
Windows Analysis Report
SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe

Overview

General Information

Sample name: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe
Analysis ID: 1543319
MD5: df3ca79177e6ae81bf45f894b6683c14
SHA1: 520475c8efda7d4c14165436156417a1bbfd92aa
SHA256: 4f48297c67bb0803164f3e3f10135ad23ca6db7650c74f81227df8cf47efc659

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64native
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: classification engine | Classification label: mal64.evad.winEXE@1/0@0/0
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: pdh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: perfos.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Section loaded: profapi.dll
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Static file information: File size 31139840 > 1048576
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1d56400
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Virtual Machine Bus
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1235468750.00000182A28DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor]$ *!
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesl[
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partitionl
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor,w
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1245246424.00000182A4265000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1244231281.00000182A4265000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor4\
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Servicem
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Serviceu%X+
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1234802463.00000182A42AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1234599930.00000182A4222000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1231986806.00000182A4222000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1232352690.00000182A4222000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Se
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1235468750.00000182A28DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1233143599.00000182A28DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accu
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1235244787.00000182A4225000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1234395256.00000182A4225000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860I
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processorll?X
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processorkw
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processorc.sys
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisorui
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisorr
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partition
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1231643380.00000182A41E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1245246424.00000182A421B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1243411053.00000182A420B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1244231281.00000182A421B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotnt oAA
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1274755346.00000182A47AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionty>
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exeNtQueryInformationProcess: Indirect: 0x7FF6A60F2ED5Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exeNtQueryInformationProcess: Indirect: 0x7FF6A60F2E3CJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exeNtQueryInformationProcess: Indirect: 0x7FF6A60F1ACCJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exeNtQueryInformationProcess: Indirect: 0x7FF6A60F1958Jump to behavior
Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1262762360.00000182A46B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1262762360.00000182A46EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
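Added example (the editor's triage script, not Joe Sandbox code): a Python pass over behaviour lines of the shape shown in this report that pulls apart the three findings that matter here. The five ROOT\CIMV2 queries (Win32_PortConnector, CIM_PhysicalConnector, CIM_Slot, Win32_PhysicalMemory, Win32_Processor) enumerate physical hardware that a VM typically lacks or reports generically, which is why the report files them under VM detection; the root\SecurityCenter2 AntiVirusProduct query is security-software discovery; and the four NtQueryInformationProcess call sites flagged as indirect syscalls lie within 0x157D bytes of one another at 0x7FF6A60F1958..0x7FF6A60F2ED5, one small code region in the sample rather than ntdll's export stubs. The script also tags the long "WorkflowServiceHost ... Hyper-V Hypervisor Logical Processor" memory strings as Perflib counter-name table contents (a counter index immediately followed by its name, repeated); that is the editor's reading of them, based on the fact that the counter table lists Hyper-V counter sets on any current Windows build whether or not Hyper-V is running, and that perfos.dll appears in the loaded-section list above, so those strings by themselves are weak evidence of hypervisor detection. The class-to-purpose mapping is an assumption about the sample's intent, the sample lines are copied from this report, and the regexes are assumptions about the report's line format.

```python
"""Triage helper for Joe Sandbox behaviour lines (added example, not Joe Sandbox code).

Separates three things the report mixes together: WMI ExecQuery calls that
fingerprint physical hardware versus the SecurityCenter2 AntiVirusProduct query,
NtQueryInformationProcess call sites flagged as indirect syscalls, and memory
strings that merely have the shape of the Perflib counter-name table
(a counter index immediately followed by its name, repeated).
"""
import json
import re
from collections import defaultdict

# Editor's mapping of WMI classes to what a VM check learns from them. This is an
# assumption about the sample's intent, not Joe Sandbox's own signature logic.
VM_FINGERPRINT_CLASSES = {
    "Win32_PhysicalMemory": "installed DIMMs (a VM often exposes none or one generic module)",
    "Win32_Processor": "CPU name, manufacturer and core count",
    "CIM_Slot": "expansion slots (usually absent on a VM)",
    "Win32_PortConnector": "physical ports (usually absent on a VM)",
    "CIM_PhysicalConnector": "physical connectors (usually absent on a VM)",
}
SECURITY_PRODUCT_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}

# The regexes are assumptions about the report's line format, derived from the lines above.
WMI_RE = re.compile(r"IWbemServices::ExecQuery - (?P<ns>[\w\\]+) : (?P<query>SELECT .+)$", re.I)
FROM_RE = re.compile(r"\bFROM\s+(?P<cls>\w+)", re.I)
SYSCALL_RE = re.compile(r"(?P<api>Nt\w+): Indirect: 0x(?P<addr>[0-9A-Fa-f]+)")
# Perflib table shape: 3-5 digit index, capitalised name, another index, another name.
PERFLIB_RE = re.compile(r"\d{3,5}[A-Z][^\d]{3,}\d{3,5}[A-Z]")


def parse_wmi(line):
    """Return (namespace, class) for an ExecQuery line, else None."""
    m = WMI_RE.search(line)
    if not m:
        return None
    cls = FROM_RE.search(m.group("query"))
    return (m.group("ns"), cls.group("cls")) if cls else None


def classify_wmi(namespace, cls):
    """Bucket a WMI query by what it most plausibly learns about the host."""
    if namespace.lower().endswith("securitycenter2") and cls in SECURITY_PRODUCT_CLASSES:
        return "security-product"
    if cls in VM_FINGERPRINT_CLASSES:
        return "vm-fingerprint"
    return "other"


def parse_indirect_syscall(line):
    """Return (api, call-site address as int) for an 'Indirect' syscall line, else None."""
    m = SYSCALL_RE.search(line)
    return (m.group("api"), int(m.group("addr"), 16)) if m else None


def looks_like_perflib_table(line):
    """True when the memory string has the concatenated index+name shape of the Perflib counter table."""
    text = line.split("Binary or memory string: ", 1)[-1]
    return PERFLIB_RE.search(text) is not None


def triage(lines):
    """Summarise a list of report lines; unknown WMI classes land in other_wmi, nothing is dropped silently."""
    summary = {"vm_fingerprint": [], "security_product": [], "other_wmi": [],
               "indirect_syscalls": {}, "perflib_noise_lines": 0}
    call_sites = defaultdict(list)
    for line in lines:
        wmi = parse_wmi(line)
        if wmi:
            kind = classify_wmi(*wmi)
            bucket = {"vm-fingerprint": "vm_fingerprint",
                      "security-product": "security_product"}.get(kind, "other_wmi")
            summary[bucket].append(wmi[1])
            continue
        sc = parse_indirect_syscall(line)
        if sc:
            call_sites[sc[0]].append(sc[1])
            continue
        if looks_like_perflib_table(line):
            summary["perflib_noise_lines"] += 1
    for api, addrs in call_sites.items():
        # A tight span points at one hand-rolled syscall stub region rather than scattered ntdll exports.
        summary["indirect_syscalls"][api] = {"count": len(addrs), "span_bytes": max(addrs) - min(addrs)}
    return summary


# Constructed sample: lines copied from this report, one per behaviour of interest.
EXE = r"C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe"
SDMP = ("Source: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, "
        "00000000.00000003.1274755346.00000182A482F000.00000004.00000020.00020000.00000000.sdmp"
        "Binary or memory string: ")
SAMPLE_LINES = [
    rf"Source: {EXE}WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector",
    rf"Source: {EXE}WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector",
    rf"Source: {EXE}WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot",
    rf"Source: {EXE}WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory",
    rf"Source: {EXE}WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor",
    f"Source: {EXE}NtQueryInformationProcess: Indirect: 0x7FF6A60F2ED5Jump to behavior",
    f"Source: {EXE}NtQueryInformationProcess: Indirect: 0x7FF6A60F2E3CJump to behavior",
    f"Source: {EXE}NtQueryInformationProcess: Indirect: 0x7FF6A60F1ACCJump to behavior",
    f"Source: {EXE}NtQueryInformationProcess: Indirect: 0x7FF6A60F1958Jump to behavior",
    rf"Source: {EXE}WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct",
    f"{SDMP}Hyper-V Virtual Machine Bus",
    f"{SDMP}4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time",
    f"{SDMP}6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second",
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Run it as a script to print the summary for the sample lines, or pass the whole report split into lines; the bare "Hyper-V Virtual Machine Bus" strings count as nothing, which is the point: only the ExecQuery calls are evidence of an active check.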
MITRE ATT&CK matrix (techniques matched by this analysis carry the signature-hit badge from the report in brackets; the remaining entries are the unmatched cells of the matrix as displayed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation [321]; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection [1]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion [11]; Disable or Modify Tools [1]; Process Injection [1]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery [321]; Virtualization/Sandbox Evasion [11]; Process Discovery [2]; System Information Discovery [2]; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe | 18% | ReversingLabs | Win64.Trojan.Generic |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Reputation
https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/ | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://powerpoint.office.comer | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4F2A000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.msn.com/en-us/news/politics/jd-vance-negotiating-with-russia-is-a-necessary-part-of-endi | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://outlook.comf? | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4F2A000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W01_Sunn | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd-dark | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://gameplayapi.intel.com/api/games/getagsgamesettings2/0K | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://gameplayapi.intel.com/api/games/getagsgamesettings2/dJLm | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.msn.com/en-us/health/other/daylight-saving-time-ends-next-weekend-this-is-how-to-prepare | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://stacker.com/art-culture/20-life-changing-locations-inspired-movies-books-and-art | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.msn.com/en-us/weather/maps/wildfire/in-New-York?loc=eyJsIjoiTmV3IFlvcmsiLCJyIjoiTmV3IFlv | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.msn.com/en-us/feed | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/O | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.msn.com/en-us/weather/hourlyforecast/in-New-York?loc=eyJsIjoiTmV3IFlvcmsiLCJyIjoiTmV3IFl | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.msn.com/en-us/movies/news/top-10-movies-where-the-cast-had-most-fun-during-production/vi | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.msn.com/en-us/news/politics/harris-calls-on-the-united-states-to-turn-the-page-on-hatred | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/humidity.png | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.msn.com/en-us/news/us/what-all-those-sexy-halloween-costumes-are-doing-to-kids/ar-AA1t0Y | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://deff.nelreports.net/api/report?cat=msn | SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4A87000.00000004.00000020.00020000.00000000.sdmp | false | unknown
                                              https://gameplayapi.intel.com/api/games/getagsgamesettings2/SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  https://www.msn.com/en-us/news/politics/jake-tapper-and-jd-vance-have-fiery-exchange-over-trump-s-enSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
                                                    https://www.msn.com/en-us/news/technology/50-slang-terms-only-people-over-25-years-old-will-understaSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      unknown
                                                      https://stacker.comSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://www.msn.com/en-us/news/us/washington-post-reports-elon-musk-briefly-worked-illegally-in-us-iSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://gameplayapi.intel.com/api/games/getagsgames2/ySecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/nJBmSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhbSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.svgSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://gameplayapi.intel.com/api/games/downloadthumbnail/:KSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://gameplayapi.intel.com/api/games/getagsgamesettings2/i1SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://tst-gameplayapi.intel.com/api/games/getagsgames2/SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4orSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://www.msn.com/en-us/sports/other/college-football-rankings-week-10-top-10-teams/ar-AA1t0rWhSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            https://www.msn.com/en-us/money/companies/how-s-that-my-fault-home-warranty-company-refused-to-pay-uSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://www.msn.com/en-us/sports/mlb/yamamoto-shuts-down-yankees-freeman-homers-again-as-dodgers-winSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://gameplayapi.intel.com/api/games/getagsgames2/SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/PSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://edition.cnn.com/2019/01/15/politics/donald-trump-fast-food-clemson-tigers/index.htmlSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        https://word.office.comSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4F2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/byySecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/WeatherInsight/WSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://www.msn.com/en-us/foodanddrink/recipes/14-of-john-wayne-s-favorite-foods/ar-BB1m7ZykSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://windows.msn.com:443/shellv2?osLocale=en-us&chosenMarketReason=implicitNewSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://www.merriam-webster.com/wordplay/new-words-in-the-dictionarySecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://gameplayapi.intel.com/api/games/getagsgamesettings2/ESecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://windows.msn.com:443/shell?osLocale=en-us&chosenMarketReason=implicitNewSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://tst-gameplayapi.intel.com/api/games/getagsgames2/ySecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://gameplayapi.intel.com/api/games/getagsgames2/BSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://stacker.com/food-drink/15-formerly-popular-foods-america-are-rarely-eaten-todaySecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Alert/Alert_FD_B.svgSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://www.msn.com/en-us/travel/news/american-airlines-tests-boarding-technology-that-audibly-shameSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://ocsp.digicert.coSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1257652683.00000182A46A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1292702703.00000182A47D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://api.msn.com/v1/news/Feed/Windows?activityId=98A3FD9E78FC44C7A06C3A0E80307840&timeOut=5000&ocSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://www.msn.com/en-us/news/us/search-underway-for-man-accused-of-killing-his-pregnant-wife-whileSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Alert/Alert_FD_B.pngSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=32798c55-53d0-4330-98c1-75a3SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://excel.office.comESecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4F2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://www.msn.com/en-us/news/world/satellite-images-show-damage-from-israeli-attack-at-2-iranian-mSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://www.msn.com/en-us/weather/forecast/in-New-York?loc=eyJsIjoiTmV3IFlvcmsiLCJyIjoiTmV3IFlvcmsiLSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://today.yougov.com/ratings/consumer/popularity/dining-brands/allSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.pngSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/temprise1.svgSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://stacker.com/storiesSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://gameplayapi.intel.com/api/games/downloadthumbnail/SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.intel.com/support/gfx_feedbackSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A46D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                https://www.nytimes.com/2021/04/20/magazine/filet-o-fish-asian-americans.htmlSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://go.redirectingat.com?id=74968X1553576&url=https%3A%2F%2Fwww.petco.com%2Fcontent%2Fpetco%2FPeSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-darkSecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      https://www.msn.com/en-us/foodanddrink/other/why-so-many-southerners-go-by-their-middle-names/ar-AA1SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1269162237.00000182A4D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4691000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe, 00000000.00000003.1273296153.00000182A4689000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543319
Start date and time: 2024-10-27 17:11:01 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected VM Detection
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe
Detection: MAL
Classification: mal64.evad.winEXE@1/0@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                          • VT rate limit hit for: SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe
                                                                                                                                                          No simulations
                                                                                                                                                          No context
                                                                                                                                                          No context
                                                                                                                                                          No context
                                                                                                                                                          No context
                                                                                                                                                          No context
                                                                                                                                                          No created / dropped files found
                                                                                                                                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                          Entropy (8bit):7.998832150472728
                                                                                                                                                          TrID:
                                                                                                                                                          • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                          • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                          File name:SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe
                                                                                                                                                          File size:31'139'840 bytes
                                                                                                                                                          MD5:df3ca79177e6ae81bf45f894b6683c14
                                                                                                                                                          SHA1:520475c8efda7d4c14165436156417a1bbfd92aa
                                                                                                                                                          SHA256:4f48297c67bb0803164f3e3f10135ad23ca6db7650c74f81227df8cf47efc659
                                                                                                                                                          SHA512:2e04d4b0d534f01067a075548b14a1118200cdf71d4fa7cbd1a91b2a80f6a2bc4c5fe7f1c558494ba454b096b3af128288940b635e6aea1e500851ad00c4cc2e
                                                                                                                                                          SSDEEP:786432:xIa0gdHQKaWE3Kp/Fk/k41D7cAItlD271/Lzkpb7hd2QJ:xB6Wr/FEkkfcRtMx/3kp1d2
                                                                                                                                                          TLSH:0C673393F090C57DD524D2B1DBA22222EA2278178FB474E353D81E242D4AFD8967FF94
                                                                                                                                                          File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....0.f.........."............................@..........................................`........................................
                                                                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                                                                          Entrypoint:0x1400488b0
                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                          Digitally signed:false
                                                                                                                                                          Imagebase:0x140000000
                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                          Time Stamp:0x66CA3008 [Sat Aug 24 19:10:00 2024 UTC]
                                                                                                                                                          TLS Callbacks:0x4002e060, 0x1
                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                          OS Version Major:6
                                                                                                                                                          OS Version Minor:0
                                                                                                                                                          File Version Major:6
                                                                                                                                                          File Version Minor:0
                                                                                                                                                          Subsystem Version Major:6
                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                          Import Hash:3d6564717819e42a19ff0f516eca2242
Instruction
dec eax
sub esp, 28h
call 00007F76492CCC90h
dec eax
add esp, 28h
jmp 00007F76492CC8B7h
int3
int3
dec eax
sub esp, 28h
call 00007F76492CCA54h
dec eax
neg eax
sbb eax, eax
neg eax
dec eax
dec eax
add esp, 28h
ret
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
cmp dword ptr [01D69166h], FFFFFFFFh
dec eax
mov ebx, ecx
jne 00007F76492CCA49h
call 00007F76492CDEC5h
jmp 00007F76492CCA51h
dec eax
mov edx, ebx
dec eax
lea ecx, dword ptr [01D69150h]
call 00007F76492CDE30h
xor edx, edx
test eax, eax
dec eax
cmove edx, ebx
dec eax
mov eax, edx
dec eax
add esp, 20h
pop ebx
ret
int3
int3
dec eax
sub esp, 18h
dec esp
mov eax, ecx
mov eax, 00005A4Dh
cmp word ptr [FFFB76D5h], ax
jne 00007F76492CCABAh
dec eax
arpl word ptr [FFFB7708h], cx
dec eax
lea edx, dword ptr [FFFB76C5h]
dec eax
add ecx, edx
cmp dword ptr [ecx], 00004550h
jne 00007F76492CCAA1h
mov eax, 0000020Bh
cmp word ptr [ecx+18h], ax
jne 00007F76492CCA96h
dec esp
sub eax, edx
movzx edx, word ptr [ecx+14h]
dec eax
add edx, 18h
dec eax
add edx, ecx
movzx eax, word ptr [ecx+06h]
dec eax
lea ecx, dword ptr [eax+eax*4]
dec esp
lea ecx, dword ptr [edx+ecx*8]
dec eax
mov dword ptr [esp], edx
dec ecx
cmp edx, ecx
je 00007F76492CCA5Ah
mov ecx, dword ptr [edx+0Ch]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1dad268        0x104         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x1db3000        0x1b84        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1db8000        0x70c         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1dad140        0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x1daa9b0        0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x1da5b70        0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1dad8e0        0x570         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size   MD5                               Xored PE  ZLIB Complexity     File Type  Entropy               Characteristics
.text   0x1000           0x58a66       0x58c00    125e3f2bcd3f263a8791c67ed633bd01  False     0.5132262323943662  data       6.458143500240216     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x5a000          0x1d5637c     0x1d56400  6ccf4f906f66470f7dbe84f7453277ea  unknown   unknown             unknown    unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x1db1000        0x1bd0        0xa00      f89f83e50853d702d81a1d2f1fada699  False     0.146484375         data       1.898901291986417     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x1db3000        0x1b84        0x1c00     cc2e2b37b4bd18aee5e9dcb60d19f27f  False     0.5110212053571429  data       5.793195597431052     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids  0x1db5000        0x80          0x200      94baceba662d5eaa84ce6a28e96d73c0  False     0.21484375          data       1.473598035294352     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls    0x1db6000        0xa1          0x200      2b3aead56f8cd1ad5cf40bdff60fc742  False     0.037109375         data       0.020393135236084953  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA  0x1db7000        0x1f4         0x200      9e234c34f0ebe9d234138703bdff563d  False     0.51171875          data       4.195692367914678     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x1db8000        0x70c         0x800      d4ef5d8f937c9d152d141fccf655af44  False     0.5517578125        data       5.176197097017553     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL: Imports
KERNEL32.dll: AddVectoredExceptionHandler, CheckRemoteDebuggerPresent, CloseHandle, CompareStringOrdinal, CompareStringW, CreateDirectoryW, CreateFileW, CreateNamedPipeW, CreateProcessW, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DeleteProcThreadAttributeList, DuplicateHandle, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExA, FindFirstFileW, FindNextFileA, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFullPathNameW, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetSystemTimePreciseAsFileTime, GetSystemTimes, GetTempPathW, GetTickCount64, GetWindowsDirectoryW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeProcThreadAttributeList, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, K32GetPerformanceInfo, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LocalFree, MultiByteToWideChar, OpenProcess, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFileEx, ReadProcessMemory, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetEnvironmentVariableA, SetFileInformationByHandle, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadExecutionState, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UpdateProcThreadAttribute, VirtualQueryEx, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteFileEx
bcryptprimitives.dll: ProcessPrng
api-ms-win-core-synch-l1-2-0.dll: WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
ntdll.dll: NtQueryInformationProcess, NtQuerySystemInformation, NtWriteFile, RtlGetVersion, RtlNtStatusToDosError
ADVAPI32.dll: CopySid, GetLengthSid, GetTokenInformation, IsValidSid, OpenProcessToken, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, SystemFunction036
bcrypt.dll: BCryptGenRandom
powrprof.dll: CallNtPowerInformation
ole32.dll: CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket
shell32.dll: CommandLineToArgvW, ShellExecuteExW
                                                                                                                                                          oleaut32.dllGetErrorInfo, SafeArrayAccessData, SafeArrayDestroy, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayUnaccessData, SysAllocStringLen, SysFreeString, SysStringLen, VariantClear
                                                                                                                                                          psapi.dllGetModuleFileNameExW
                                                                                                                                                          pdh.dllPdhAddEnglishCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhOpenQueryA, PdhRemoveCounter
No network behavior found

Target ID: 0
Start time: 12:13:22
Start date: 27/10/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.QD.Trojan.GenericKDQ.624E6F2697.13291.32063.exe"
Imagebase: 0x7ff6a60b0000
File size: 31'139'840 bytes
MD5 hash: DF3CA79177E6AE81BF45F894B6683C14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

No disassembly