Windows Analysis Report
SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe

Overview

General Information

Sample name: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe
Analysis ID: 1543319
MD5: df3ca79177e6ae81bf45f894b6683c14
SHA1: 520475c8efda7d4c14165436156417a1bbfd92aa
SHA256: 4f48297c67bb0803164f3e3f10135ad23ca6db7650c74f81227df8cf47efc659

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1291523167.00000182A4339000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A92000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257142867.00000182A4365000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257027393.00000182A4361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257652683.00000182A46A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1292702703.00000182A47D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1291523167.00000182A4339000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A92000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257142867.00000182A4365000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257027393.00000182A4361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257652683.00000182A46A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1292702703.00000182A47D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.co
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUgUABBQpQV
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1291523167.00000182A4339000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A92000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257142867.00000182A4365000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257027393.00000182A4361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crle
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A46D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.intel.com/support/gfx_feedback
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=98A3FD9E78FC44C7A06C3A0E80307840&timeOut=5000&oc
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Alert/Alert_FD_B.png
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Alert/Alert_FD_B.svg
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.png
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.svg
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/humidity.png
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/temprise1.svg
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W01_Sunn
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/WeatherInsight/W
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd-dark
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://edition.cnn.com/2019/01/15/politics/donald-trump-fast-food-clemson-tigers/index.html
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://excel.office.comE
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/:K
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/B
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/y
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/0K
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/E
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/dJLm
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/i1
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.redirectingat.com?id=74968X1553576&url=https%3A%2F%2Fwww.petco.com%2Fcontent%2Fpetco%2FPe
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12I8qo.img
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12lNhl.img
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15YhMq.img
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAywGC0.img
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=32798c55-53d0-4330-98c1-75a3
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1292702703.00000182A4814000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257652683.00000182A46D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?l
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://outlook.comf?
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comer
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stacker.com
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stacker.com/art-culture/20-life-changing-locations-inspired-movies-books-and-art
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stacker.com/food-drink/15-formerly-popular-foods-america-are-rarely-eaten-today
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stacker.com/stories
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://today.yougov.com/ratings/consumer/popularity/dining-brands/all
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/P
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/nJBm
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/y
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/O
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/byy
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-us&chosenMarketReason=implicitNew
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-us&chosenMarketReason=implicitNew
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4F2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.merriam-webster.com/wordplay/new-words-in-the-dictionary
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/feed
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/foodanddrink/other/why-so-many-southerners-go-by-their-middle-names/ar-AA1
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/14-of-john-wayne-s-favorite-foods/ar-BB1m7Zyk
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/health/other/daylight-saving-time-ends-next-weekend-this-is-how-to-prepare
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/companies/how-s-that-my-fault-home-warranty-company-refused-to-pay-u
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/movies/news/top-10-movies-where-the-cast-had-most-fun-during-production/vi
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/harris-calls-on-the-united-states-to-turn-the-page-on-hatred
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/jake-tapper-and-jd-vance-have-fiery-exchange-over-trump-s-en
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/jd-vance-negotiating-with-russia-is-a-necessary-part-of-endi
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/50-slang-terms-only-people-over-25-years-old-will-understa
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/search-underway-for-man-accused-of-killing-his-pregnant-wife-while
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/washington-post-reports-elon-musk-briefly-worked-illegally-in-us-i
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/what-all-those-sexy-halloween-costumes-are-doing-to-kids/ar-AA1t0Y
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/satellite-images-show-damage-from-israeli-attack-at-2-iranian-m
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/mlb/yamamoto-shuts-down-yankees-freeman-homers-again-as-dodgers-win
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/college-football-rankings-week-10-top-10-teams/ar-AA1t0rWh
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/american-airlines-tests-boarding-technology-that-audibly-shame
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-New-York?loc=eyJsIjoiTmV3IFlvcmsiLCJyIjoiTmV3IFlvcmsiL
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/hourlyforecast/in-New-York?loc=eyJsIjoiTmV3IFlvcmsiLCJyIjoiTmV3IFl
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/maps/wildfire/in-New-York?loc=eyJsIjoiTmV3IFlvcmsiLCJyIjoiTmV3IFlv
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.nytimes.com/2021/04/20/magazine/filet-o-fish-asian-americans.html
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4BBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBp
Source: classification engine Classification label: mal64.evad.winEXE@1/0@0/0
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: perfos.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Section loaded: profapi.dll Jump to behavior
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Static file information: File size 31139840 > 1048576
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1d56400
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains sections with non-standard names
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1235468750.00000182A28DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor]$ *!
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesl[
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partitionl
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor,w
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1245246424.00000182A4265000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1244231281.00000182A4265000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor4\
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Servicem
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Serviceu%X+
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1234802463.00000182A42AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1234599930.00000182A4222000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1231986806.00000182A4222000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1232352690.00000182A4222000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Se
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1235468750.00000182A28DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1233143599.00000182A28DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accu
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1235244787.00000182A4225000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1234395256.00000182A4225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860I
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorll?X
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processorkw
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorui
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorr
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1231643380.00000182A41E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1245246424.00000182A421B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1243411053.00000182A420B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1244231281.00000182A421B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotnt oAA
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionty>
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Process information queried: ProcessInformation Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe NtQueryInformationProcess: Indirect: 0x7FF6A60F2ED5 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe NtQueryInformationProcess: Indirect: 0x7FF6A60F2E3C Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe NtQueryInformationProcess: Indirect: 0x7FF6A60F1ACC Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe NtQueryInformationProcess: Indirect: 0x7FF6A60F1958 Jump to behavior
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1262762360.00000182A46B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1262762360.00000182A46EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543319 Sample: SecuriteInfo.com.QD.Trojan.... Startdate: 27/10/2024 Architecture: WINDOWS Score: 64 8 Multi AV Scanner detection for submitted file 2->8 5 SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe 2->5         started        process3 signatures4 10 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 5->10 12 Queries memory information (via WMI often done to detect virtual machines) 5->12 14 Found direct / indirect Syscall (likely to bypass EDR) 5->14
No contacted IP infos