Play interactive tourEdit tour

Windows Analysis Report
https://cdn.discordapp.com/attachments/1103880362347728966/1173825851121471628/WuqueID_2.2.msi?ex=65e69083&is=65d41b83&hm=ca02fcdde083740db41bbb41c5713bf277b51639f2793ea4e9b12a6ef64137df&

Overview

General Information

Sample URL:	https://cdn.discordapp.com/attachments/1103880362347728966/1173825851121471628/WuqueID_2.2.msi?ex=65e69083&is=65d41b83&hm=ca02fcdde083740db41bbb41c5713bf277b51639f2793ea4e9b12a6ef64137df&
Analysis ID:	1398370
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Changes security center settings (notifications, updates, antivirus, firewall)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Files With System Process Name In Unsuspected Locations

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to read device registry values (via SetupAPI)

Contains long sleeps (>= 3 min)

Creates driver files

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

×

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7076, TargetFilename: C:\Program Files (x86)\WuqueStudio\WuqueID\msiexec.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe", EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe, ProcessId: 6160, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\App

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6816, ProcessName: svchost.exe

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

ReversingLabs: Detection: 58%

Compliance

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49711 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: 6ebf82.msi.3.dr, MSIC165.tmp.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr, MSIB8E9.tmp.2.dr, MSIC0F7.tmp.3.dr, MSIB85C.tmp.2.dr
Source:	Binary string: msiexec.pdb source: msiexec.exe.3.dr
Source:	Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= source: 6ebf82.msi.3.dr, MSIC165.tmp.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr, MSIB8E9.tmp.2.dr, MSIC0F7.tmp.3.dr, MSIB85C.tmp.2.dr
Source:	Binary string: Newtonsoft.Json.pdb source: MSIC1E3.tmp.3.dr
Source:	Binary string: NEWTON~1.PDB|Newtonsoft.Json.pdb! source: MSIC1E3.tmp.3.dr
Source:	Binary string: msiexec.pdbOGPS source: msiexec.exe.3.dr
Source:	Binary string: 9C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb source: 6ebf81.rbs.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\HidLibrary\src\HidLibrary\obj\Release\net45\HidLibrary.pdb source: WuqueID.exe, WuqueID.exe, 00000013.00000002.2341095368.0000000005D02000.00000002.00000001.01000000.0000000A.sdmp, HidLibrary.dll.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\net45\Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\wuque\obj\Release\WuqueID.pdbC source: WuqueID.exe, 0000000D.00000000.1271939149.0000000000D02000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.3.dr
Source:	Binary string: (LIBREH~1.PDB|LibreHardwareMonitorLib.pdb!_BD877C90970AA9100E0C7F0F15E7D820 source: MSIC1E3.tmp.3.dr
Source:	Binary string: >C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb source: 6ebf81.rbs.3.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb source: MSIC1E3.tmp.3.dr, 6ebf81.rbs.3.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WuqueID.sys.19.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb source: MSIC1E3.tmp.3.dr, 6ebf81.rbs.3.dr
Source:	Binary string: LibreHardwareMonitorLib.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: &{D69153E9-9582-DFE1-9B6B-5782DFB8B4F4}9C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\LibreHardwareMonitor\LibreHardwareMonitorLib\obj\Release\net472\LibreHardwareMonitorLib.pdbSHA256 source: WuqueID.exe, 00000013.00000002.2341290551.0000000005D92000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.3.dr
Source:	Binary string: &{6BEB42CF-965C-4CB4-D3D3-14B795FE5DC8}>C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: HIDLIB~1.PDB|HidLibrary.pdb!_611CD1259FF9244173023E5AF7F87110 source: MSIC1E3.tmp.3.dr
Source:	Binary string: HidLibrary.pdb source: MSIC1E3.tmp.3.dr
Source:	Binary string: HIDLIB~1.PDB|HidLibrary.pdb! source: MSIC1E3.tmp.3.dr
Source:	Binary string: Newtonsoft.Json.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: HidLibrary.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\LibreHardwareMonitor\LibreHardwareMonitorLib\obj\Release\net472\LibreHardwareMonitorLib.pdb source: WuqueID.exe, WuqueID.exe, 00000013.00000002.2341290551.0000000005D92000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.3.dr
Source:	Binary string: &{FC901E51-B971-EF18-0275-895DB99C96B7}FC:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\HidLibrary\src\HidLibrary\obj\Release\net45\HidLibrary.pdbSHA256 source: WuqueID.exe, 00000013.00000002.2341095368.0000000005D02000.00000002.00000001.01000000.0000000A.sdmp, HidLibrary.dll.3.dr
Source:	Binary string: LibreHardwareMonitorLib.pdb source: MSIC1E3.tmp.3.dr
Source:	Binary string: NEWTON~1.PDB|Newtonsoft.Json.pdb!_DBDC3D5F294BC46AC36BCB97C1863469 source: MSIC1E3.tmp.3.dr
Source:	Binary string: FC:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb source: 6ebf81.rbs.3.dr
Source:	Binary string: LIBREH~1.PDB|LibreHardwareMonitorLib.pdb! source: MSIC1E3.tmp.3.dr
Source:	Binary string: MS_Sans_Serif__8_0VSDCA_FolderForm_AllUsersInstalled="" AND NOT RESUME AND ALLUSERS=1WelcomeForm_NextArgsFolderForm_PrevArgsFolderForm_NextArgsConfirmInstallForm_PrevArgsAdminWelcomeForm_NextArgsAdminFolderForm_PrevArgsAdminFolderForm_NextArgsAdminConfirmInstallForm_PrevArgs_1AC4DA0A7D3EED7999615E5ACA812225{7F4CAD80-DD70-A3B2-87C7-9FC2AE2524E6}C__1AC4DA0A7D3EED7999615E5ACA812225NEWTON~1.XML|Newtonsoft.Json.xml_611CD1259FF9244173023E5AF7F87110{D69153E9-9582-DFE1-9B6B-5782DFB8B4F4}C__611CD1259FF9244173023E5AF7F87110HIDLIB~1.PDB|HidLibrary.pdb_BD877C90970AA9100E0C7F0F15E7D820{FC901E51-B971-EF18-0275-895DB99C96B7}C__BD877C90970AA9100E0C7F0F15E7D820LIBREH~1.PDB|LibreHardwareMonitorLib.pdb_D874BFE48899D575C49DA62E9FCC0B55{478362FE-AADF-D2A9-8284-8E941C16D161}C__D874BFE48899D575C49DA62E9FCC0B55LIBREH~1.XML|LibreHardwareMonitorLib.xml_DBDC3D5F294BC46AC36BCB97C1863469{6BEB42CF-965C-4CB4-D3D3-14B795FE5DC8}C__DBDC3D5F294BC46AC36BCB97C1863469NEWTON~1.PDB|Newtonsoft.Json.pdb_23529296893BF1C104BE8AA7BD439105C__23529296893BF1C104BE8AA7BD439105LIBREH~2.DLL|LibreHardwareMonitorLib.dll_311BEF0DECFFAF3ECA63421B326FFA0BC__311BEF0DECFFAF3ECA63421B326FFA0BHIDLIB~2.DLL|HidLibrary.dll_7E763E4DF963F4CCF2F811F417A3771EC__7E763E4DF963F4CCF2F811F4 source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr
Source:	Binary string: C:\Code\src\oss\hidsharp\hid\HidSharp\obj\Release\HidSharp.pdb source: HidSharp.dll.3.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb source: MSIC1E3.tmp.3.dr, 6ebf81.rbs.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\net45\Newtonsoft.Json.pdbSHA256Q source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\wuque\obj\Release\WuqueID.pdb source: WuqueID.exe, 0000000D.00000000.1271939149.0000000000D02000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.3.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: d:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:			Jump to behavior

Enumerates the file system

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{A1DE3274-DFFE-4F46-BBF5-10AD26600017}			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData			Jump to behavior

Networking

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.21.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.46
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.46
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.46
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.46
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /attachments/1103880362347728966/1173825851121471628/WuqueID_2.2.msi?ex=65e69083&is=65d41b83&hm=ca02fcdde083740db41bbb41c5713bf277b51639f2793ea4e9b12a6ef64137df& HTTP/1.1Host: cdn.discordapp.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ZCLRHV6XlAOsvo2&MD=TfGr4z5G HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ZCLRHV6XlAOsvo2&MD=TfGr4z5G HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=LtGInZ4I4WDrCvCHQBVMHOy4a-sqzpSrMO-Rwr8ezStTz_kfoi2bri7uGdXfNvskAEO_Tj5Jkwl0XSN-qA6MYiGShcDB_vNQOl1bpl3aua7gMrDRvWsHLpAuFBlBnNxTMeen95XElzx3r4myG8p8sgSHdx4NBawYGaI5oFn_dZ8

URLs found in memory or binary data

Source: WuqueID.exe, 0000000D.00000000.1271939149.0000000000D02000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.3.dr	String found in binary or memory: http://api.weatherapi.com/v1/current.json?key=
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: svchost.exe, 00000005.00000002.2336092458.0000023D11000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: HidSharp.dll.3.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: HidSharp.dll.3.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: HidSharp.dll.3.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: HidSharp.dll.3.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: WuqueID.sys.19.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WuqueID.sys.19.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WuqueID.sys.19.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WuqueID.sys.19.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: HidSharp.dll.3.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: HidSharp.dll.3.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: svchost.exe, 00000005.00000002.2337006014.0000023D11066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: 6ebf82.msi.3.dr, HidSharp.dll.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: http://ocsp.sectigo.com00
Source: HidSharp.dll.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: HidSharp.dll.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: HidSharp.dll.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: svchost.exe, 00000009.00000002.1367520017.000001FCD3624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: HidSharp.dll.3.dr	String found in binary or memory: http://www.zer7.com/software/hidsharp
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1367720166.000001FCD3659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000009.00000003.1366582282.000001FCD366C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1367770868.000001FCD3672000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366817712.000001FCD365A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366700985.000001FCD365F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366650657.000001FCD3662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.1366582282.000001FCD366C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1367770868.000001FCD3674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000003.1366615064.000001FCD3667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.1366582282.000001FCD366C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.1367520017.000001FCD3624000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366817712.000001FCD365A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366650657.000001FCD3662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.1367520017.000001FCD3624000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366615064.000001FCD3667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.1367520017.000001FCD3624000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1367745211.000001FCD3665000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366650657.000001FCD3662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000003.1366868935.000001FCD3641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1367646233.000001FCD3644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.1366650657.000001FCD3662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.1366905281.000001FCD3631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.1367646233.000001FCD3644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.1366650657.000001FCD3662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.1366868935.000001FCD3641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366700985.000001FCD365F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.1366905281.000001FCD3631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.1367520017.000001FCD3624000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366615064.000001FCD3667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000005.00000003.1203516923.0000023D10E82000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: Newtonsoft.Json.xml.3.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/issues/652
Source: WuqueID.exe, WuqueID.exe, 00000013.00000002.2341290551.0000000005D92000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.3.dr	String found in binary or memory: https://github.com/LibreHardwareMonitor/LibreHardwareMonitor
Source: Newtonsoft.Json.pdb.3.dr	String found in binary or memory: https://raw.githubusercontent.com/JamesNK/Newtonsoft.Json/01e1759cac40d8154e47ed0e11c12a9d42d2d0ff/
Source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 00000009.00000003.1366868935.000001FCD3641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.1366834474.000001FCD364A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.1367720166.000001FCD3659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1367556064.000001FCD363D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1366905281.000001FCD3631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.1366732800.000001FCD365D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.1367520017.000001FCD3624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.1366748028.000001FCD3658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1367720166.000001FCD3659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: LibreHardwareMonitorLib.xml.3.dr	String found in binary or memory: https://www.dmtf.org/dsp/DSP0134
Source: LibreHardwareMonitorLib.xml.3.dr	String found in binary or memory: https://www.dmtf.org/standards/smbios
Source: HidSharp.dll.3.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: HidSharp.dll.3.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: HidSharp.dll.3.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Newtonsoft.Json.xml.3.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Potential key logger detected (key state polling based)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Code function: 19_2_077A08A7 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

19_2_077A08A7

System Summary

Abnormal high CPU Usage

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Process Stats: CPU usage > 24%

Contains functionality to communicate with device drivers

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Code function: 19_2_06A202F4: DeviceIoControl,

19_2_06A202F4

Creates driver files

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\6ebf80.msi

Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIC0F7.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_05D05696		19_2_05D05696
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_05D0565B		19_2_05D0565B
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_05D055FA		19_2_05D055FA
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_05D94FAE		19_2_05D94FAE
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_0170B6C1		19_2_0170B6C1
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_01707BED		19_2_01707BED
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_06A26B09		19_2_06A26B09
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_06A26B18		19_2_06A26B18

Tries to load missing DLLs

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usosvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: updatepolicy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usocoreps.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usoapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dwrite.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: msvcp140_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: d3d9.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: d3d10warp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: atiadlxx.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: nvapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: locationapi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: hid.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: devobj.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: locationframeworkps.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: wtsapi32.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: winsta.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dataexchange.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: d3d11.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dcomp.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dxgi.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: resourcepolicyclient.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: dxcore.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: msctfui.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: uiautomationcore.dll			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Section loaded: d3dcompiler_47.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: smphost.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mispace.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sxshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wmiclnt.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wevtapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: virtdisk.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clusapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wmidcom.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wmitomi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fastprox.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cscapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fmifs.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ulib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ifsutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: healthapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: healthapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsp_fs.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sscore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntdsapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsp_sr.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: tdh.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsp_health.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: lfsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: locationframework.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: brokerlib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: locationframeworkps.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: capabilityaccessmanagerclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: locationwinpalmisc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledevicetypes.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mdmcommon.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll			Jump to behavior

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Source: WuqueID.sys.19.dr

Binary string: \Device\WinRing0_1_2_0

Classification label

Source: classification engine

Classification label: mal72.evad.win@35/66@8/7

Creates files inside the program directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\WuqueStudio

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\ac61b8d3-8a4e-4d3d-b304-c6db20d81988.tmp

Jump to behavior

Creates mutexes

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: NULL
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_ISABUS.HTP.Method
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3968:120:WilError_03
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\WuqueID
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_PCI
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_EC
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\RazerReadWriteGuardMutex

Creates temporary files

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIB85C.tmp

Jump to behavior

Reads ini files

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Sample might require command line arguments

Source: WuqueID.exe	String found in binary or memory: Start/Stop Count
Source: WuqueID.exe	String found in binary or memory: Start/Stop Count

Spawns processes

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1103880362347728966/1173825851121471628/WuqueID_2.2.msi?ex=65e69083&is=65d41b83&hm=ca02fcdde083740db41bbb41c5713bf277b51639f2793ea4e9b12a6ef64137df&
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1956,i,3282380040631421609,15645620257267596017,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Downloads\WuqueID_2.2.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 40A8312AD040F40B26F750F4ACC9A5B2 C
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 40AF3798B59B6ABE21D851566470F213
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown	Process created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe "C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe "C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s lfsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1956,i,3282380040631421609,15645620257267596017,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Downloads\WuqueID_2.2.msi"			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 40A8312AD040F40B26F750F4ACC9A5B2 C			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 40AF3798B59B6ABE21D851566470F213			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Windows shortcut file (LNK) contains relative path

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: WuqueID.lnk.3.dr	LNK file: ..\..\..\Installer\{A1DE3274-DFFE-4F46-BBF5-10AD26600017}\_8DBF24F4AD3FB1A114F3D0.exe
Source: WuqueID.lnk0.3.dr	LNK file: ..\AppData\Roaming\Microsoft\Installer\{A1DE3274-DFFE-4F46-BBF5-10AD26600017}\_0B6BCD2EA651722588B8FE.exe
Source: uninstall.lnk.3.dr	LNK file: ..\..\..\Users\user\AppData\Roaming\Microsoft\Installer\{A1DE3274-DFFE-4F46-BBF5-10AD26600017}\_EF4D97BA55347FF55E9B54.exe

