429			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\HidSharp.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\System.Net.Http.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9FA0.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8F84.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA02E.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\msiexec.exe			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8EF6.tmp			Jump to dropped file
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 7000	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 4300	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 1836	Thread sleep time: -241000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 3932	Thread sleep time: -252000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 1836	Thread sleep time: -1429000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 3504	Thread sleep time: -227000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 6176	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Checks the free space of harddrives

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Enumerates the file system

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{DAC14A31-0355-4B35-B1E9-8DCCC7FF836C}			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: svchost.exe, 00000015.00000002.2335197979.0000013640250000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.ObjectId("{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: svchost.exe, 00000015.00000002.2334437123.0000013640213000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @path"\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: WuqueID.exe, 00000014.00000002.2334001041.000000000106D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.ExecQuery(ASSOCIATORS OF {MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11\WMI.ExecQuery(SELECT * FROM Win32_DiskDrive);
Source: svchost.exe, 0000000B.00000002.2336444082.000001BDAF464000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 00000015.00000002.2336018849.0000013640296000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @{a33c734b-61ca-11ee-8c18-806e6f6e6963}DI\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000015.00000003.1349516043.000001364051C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.1349516043.0000013640535000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2336018849.00000136402A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.1348396787.0000013640502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringDescriptionLocation contains the PnP location path of the disk. The format of this string depends on the bus type. If the bus type is SCSI, SAS, or PCI RAID, the format is <AdapterPnpLocationPath>#<BusType>(P<PathId>T<TargetId>L<LunId>). If the bus type is IDE, ATA, PATA, or SATA, the format is <AdapterPnpLocationPath>#<BusType>(C<PathId>T<TargetId>L<LunId>). For example, a SCSI location may look like: PCIROOT(0)#PCI(1C00)#PCI(0000)#SCSI(P00T01L01). Note: For Hyper-V and VHD images, this member is NULL because the virtual controller does not return the location path.LogicalSectorSize
Source: svchost.exe, 00000002.00000002.2337027677.0000026286A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2340348665.000002628C06B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2340647973.000002628C071000.00000004.00000020.00020000.00000000.sdmp, WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisksk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"1efb8b}\""
Source: svchost.exe, 00000015.00000003.1348565692.0000013640502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000015.00000003.1348534842.000001364050A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000015.00000003.1348614981.000001364041A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\user-PC\root\Microsoft\Windows\Storage:MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""Xh
Source: svchost.exe, 00000015.00000003.1348534842.0000013640502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000015.00000002.2337856830.0000013640402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000015.00000002.2335197979.0000013640250000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}US
Source: svchost.exe, 00000015.00000002.2337041771.00000136402DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000015.00000002.2335197979.0000013640250000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.Path("\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: svchost.exe, 00000015.00000002.2337041771.00000136402D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .@VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 00000015.00000002.2337041771.00000136402D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 n-@6
Source: svchost.exe, 00000015.00000002.2336018849.0000013640296000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000015.00000002.2335547372.0000013640267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: WuqueID.exe, 00000014.00000002.2334001041.000000000106D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.ExecQuery(ASSOCIATORS OF {MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11
Source: svchost.exe, 00000015.00000002.2335547372.0000013640267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}temD
Source: svchost.exe, 00000015.00000002.2337041771.00000136402D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device"
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\user-PC\root\Microsoft\Windows\Storage:MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""t
Source: svchost.exe, 00000015.00000002.2334437123.0000013640213000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sociators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDiskca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_VirtualDiskToDiskO
Source: svchost.exe, 00000015.00000002.2336767181.00000136402B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"`
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDiskca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_VirtualDiskToDisk
Source: svchost.exe, 00000015.00000002.2337041771.00000136402D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000r32
Source: svchost.exe, 00000015.00000002.2337041771.00000136402DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: objectid"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:di:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\user-PC\root\Microsoft\Windows\Storage:MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""
Source: svchost.exe, 00000015.00000002.2334437123.0000013640213000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}WSH;
Source: svchost.exe, 00000015.00000002.2337041771.00000136402D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASSOCIATORS OF {MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_VirtualDiskToDisk1
Source: svchost.exe, 00000015.00000002.2334696672.000001364022B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l\v
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 0000000B.00000002.2335487677.000001BDAF424000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000015.00000002.2335547372.0000013640267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}9&
Source: svchost.exe, 00000015.00000003.1349516043.000001364051C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.1349516043.0000013640535000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2336018849.00000136402A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.1348396787.0000013640502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Location contains the PnP location path of the disk. The format of this string depends on the bus type. If the bus type is SCSI, SAS, or PCI RAID, the format is <AdapterPnpLocationPath>#<BusType>(P<PathId>T<TargetId>L<LunId>). If the bus type is IDE, ATA, PATA, or SATA, the format is <AdapterPnpLocationPath>#<BusType>(C<PathId>T<TargetId>L<LunId>). For example, a SCSI location may look like: PCIROOT(0)#PCI(1C00)#PCI(0000)#SCSI(P00T01L01). Note: For Hyper-V and VHD images, this member is NULL because the virtual controller does not return the location path.
Source: svchost.exe, 00000015.00000002.2337041771.00000136402DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "@SetPropValue.Path("\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASSOCIATORS OF {MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_VirtualDiskToDiskV
Source: svchost.exe, 0000000B.00000002.2334812596.000001BDAF402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: WuqueID.exe, 00000014.00000002.2346876092.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_Disk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"6000C29CBCCEB42671D1430C5A2A776C\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0rfvgqg htgrhqujcmoh6000c29cbcceb42671d1430c5a2a776c2.0 rfvgqg htgrhqujcmoh
Source: svchost.exe, 00000015.00000002.2337041771.00000136402DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SetPropValue.Path("\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: svchost.exe, 00000015.00000002.2335547372.0000013640267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000015.00000002.2334437123.0000013640213000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: alue.ObjectId("{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: svchost.exe, 00000015.00000003.1349702499.0000013640539000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WSP_Disk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6000C29CBCCEB42671D1430C5A2A776C\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0rfvgqg htgrhqujcmoh6000c29cbcceb42671d1430c5a2a776c2.0 rfvgqg htgrhqujcmoh
Source: svchost.exe, 0000000B.00000002.2335870609.000001BDAF44B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000015.00000002.2337041771.00000136402DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *@objectid"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:di:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000015.00000002.2334152325.0000013640210000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Queries a list of all running processes

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Enables debug privileges

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Code function: 20_2_06142F40 cpuid

20_2_06142F40

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Device\v4.0_4.0.0.0__b77a5c561934e089\System.Device.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000010.00000002.2337485598.0000024077702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.2337485598.0000024077702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct