Windows Analysis Report
QualysCloudAgent (Windows).exe

Overview

General Information

Sample name: QualysCloudAgent (Windows).exe
Analysis ID: 1562263
MD5: b7472d4e38a5d4f3a272568142e2e875
SHA1: a8a6f8b37e84c100aae35ee92fbe9a6911b507ef
SHA256: 844593ab69ce5f479bf937471a385b1a966dcc7b3bfca44ffa9ccfe6420b259e
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Creates files inside the system directory
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Uses 32bit PE files
Source: QualysCloudAgent (Windows).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe File created: C:\ProgramData\Qualys\QualysAgent\InstallerLogs\CloudAgentInstaller.log Jump to behavior
Source: QualysCloudAgent (Windows).exe Static PE information: certificate valid
Source: QualysCloudAgent (Windows).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\x64\Release\QASetupHost.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\Release\QASetupHost.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\Release\CloudAgentInstaller.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\agent\_work\9\s\build\ship\x86\wixca.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\Win32\Release\QACustomAction.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\x64\Release\QACustomAction.pdb source: QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://ocsp.digicert.com0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://ocsp.digicert.com0A
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://ocsp.digicert.com0C
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://ocsp.digicert.com0I
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://ocsp.digicert.com0X
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://sv.symcb.com/sv.crl0W
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://sv.symcd.com0&
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://www.digicert.com/CPS0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://www.qualys.com/company/contacts/ARPHELPTELEPHONE(650)
Source: QualysCloudAgent (Windows).exe String found in binary or memory: http://www.qualys.com0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: https://d.symcb.com/cps0%
Source: QualysCloudAgent (Windows).exe String found in binary or memory: https://d.symcb.com/rpa0
Source: QualysCloudAgent (Windows).exe String found in binary or memory: https://www.digicert.com/CPS0
Creates files inside the system directory
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe File created: C:\Windows\Logs\QualysAgent Jump to behavior
Sample file is different than original file name gathered from version info
Source: QualysCloudAgent (Windows).exe, 00000000.00000002.1685306425.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQACustomAction.dllH vs QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe, 00000000.00000002.1685306425.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewixca.dll8 vs QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe, 00000000.00000002.1685306425.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQASetupHost.exeH vs QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe, 00000000.00000001.1682245534.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQACustomAction.dllH vs QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe, 00000000.00000001.1682245534.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewixca.dll8 vs QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe Binary or memory string: OriginalFilenameQACustomAction.dllH vs QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe Binary or memory string: OriginalFilenamewixca.dll8 vs QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe Binary or memory string: OriginalFilenameQASetupHost.exeH vs QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe Binary or memory string: OriginalFilenameCloudAgentInstaller.exeH vs QualysCloudAgent (Windows).exe
Uses 32bit PE files
Source: QualysCloudAgent (Windows).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: clean1.winEXE@2/2@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{3D594D93-D7F0-4C44-93AC-931752E27136}
Source: QualysCloudAgent (Windows).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: QualysCloudAgent (Windows).exe, 00000000.00000002.1685306425.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp, QualysCloudAgent (Windows).exe, 00000000.00000000.1680701072.0000000000A2B000.00000002.00000001.01000000.00000003.sdmp, QualysCloudAgent (Windows).exe, 00000000.00000001.1682245534.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp, QualysCloudAgent (Windows).exe, 00000000.00000002.1685146275.0000000000A2B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: QualysCloudAgent (Windows).exe, 00000000.00000002.1685306425.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT EXISTS (SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = '%s' LIMIT 1);END TRANSACTIONBEGIN TRANSACTIONINTEGERINTEGERGroupNameProcessIDManifestIDPrivilegeName@
Source: QualysCloudAgent (Windows).exe, 00000000.00000002.1685306425.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp, QualysCloudAgent (Windows).exe, 00000000.00000001.1682245534.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT EXISTS (SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = '%s' LIMIT 1);
Source: QualysCloudAgent (Windows).exe, 00000000.00000002.1685306425.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp, QualysCloudAgent (Windows).exe, 00000000.00000000.1680701072.0000000000A2B000.00000002.00000001.01000000.00000003.sdmp, QualysCloudAgent (Windows).exe, 00000000.00000001.1682245534.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp, QualysCloudAgent (Windows).exe, 00000000.00000002.1685146275.0000000000A2B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: QualysCloudAgent (Windows).exe, 00000000.00000002.1685306425.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp, QualysCloudAgent (Windows).exe, 00000000.00000001.1682245534.0000000000A8A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT EXISTS (SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = '%s' LIMIT 1);END TRANSACTION83INTEGERSizeINTEGERProcessIDGroupNamePrivilegeNameManifestID(
Source: QualysCloudAgent (Windows).exe String found in binary or memory: MBad privilege name to AdjustWin32 Error: %u - Failed to open process-token for privilege changeWin32 Error: %u - Unable to lookup for "%s" privilegeWin32 Error: %u - Unable to adjust the privilege "%s"Privilege update result: %uBad privilege name to EnablePrivilege name insertion failed.map/set<T> too longinvalid string positionstring too longWin32 Error: %u - Failed to open SCMWin32 Error: %u - Failed to open service "%s"Win32 Error: %u - Failed to query service statusService [%s] is running.Service is stopped - issuing start commandWin32 Error: %u - Failed to start service %sService is paused - issuing continue commandWin32 Error: %u - Failed to Continue serviceService is running.Service is not running - pausing 1 second...Win32 Error: %u - Failed to gain ownership of file object "%s"Win32 Error: %u - Failed to set default group of file object "%s"Win32 Error: %u - Failed to set DACL of file object "%s"SeTakeOwnershipPrivilegeFailed to adjust privilegeSeRestorePrivilegeWin32 Error: %u - Failed to create DACLWin32 Error: %u - Failed to reset security on: "%s"enabledisableAdjusting privileges to %s for %s.Win32 Error: %u - Unable to adjust privilege "%s"QualysAgentWin32 Error: %u - Pre-Setup: Failed to open a handle to the SCMPre-Setup: Driver file name is invalid.%windir%\System32\drivers\Pre-Setup: Failed to build driver file path.Pre-Setup: Failed to expand driver file path.Win32 Error: %u - Pre-Setup: Failed to delete driver file %sPre-Setup: Driver name is invalid.Win32 Error: %u - Pre-Setup: Failed to get a handle to the driver "%s"Win32 Error: %u - Pre-Setup: Failed to query the status of the driver "%s": %sPre-Setup: Driver is in a transitionary state (%u) - waiting for %u millisecondsPre-Setup: Timed out waiting for the driver to reach a stable state.Pre-Setup: Handle for %s service does not existWin32 Error: %u - Pre-Setup: Failed to obtain handle to %s driverPre-Setup: The driver %s has already stopped.Win32 Error: %u - Pre-Setup: Failed to stop %s driverPre-Setup: The driver %s has been stopped.uninstall Pre-Setup: Driver installer path is invalid.Pre-Setup: Not enough memory while trying to create driver uninstallation commandWin32 Error: %u - Pre-Setup: Driver un-installation [%s] has failed. Installer output [%s]Win32 Error: %u - Pre-Setup: Driver un-installation [%s] has failed. Installer output [%s]. Installer exit code: %dPre-Setup: Driver uninstallation [%s] has completed. Driver installer output [%s]Pre-Setup: Failed to construct driver package pathWin32 Error: %u - Pre-Setup: Failed to get the parent directory path"" /Insufficient memory while trying to create driver installation/uninstallation commandWin32 Error: %u - Pre-Setup: Failed to remove driver service for %sPre-Setup: Driver service for %s does not existWin32 Error: %u - Pre-Setup: Failed to stop the %s driverWin32 Error: %u - Pre-Setup: Failed to delete %s driver serviceWin32 Error: %u - Pre-Setup: Failed to query the existence of the driver "%s"Win32 Error: %u -
Source: QualysCloudAgent (Windows).exe String found in binary or memory: Bad privilege name to AdjustWin32 Error: %u - Failed to open process-token for privilege changeWin32 Error: %u - Unable to lookup for "%s" privilegeWin32 Error: %u - Unable to adjust the privilege "%s"Privilege update result: %uBad privilege name to EnablePrivilege name insertion failed.map/set<T> too longinvalid string positionstring too longWin32 Error: %u - Failed to open SCMWin32 Error: %u - Failed to open service "%s"Win32 Error: %u - Failed to query service statusService [%s] is running.Service is stopped - issuing start commandWin32 Error: %u - Failed to start service %sService is paused - issuing continue commandWin32 Error: %u - Failed to Continue serviceService is running.Service is not running - pausing 1 second...Win32 Error: %u - Failed to gain ownership of file object "%s"Win32 Error: %u - Failed to set default group of file object "%s"Win32 Error: %u - Failed to set DACL of file object "%s"SeTakeOwnershipPrivilegeFailed to adjust privilegeSeRestorePrivilegeWin32 Error: %u - Failed to create DACLWin32 Error: %u - Failed to reset security on: "%s"enabledisableAdjusting privileges to %s for %s.Win32 Error: %u - Unable to adjust privilege "%s"QualysAgentWin32 Error: %u - Pre-Setup: Failed to open a handle to the SCMPre-Setup: Driver file name is invalid.%windir%\System32\drivers\Pre-Setup: Failed to build driver file path.Pre-Setup: Failed to expand driver file path.Win32 Error: %u - Pre-Setup: Failed to delete driver file %sPre-Setup: Driver name is invalid.Win32 Error: %u - Pre-Setup: Failed to get a handle to the driver "%s"Win32 Error: %u - Pre-Setup: Failed to query the status of the driver "%s": %sPre-Setup: Driver is in a transitionary state (%u) - waiting for %u millisecondsPre-Setup: Timed out waiting for the driver to reach a stable state.Pre-Setup: Handle for %s service does not existWin32 Error: %u - Pre-Setup: Failed to obtain handle to %s driverPre-Setup: The driver %s has already stopped.Win32 Error: %u - Pre-Setup: Failed to stop %s driverPre-Setup: The driver %s has been stopped.uninstall Pre-Setup: Driver installer path is invalid.Pre-Setup: Not enough memory while trying to create driver uninstallation commandWin32 Error: %u - Pre-Setup: Driver un-installation [%s] has failed. Installer output [%s]Win32 Error: %u - Pre-Setup: Driver un-installation [%s] has failed. Installer output [%s]. Installer exit code: %dPre-Setup: Driver uninstallation [%s] has completed. Driver installer output [%s]Pre-Setup: Failed to construct driver package pathWin32 Error: %u - Pre-Setup: Failed to get the parent directory path"" /Insufficient memory while trying to create driver installation/uninstallation commandWin32 Error: %u - Pre-Setup: Failed to remove driver service for %sPre-Setup: Driver service for %s does not existWin32 Error: %u - Pre-Setup: Failed to stop the %s driverWin32 Error: %u - Pre-Setup: Failed to delete %s driver serviceWin32 Error: %u - Pre-Setup: Failed to query the existence of the driver "%s"Win32 Error: %u - I
Source: unknown Process created: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe "C:\Users\user\Desktop\QualysCloudAgent (Windows).exe"
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe Section loaded: kernel.appcore.dll Jump to behavior
Source: QualysCloudAgent (Windows).exe Static PE information: certificate valid
Source: QualysCloudAgent (Windows).exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QualysCloudAgent (Windows).exe Static file information: File size 19191616 > 1048576
Source: QualysCloudAgent (Windows).exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13a000
Source: QualysCloudAgent (Windows).exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10c4000
Source: QualysCloudAgent (Windows).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QualysCloudAgent (Windows).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QualysCloudAgent (Windows).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QualysCloudAgent (Windows).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QualysCloudAgent (Windows).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QualysCloudAgent (Windows).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: QualysCloudAgent (Windows).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: QualysCloudAgent (Windows).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\x64\Release\QASetupHost.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\Release\QASetupHost.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\Release\CloudAgentInstaller.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\agent\_work\9\s\build\ship\x86\wixca.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\Win32\Release\QACustomAction.pdb source: QualysCloudAgent (Windows).exe
Source: Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.1\CloudAgentInstaller\x64\Release\QACustomAction.pdb source: QualysCloudAgent (Windows).exe
Source: QualysCloudAgent (Windows).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QualysCloudAgent (Windows).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QualysCloudAgent (Windows).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QualysCloudAgent (Windows).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QualysCloudAgent (Windows).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe File created: C:\ProgramData\Qualys\QualysAgent\InstallerLogs\CloudAgentInstaller.log Jump to behavior
Source: C:\Users\user\Desktop\QualysCloudAgent (Windows).exe Code function: 0_2_009E6B12 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_009E6B12
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1562263 Sample: QualysCloudAgent (Windows).exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 1 5 QualysCloudAgent (Windows).exe 10 2->5         started        process3 7 conhost.exe 5->7         started       
No contacted IP infos