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: 6ebf82.msi.3.dr, MSIC165.tmp.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr, MSIB8E9.tmp.2.dr, MSIC0F7.tmp.3.dr, MSIB85C.tmp.2.dr
Source:	Binary string: msiexec.pdb source: msiexec.exe.3.dr
Source:	Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= source: 6ebf82.msi.3.dr, MSIC165.tmp.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr, MSIB8E9.tmp.2.dr, MSIC0F7.tmp.3.dr, MSIB85C.tmp.2.dr
Source:	Binary string: Newtonsoft.Json.pdb source: MSIC1E3.tmp.3.dr
Source:	Binary string: NEWTON~1.PDB|Newtonsoft.Json.pdb! source: MSIC1E3.tmp.3.dr
Source:	Binary string: msiexec.pdbOGPS source: msiexec.exe.3.dr
Source:	Binary string: 9C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb source: 6ebf81.rbs.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\HidLibrary\src\HidLibrary\obj\Release\net45\HidLibrary.pdb source: WuqueID.exe, WuqueID.exe, 00000013.00000002.2341095368.0000000005D02000.00000002.00000001.01000000.0000000A.sdmp, HidLibrary.dll.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\net45\Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\wuque\obj\Release\WuqueID.pdbC source: WuqueID.exe, 0000000D.00000000.1271939149.0000000000D02000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.3.dr
Source:	Binary string: (LIBREH~1.PDB|LibreHardwareMonitorLib.pdb!_BD877C90970AA9100E0C7F0F15E7D820 source: MSIC1E3.tmp.3.dr
Source:	Binary string: >C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb source: 6ebf81.rbs.3.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb source: MSIC1E3.tmp.3.dr, 6ebf81.rbs.3.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WuqueID.sys.19.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb source: MSIC1E3.tmp.3.dr, 6ebf81.rbs.3.dr
Source:	Binary string: LibreHardwareMonitorLib.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: &{D69153E9-9582-DFE1-9B6B-5782DFB8B4F4}9C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\LibreHardwareMonitor\LibreHardwareMonitorLib\obj\Release\net472\LibreHardwareMonitorLib.pdbSHA256 source: WuqueID.exe, 00000013.00000002.2341290551.0000000005D92000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.3.dr
Source:	Binary string: &{6BEB42CF-965C-4CB4-D3D3-14B795FE5DC8}>C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: HIDLIB~1.PDB|HidLibrary.pdb!_611CD1259FF9244173023E5AF7F87110 source: MSIC1E3.tmp.3.dr
Source:	Binary string: HidLibrary.pdb source: MSIC1E3.tmp.3.dr
Source:	Binary string: HIDLIB~1.PDB|HidLibrary.pdb! source: MSIC1E3.tmp.3.dr
Source:	Binary string: Newtonsoft.Json.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: HidLibrary.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\LibreHardwareMonitor\LibreHardwareMonitorLib\obj\Release\net472\LibreHardwareMonitorLib.pdb source: WuqueID.exe, WuqueID.exe, 00000013.00000002.2341290551.0000000005D92000.00000002.00000001.01000000.00000009.sdmp, LibreHardwareMonitorLib.dll.3.dr
Source:	Binary string: &{FC901E51-B971-EF18-0275-895DB99C96B7}FC:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb@ source: MSIC1E3.tmp.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\HidLibrary\src\HidLibrary\obj\Release\net45\HidLibrary.pdbSHA256 source: WuqueID.exe, 00000013.00000002.2341095368.0000000005D02000.00000002.00000001.01000000.0000000A.sdmp, HidLibrary.dll.3.dr
Source:	Binary string: LibreHardwareMonitorLib.pdb source: MSIC1E3.tmp.3.dr
Source:	Binary string: NEWTON~1.PDB|Newtonsoft.Json.pdb!_DBDC3D5F294BC46AC36BCB97C1863469 source: MSIC1E3.tmp.3.dr
Source:	Binary string: FC:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb source: 6ebf81.rbs.3.dr
Source:	Binary string: LIBREH~1.PDB|LibreHardwareMonitorLib.pdb! source: MSIC1E3.tmp.3.dr
Source:	Binary string: MS_Sans_Serif__8_0VSDCA_FolderForm_AllUsersInstalled="" AND NOT RESUME AND ALLUSERS=1WelcomeForm_NextArgsFolderForm_PrevArgsFolderForm_NextArgsConfirmInstallForm_PrevArgsAdminWelcomeForm_NextArgsAdminFolderForm_PrevArgsAdminFolderForm_NextArgsAdminConfirmInstallForm_PrevArgs_1AC4DA0A7D3EED7999615E5ACA812225{7F4CAD80-DD70-A3B2-87C7-9FC2AE2524E6}C__1AC4DA0A7D3EED7999615E5ACA812225NEWTON~1.XML|Newtonsoft.Json.xml_611CD1259FF9244173023E5AF7F87110{D69153E9-9582-DFE1-9B6B-5782DFB8B4F4}C__611CD1259FF9244173023E5AF7F87110HIDLIB~1.PDB|HidLibrary.pdb_BD877C90970AA9100E0C7F0F15E7D820{FC901E51-B971-EF18-0275-895DB99C96B7}C__BD877C90970AA9100E0C7F0F15E7D820LIBREH~1.PDB|LibreHardwareMonitorLib.pdb_D874BFE48899D575C49DA62E9FCC0B55{478362FE-AADF-D2A9-8284-8E941C16D161}C__D874BFE48899D575C49DA62E9FCC0B55LIBREH~1.XML|LibreHardwareMonitorLib.xml_DBDC3D5F294BC46AC36BCB97C1863469{6BEB42CF-965C-4CB4-D3D3-14B795FE5DC8}C__DBDC3D5F294BC46AC36BCB97C1863469NEWTON~1.PDB|Newtonsoft.Json.pdb_23529296893BF1C104BE8AA7BD439105C__23529296893BF1C104BE8AA7BD439105LIBREH~2.DLL|LibreHardwareMonitorLib.dll_311BEF0DECFFAF3ECA63421B326FFA0BC__311BEF0DECFFAF3ECA63421B326FFA0BHIDLIB~2.DLL|HidLibrary.dll_7E763E4DF963F4CCF2F811F417A3771EC__7E763E4DF963F4CCF2F811F4 source: 6ebf82.msi.3.dr, Unconfirmed 372492.crdownload.0.dr, chromecache_152.1.dr, 6ebf80.msi.3.dr
Source:	Binary string: C:\Code\src\oss\hidsharp\hid\HidSharp\obj\Release\HidSharp.pdb source: HidSharp.dll.3.dr
Source:	Binary string: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.pdb source: MSIC1E3.tmp.3.dr, 6ebf81.rbs.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\net45\Newtonsoft.Json.pdbSHA256Q source: Newtonsoft.Json.dll.3.dr
Source:	Binary string: D:\workspace\Visual Studio\WuqueID\wuque\wuque\obj\Release\WuqueID.pdb source: WuqueID.exe, 0000000D.00000000.1271939149.0000000000D02000.00000002.00000001.01000000.00000006.sdmp, WuqueID.exe.3.dr

Data Obfuscation

Binary contains a suspicious time stamp

Source: Newtonsoft.Json.dll.3.dr

Static PE information: 0x8C2175C7 [Fri Jul 1 16:24:39 2044 UTC]

PE file contains sections with non-standard names

Source: msiexec.exe.3.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_05D05AF7 push ss; iretd		19_2_05D05AF8
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_0170C998 push ecx; iretd		19_2_0170C9A2
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_017036D7 push ebx; iretd		19_2_017036DA
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_06A22BC0 push es; ret		19_2_06A22BD0
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_06A21B02 push es; ret		19_2_06A21B30
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Code function: 19_2_06A21B40 push es; ret		19_2_06A21B30

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys			Jump to behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\HidSharp.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC165.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\System.Net.Http.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB85C.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\msiexec.exe			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB8E9.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.dll			Jump to dropped file
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC0F7.tmp			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC165.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC0F7.tmp			Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WuqueID.lnk			Jump to behavior

Creates an autostart registry key

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run App			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run App			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""

Query firmware table information (likely to detect VMs)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	System information queried: FirmwareTableInformation			Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Memory allocated: 16C0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Memory allocated: 33C0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Memory allocated: 3100000 memory reserve | memory write watch			Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe	File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Contains functionality to read device registry values (via SetupAPI)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Code function: 19_2_06A27430 SetupDiGetDeviceRegistryPropertyW,

19_2_06A27430

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Window / User API: threadDelayed 836			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Window / User API: threadDelayed 496			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Window / User API: threadDelayed 1964			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\HidSharp.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC165.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\System.Net.Http.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB85C.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\msiexec.exe			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB8E9.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\Newtonsoft.Json.dll			Jump to dropped file
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.sys			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC0F7.tmp			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 6652	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 4216	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 6024	Thread sleep time: -176000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 5408	Thread sleep time: -127000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 3728	Thread sleep time: -496000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 5500	Thread sleep time: -159000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe TID: 3728	Thread sleep time: -1964000s >= -30000s			Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Checks the free space of harddrives

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{A1DE3274-DFFE-4F46-BBF5-10AD26600017}			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: svchost.exe, 00000014.00000002.2330644873.000001C9B9241000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @path"\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000014.00000002.2330644873.000001C9B9241000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.ObjectId("{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: WuqueID.exe, 00000013.00000002.2329724452.0000000001166000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.ExecQuery(ASSOCIATORS OF {MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11\WMI.ExecQuery(SELECT * FROM Win32_DiskDrive);
Source: WuqueID.exe, 00000013.00000002.2329724452.0000000001166000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_VirtualDiskToDisk
Source: svchost.exe, 00000014.00000002.2331572873.000001C9B92A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @{a33c734b-61ca-11ee-8c18-806e6f6e6963}DI\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000014.00000003.1311841119.000001C9B971E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1310682727.000001C9B9702000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1312017496.000001C9B9735000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1312017496.000001C9B971C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1311841119.000001C9B9737000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringDescriptionLocation contains the PnP location path of the disk. The format of this string depends on the bus type. If the bus type is SCSI, SAS, or PCI RAID, the format is <AdapterPnpLocationPath>#<BusType>(P<PathId>T<TargetId>L<LunId>). If the bus type is IDE, ATA, PATA, or SATA, the format is <AdapterPnpLocationPath>#<BusType>(C<PathId>T<TargetId>L<LunId>). For example, a SCSI location may look like: PCIROOT(0)#PCI(1C00)#PCI(0000)#SCSI(P00T01L01). Note: For Hyper-V and VHD images, this member is NULL because the virtual controller does not return the location path.LogicalSectorSize
Source: svchost.exe, 00000014.00000002.2330482779.000001C9B9224000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: en-CH-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&
Source: svchost.exe, 00000005.00000002.2333351204.0000023D0BA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2336785563.0000023D11060000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2337006014.0000023D11066000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.2331041388.0000021B0D62B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisksk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"1efb8b}\""
Source: svchost.exe, 00000014.00000003.1310845827.000001C9B9702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000014.00000002.2331572873.000001C9B92BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 00000014.00000003.1310815134.000001C9B970A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000014.00000003.1310894001.000001C9B961A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000014.00000003.1310815134.000001C9B9702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000014.00000002.2332674420.000001C9B9602000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000014.00000002.2330644873.000001C9B9241000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.Path("\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: svchost.exe, 00000014.00000002.2331572873.000001C9B92BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"`
Source: svchost.exe, 00000014.00000002.2331572873.000001C9B92BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .@VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 00000014.00000002.2332182139.000001C9B92DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @objectid"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:di:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000014.00000002.2332182139.000001C9B92D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 00000014.00000003.1311841119.000001C9B9737000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WSP_Disk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6000C29CBCCEB42671D1430C5A2A776C\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0owdejj vqnfqurphbaj6000c29cbcceb42671d1430c5a2a776c2.0 owdejj vqnfqurphbaj
Source: svchost.exe, 00000014.00000002.2332411267.000001C9B92FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &@VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 00000014.00000002.2330482779.000001C9B9224000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000014.00000002.2331572873.000001C9B92A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: WuqueID.exe, 00000013.00000002.2329724452.0000000001166000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.ExecQuery(ASSOCIATORS OF {MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_Disk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"6000C29CBCCEB42671D1430C5A2A776C\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0owdejj vqnfqurphbaj6000c29cbcceb42671d1430c5a2a776c2.0 owdejj vqnfqurphbaj
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: svchost.exe, 00000014.00000002.2331572873.000001C9B92BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "@VMware Virtual disk SCSI Disk Devicell
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASSOCIATORS OF {MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_VirtualDiskToDisk
Source: svchost.exe, 00000014.00000002.2330301946.000001C9B9213000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c9
Source: svchost.exe, 00000014.00000003.1311841119.000001C9B9737000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\user-PC\root\Microsoft\Windows\Storage:MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""z
Source: WuqueID.exe, 00000013.00000002.2329724452.0000000001166000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sociators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDiskca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_VirtualDiskToDisk
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDiskca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_VirtualDiskToDisk
Source: svchost.exe, 00000014.00000002.2332182139.000001C9B92DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: objectid"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:di:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000014.00000002.2331572873.000001C9B92A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}DI\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\user-PC\root\Microsoft\Windows\Storage:MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""
Source: svchost.exe, 00000014.00000002.2331572873.000001C9B92BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000014.00000002.2332411267.000001C9B92FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 0000000B.00000002.2331517615.0000021B0D652000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
Source: svchost.exe, 00000014.00000002.2330644873.000001C9B9241000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l\v
Source: svchost.exe, 00000014.00000002.2331182002.000001C9B929D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}pDat
Source: svchost.exe, 00000014.00000002.2332411267.000001C9B92FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *@VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 00000014.00000002.2330644873.000001C9B9241000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: path"\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}".
Source: WuqueID.exe, 00000013.00000002.2340215620.0000000005C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000014.00000003.1311841119.000001C9B971E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1310682727.000001C9B9702000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1312017496.000001C9B9735000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1312017496.000001C9B971C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1311841119.000001C9B9737000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Location contains the PnP location path of the disk. The format of this string depends on the bus type. If the bus type is SCSI, SAS, or PCI RAID, the format is <AdapterPnpLocationPath>#<BusType>(P<PathId>T<TargetId>L<LunId>). If the bus type is IDE, ATA, PATA, or SATA, the format is <AdapterPnpLocationPath>#<BusType>(C<PathId>T<TargetId>L<LunId>). For example, a SCSI location may look like: PCIROOT(0)#PCI(1C00)#PCI(0000)#SCSI(P00T01L01). Note: For Hyper-V and VHD images, this member is NULL because the virtual controller does not return the location path.
Source: WuqueID.exe, 00000013.00000002.2329724452.000000000121A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\user-PC\root\Microsoft\Windows\Storage:MSFT_Disk.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""6t
Source: svchost.exe, 00000014.00000002.2332182139.000001C9B92DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "@SetPropValue.Path("\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: svchost.exe, 00000014.00000002.2331182002.000001C9B929D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\sys
Source: svchost.exe, 00000014.00000002.2331572873.000001C9B92BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000000B.00000002.2330485018.0000021B0D602000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000014.00000002.2332182139.000001C9B92DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SetPropValue.Path("\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: svchost.exe, 00000014.00000002.2330109873.000001C9B9200000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: i#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000014.00000002.2330830390.000001C9B9267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: alue.ObjectId("{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}");
Source: svchost.exe, 0000000B.00000002.2331517615.0000021B0D652000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000014.00000002.2332182139.000001C9B92DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *@objectid"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:di:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: svchost.exe, 00000014.00000003.1311841119.000001C9B9737000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Queries a list of all running processes

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Enables debug privileges

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Code function: 19_2_05E32F40 cpuid

19_2_05E32F40

Queries device information via Setup API

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Code function: 19_2_06A27430 SetupDiGetDeviceRegistryPropertyW,

19_2_06A27430

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Program Files (x86)\WuqueStudio\WuqueID\LibreHardwareMonitorLib.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Program Files (x86)\WuqueStudio\WuqueID\HidLibrary.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Device\v4.0_4.0.0.0__b77a5c561934e089\System.Device.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Program Files (x86)\WuqueStudio\WuqueID\WuqueID.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000010.00000002.2332767381.0000020E0A302000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.2332767381.0000020E0A302000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct