Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756298
MD5: f39dbbcdcaac9c8d2039b855c752c214
SHA1: ab36da0a55feab685587c52bce5268fca7ef0e23
SHA256: 12675d0f7c4a8d729eda453ad01697b0790f2921258e9befc54cf9327156aa10
Tags: exe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Writes to foreign memory regions
Checks if browser processes are running
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to compare user and computer (likely to detect sandboxes)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 33% Perma Link
Antivirus detection for URL or domain
Source: http://c2csosi228d.com/ Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\jdggfai Joe Sandbox ML: detected
Source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://s2scomm20.com/", "http://c2csosi228d.com/", "http://xdd42sdfsdf.com/"]}
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE1765 lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 10_2_00CE1765
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 10_2_00CE118D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 12_2_009D245E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D2404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA, 12_2_009D2404
Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 12_2_009D263E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A126D CryptBinaryToStringA,CryptBinaryToStringA, 14_2_003A126D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D25A4 CryptBinaryToStringA,CryptBinaryToStringA, 16_2_007D25A4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 16_2_007D2799
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00571314 lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 20_2_00571314
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: C:\cas-rih_casur\velinimuc luzotumez14.pdb source: file.exe, jdggfai.1.dr
Source: Binary string: bC:\cas-rih_casur\velinimuc luzotumez14.pdb0f source: file.exe, jdggfai.1.dr
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE14D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 10_2_00CE14D8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE13FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose, 10_2_00CE13FE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE15BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 10_2_00CE15BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1939 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,wsprintfW,wsprintfW,RtlZeroMemory,lstrcat,StrToIntA,PathMatchSpecW,FindNextFileW,FindClose, 14_2_003A1939
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1936 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,FindNextFileW,FindClose, 14_2_003A1936
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A217C FindFirstFileW,FindNextFileW,FindClose, 14_2_003A217C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1FFD FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 14_2_003A1FFD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1B5B GetTempPathW,lstrcatW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,wsprintfW,CreateFileW,GetFileSize,ReadFile,CloseHandle,DeleteFileW, 14_2_003A1B5B

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: r3oidsofsios.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://s2scomm20.com/
Source: Malware configuration extractor URLs: http://c2csosi228d.com/
Source: Malware configuration extractor URLs: http://xdd42sdfsdf.com/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LVLT-10753US LVLT-10753US
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.246.221.151 185.246.221.151
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kqgkblakc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ryjwkat.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ewfonmrybp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hraesy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 179Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vqnwxa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 307Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sqyiaue.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 288Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cygghp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 217Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dtxwodx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wypuksbjb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qgjuekrsef.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rlovsbdvn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 350Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ugjjaam.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://poflgkd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vshacsl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kabjenh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 227Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vyukg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xnfwjbsuvp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 288Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nvftibg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://okade.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 252Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iungf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 300Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bhqtkqlvvb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://whvkq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rspyhp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 161Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jvjyarecuw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hrxqxa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uwoxt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bqruytosp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lclth.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 257Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vreqndf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:31 GMTServer: Apache/2.4.41 (Ubuntu)Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 32 37 34 66 65 0d 0a 2f 00 00 00 8f 3b 41 39 46 2c cf 62 b4 69 4c 7a ea be ee 06 5f 4c ee 8e a8 e1 af 06 13 a0 cc 71 e9 ea 11 2f 96 e3 88 cb 32 b7 9a 95 e1 3c f7 13 c7 f8 58 00 ca 74 02 00 1c ac 2b da 00 0b 07 00 09 00 34 00 00 01 54 b5 a6 04 fa 19 13 50 fe ad bf fe 50 01 0b 00 6b 6d 9b a1 be 47 6b 95 bb 2f 20 d4 c8 8f 3e f9 48 d9 5d 6d 65 6d 75 16 dc 93 04 9a 4e 3d 6e 00 a7 fb c4 e6 ba 10 81 4e de c9 81 63 bd 6b c1 21 12 08 03 82 92 b9 66 33 2c c4 d8 a4 26 81 d2 23 e6 f5 f0 39 01 b1 f6 c3 ff ed 03 02 bb a2 cb aa 25 f7 50 36 a5 43 cb 97 a8 89 2f 73 18 41 7c 38 c8 25 6c e3 2a 3c 5c 31 22 93 fa eb 08 47 0a cb 81 c7 f6 64 05 28 c2 6a 21 d2 ce 9f ad 76 7d 4a 1a d8 92 2f 8c 78 c6 24 f2 d6 cf 6b fb c5 e7 05 b0 1f 95 8d a2 26 fc ad 77 7d 1f 5b 65 2f 3f 20 47 56 ae f1 94 d8 e8 af 02 9c 35 87 be c3 a6 6b 91 75 5d 48 ac 3a 7e a2 d9 1c ad 62 4f e2 8d fa e3 a9 4d d6 02 65 2c a5 97 c6 61 03 59 fc 1d d4 88 16 72 64 45 ef 71 50 7d 98 6f 6e 3b 4c 4a 24 46 46 d2 e5 01 0f 29 c5 77 b5 91 d2 cf 70 47 4e 70 90 b9 1a e8 a3 c8 f4 35 b3 7d 94 47 eb 9e 1c 83 1b 9f 2b 04 01 20 1b 5d 82 c5 96 4e c0 54 3b 64 88 1b 82 ad a0 f7 12 e2 23 b3 67 bd 67 b8 6c d5 2e df 89 bb 99 b8 f8 a8 37 72 14 26 37 4c 36 33 93 ea 14 9f fc 79 88 6c 52 f9 4b a8 4b 79 72 fe 17 4a 97 56 fc 2c 49 19 fe ac 9b 63 57 59 57 b2 6d 42 86 48 71 26 85 c8 e9 46 b3 be 7d 6e 49 77 a0 bc d7 28 3b 4d 72 ba 0f 96 20 d8 e2 f0 06 2a 13 f4 31 f3 75 9d 49 ed a3 a9 16 2a be 8b 64 65 69 55 b5 88 be 3d 47 b3 fd d6 b1 69 98 52 de 77 cb ee 26 12 15 57 48 43 74 87 cc a7 87 b5 da 57 bd 62 db 5b 02 16 5b 43 da 83 e9 7d eb 69 ba cb 94 e0 d3 9c 36 d6 e8 5e 61 b8 d3 7c 0b 4f 5f d4 5f 20 84 6f 29 33 35 f8 06 1c 4b 74 4f 8b c3 37 09 e9 f0 3f 99 f4 29 aa d7 6c e4 9b 7d 8d 35 38 05 d8 ed 28 87 b4 7c 23 20 1a 4c 17 4f d3 f2 78 47 99 4d 46 4c ff 34 b5 cf ce 58 f4 58 6b ff 58 95 63 70 fe 45 7b 44 6a 9d 01 70 a4 96 d5 37 e9 53 35 1c ec 0d 77 3d 02 33 8a 5d 4f 02 f9 f2 29 23 5a ba c1 49 cd e4 b9 8f de 25 c8 51 82 ca ba 10 3a 0d e9 c9 3c 79 23 63 02 10 48 3f 91 d7 9d ee 95 29 de 70 a0 eb 9f 55 33 e8 17 3e 67 82 d3 5f 4a b1 d1 1c b2 35 6f e1 d4 36 68 1c b3 19 84 3c 49 ae 3a bf 98 c3 68 29 98 be f9 8d 66 0e 59 d3 88 1d a4 ea 06 bc 7f ab de 5a 8a 42 d8 ab 4a ed 7b 02 99 5f 31 df c6 ae 1b 3c a7 00 1c 42 02 01 1b 9b b8 5a 93 aa ba 49 d3 17 c5 0a f3 97 e0 63 f3 d1 e5 b9 41 bb 2a 06 24 ad af b9 25 17 3b f1 9b 84 1e ce 34 9c 3a 66 91 81 a2 ef 69 19 74 61 e8 33 37 39 af ed b1 65 c2 c3 f9 b0 fa f4 1c 64 c9 43 62 b0 fb e1 82 2e 1e ff a9 5b 8f 2c 06 1c 99 47 12 ba b9 cb de a6 fb 99 d6 48 4c ef 17 cd 38 c0 b1 f7 5c 4d 17 a5 55 86 f6 0f 6e 91 4f 16 df 22 08 2a 6e 37 d0 e4 00 c5 68 60 4a 30 1a 94 6b 3c 70 15 50 86 ac e2 b2 6c 59 c9 04 da 97 f7 61 7d 85 31 2d cb 9f 14 c0 72 fd 91 84 ff e6 9b 97 bb 1d 2c 7e fc 66 96 1e 85 41 67 5c 41 d7 d5 63 7c 55 a6 73 68 f1 7b 06 63
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:34 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:35 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:35 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:37 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:37 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:37 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:38 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:38 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:38 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:38 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:39 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:39 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:40 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 23:12:40 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Referer: %SHost: %shttp://yandex.ru/yandsearchhttp://www.google.com/searchhttp://go.mail.ru/searchhttp://nova.rambler.ru/searchhttp://search.aol.com/aol/searchhttp://search.yahoo.com/search; WOW64; Win64; x64; Trident/7.0; rv:11.0) like Gecko; rv:58.0) Gecko/20100101 Firefox/58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Mozilla/5.0 (Windows NT %d.%d%s%s/<ahref"' >%s%s%shttp:,FFddos_rules=|:|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoConnection: close equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Referer: %SHost: %shttp://yandex.ru/yandsearchhttp://www.google.com/searchhttp://go.mail.ru/searchhttp://nova.rambler.ru/searchhttp://search.aol.com/aol/searchhttp://search.yahoo.com/search; WOW64; Win64; x64; Trident/7.0; rv:11.0) like Gecko; rv:58.0) Gecko/20100101 Firefox/58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Mozilla/5.0 (Windows NT %d.%d%s%s/<ahref"' >%s%s%shttp:,FFddos_rules=|:|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoConnection: close equals www.yahoo.com (Yahoo)
Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://go.mail.ru/search
Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://nova.rambler.ru/search
Source: explorer.exe, 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.408629568.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.508519891.0000000001039000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.509151416.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.414672467.0000000000F50000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.508405258.0000000001268000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.509492375.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.508629995.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.425875513.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://r3oidsofsios.com/
Source: explorer.exe, 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.408629568.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.508519891.0000000001039000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.509151416.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.414672467.0000000000F50000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.508405258.0000000001268000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.509492375.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.508629995.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.425875513.0000000000AE0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://r3oidsofsios.com/Mozilla/5.0
Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://search.aol.com/aol/search
Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://search.yahoo.com/search
Source: explorer.exe, explorer.exe, 0000000F.00000002.507850080.00000000031D1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.google.com/search
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kqgkblakc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: r3oidsofsios.com
Source: unknown DNS traffic detected: queries for: r3oidsofsios.com
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_031D1F2A recv, 15_2_031D1F2A

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4584, type: MEMORYSTR
Source: Yara match File source: 9.2.jdggfai.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.jdggfai.6f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.jdggfai.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.388354905.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.245341240.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D162B GetKeyboardState,ToUnicode, 16_2_007D162B

E-Banking Fraud
barindex
Checks if browser processes are running
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, firefox.exe 10_2_00CE38EA
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, iexplore.exe 10_2_00CE38EA
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, microsoftedgecp.exe 10_2_00CE38EA
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, chrome.exe 10_2_00CE38EA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_0057226C CreateDesktopW,SetThreadDesktop,RtlZeroMemory,RtlZeroMemory,CreateProcessW,ResumeThread, 20_2_0057226C

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.407040058.0000000000748000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.346601770.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.346812958.000000000060A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.406779661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000000.417608043.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000009.00000002.407040058.0000000000748000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000000.411589845.00000000009E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000F.00000000.420288650.00000000031E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.346601770.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.346812958.000000000060A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000000.423035885.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000014.00000000.428749130.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.406779661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000000.417608043.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000000.405631874.0000000000CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Contains functionality to shutdown / reboot the system
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00572171 StrStrIW,StrStrIW,RtlZeroMemory,ShellExecuteExW,StrStrIW,RtlAdjustPrivilege,ExitWindowsEx, 20_2_00572171
Detected potential crypto function
Source: C:\Windows\explorer.exe Code function: 11_2_00D173EF 11_2_00D173EF
Source: C:\Windows\explorer.exe Code function: 11_2_00D12450 11_2_00D12450
Source: C:\Windows\explorer.exe Code function: 11_2_00D12D60 11_2_00D12D60
Source: C:\Windows\explorer.exe Code function: 13_2_00F42860 13_2_00F42860
Source: C:\Windows\explorer.exe Code function: 13_2_00F42054 13_2_00F42054
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A803C 14_2_003A803C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A3D28 14_2_003A3D28
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003AE95C 14_2_003AE95C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003AF9F4 14_2_003AF9F4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003AC392 14_2_003AC392
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_031D142C 15_2_031D142C
Source: C:\Windows\explorer.exe Code function: 17_2_00AD2A04 17_2_00AD2A04
Source: C:\Windows\explorer.exe Code function: 17_2_00AD20F4 17_2_00AD20F4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00572ADD 20_2_00572ADD
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 003A8E70 appears 32 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401602 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401602
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401605 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401605
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401609 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401609
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401613
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401617 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401617
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004033CC GetModuleHandleA,GetModuleFileNameW,ExpandEnvironmentStringsW,CreateFileMappingW,GetKeyboardLayoutList,GetTokenInformation,ShellExecuteExW,NtOpenProcess,NtCreateSection,NtAllocateVirtualMemory,NtDuplicateObject,NtQueryInformationProcess,NtOpenKey,NtEnumerateKey,strstr,wcsstr,tolower,towlower, 0_2_004033CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015D4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015E0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015EA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004015EE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015EE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402693 NtOpenKey,NtEnumerateKey,NtEnumerateKey, 0_2_00402693
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE3DB7 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection, 10_2_00CE3DB7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE20A3 NtCreateSection,NtMapViewOfSection, 10_2_00CE20A3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE213A lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 10_2_00CE213A
Source: C:\Windows\explorer.exe Code function: 11_2_00D1527C RtlAllocateHeap,NtUnmapViewOfSection, 11_2_00D1527C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpi,CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep, 12_2_009D1016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D1819 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 12_2_009D1819
Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D1A80 NtCreateSection,NtMapViewOfSection, 12_2_009D1A80
Source: C:\Windows\explorer.exe Code function: 13_2_00F4355C RtlAllocateHeap,NtUnmapViewOfSection, 13_2_00F4355C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1EBE RtlMoveMemory,NtUnmapViewOfSection, 14_2_003A1EBE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_031D1016 WSAStartup,RtlMoveMemory,NtUnmapViewOfSection, 15_2_031D1016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, 16_2_007D1016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 16_2_007D18BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D1B26 NtCreateSection,NtMapViewOfSection, 16_2_007D1B26
Source: C:\Windows\explorer.exe Code function: 17_2_00AD370C RtlAllocateHeap,NtUnmapViewOfSection, 17_2_00AD370C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_005726A9 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection, 20_2_005726A9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00571C58 NtCreateSection,NtMapViewOfSection, 20_2_00571C58
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00571CEF OpenProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 20_2_00571CEF
PE file contains executable resources (Code or Archives)
Source: file.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: jdggfai.1.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Virustotal: Detection: 33%
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\jdggfai C:\Users\user\AppData\Roaming\jdggfai
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jdggfai Jump to behavior
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@20/3@29/1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE3BEA wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep, 10_2_00CE3BEA
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\cas-rih_casur\velinimuc luzotumez14.pdb source: file.exe, jdggfai.1.dr
Source: Binary string: bC:\cas-rih_casur\velinimuc luzotumez14.pdb0f source: file.exe, jdggfai.1.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\jdggfai Unpacked PE file: 9.2.jdggfai.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE4F87 push esp; iretd 10_2_00CE4F88
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE9265 push BD6C6D74h; retf 10_2_00CE9275
Source: C:\Windows\explorer.exe Code function: 11_2_00D114D4 push esi; ret 11_2_00D114D6
Source: C:\Windows\explorer.exe Code function: 11_2_00D17197 push esp; iretd 11_2_00D17198
Source: C:\Windows\explorer.exe Code function: 11_2_00D161A0 push eax; retf 11_2_00D161A1
Source: C:\Windows\explorer.exe Code function: 11_2_00D11405 push esi; ret 11_2_00D11407
Source: C:\Windows\explorer.exe Code function: 11_2_00D1C877 push edi; ret 11_2_00D1C878
Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_009D3417 push esp; iretd 12_2_009D3418
Source: C:\Windows\explorer.exe Code function: 13_2_00F414D4 push esi; ret 13_2_00F414D6
Source: C:\Windows\explorer.exe Code function: 13_2_00F445A7 push esp; iretd 13_2_00F445A8
Source: C:\Windows\explorer.exe Code function: 13_2_00F41405 push esi; ret 13_2_00F41407
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A8EB5 push ecx; ret 14_2_003A8EC8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003C598F push ebp; retf 14_2_003C59A7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_031D3527 push esp; iretd 15_2_031D3528
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_007D3627 push esp; iretd 16_2_007D3628
Source: C:\Windows\explorer.exe Code function: 17_2_00AD1405 push esi; ret 17_2_00AD1407
Source: C:\Windows\explorer.exe Code function: 17_2_00AD14D4 push esi; ret 17_2_00AD14D6
Source: C:\Windows\explorer.exe Code function: 17_2_00ADAC8D push esp; iretd 17_2_00ADAC95
Source: C:\Windows\explorer.exe Code function: 17_2_00ADAAD2 push ebp; iretd 17_2_00ADAAD3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_005743C7 push esp; iretd 20_2_005743C8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_00578DD2 push ebp; ret 20_2_00578E1E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_005793AB push FFFFFFFFh; retf 20_2_005793AD
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE1FA1 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, 10_2_00CE1FA1
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jdggfai Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jdggfai Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\jdggfai:Zone.Identifier read attributes | delete Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE38EA GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 10_2_00CE38EA
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 10_2_00CE38EA
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\SysWOW64\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5336 Thread sleep count: 650 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4564 Thread sleep count: 311 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4564 Thread sleep time: -31100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4536 Thread sleep count: 330 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4536 Thread sleep time: -33000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4388 Thread sleep count: 505 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4540 Thread sleep count: 225 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1868 Thread sleep count: 233 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1368 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1368 Thread sleep time: -38000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3896 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3896 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1840 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1840 Thread sleep time: -34000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3196 Thread sleep count: 327 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3196 Thread sleep time: -196200000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3196 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2308 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2308 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 4164 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 4164 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4728 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4728 Thread sleep time: -35000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 860 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 860 Thread sleep time: -33000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE16C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle, 10_2_00CE16C7
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 650 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 505 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\explorer.exe API coverage: 7.7 %
Source: C:\Windows\SysWOW64\explorer.exe API coverage: 9.4 %
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE14D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 10_2_00CE14D8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE13FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose, 10_2_00CE13FE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE15BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 10_2_00CE15BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1939 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,wsprintfW,wsprintfW,RtlZeroMemory,lstrcat,StrToIntA,PathMatchSpecW,FindNextFileW,FindClose, 14_2_003A1939
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1936 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,FindNextFileW,FindClose, 14_2_003A1936
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A217C FindFirstFileW,FindNextFileW,FindClose, 14_2_003A217C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1FFD FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 14_2_003A1FFD
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A1B5B GetTempPathW,lstrcatW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,wsprintfW,CreateFileW,GetFileSize,ReadFile,CloseHandle,DeleteFileW, 14_2_003A1B5B
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\explorer.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000001.00000000.323049259.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.294853901.000000000057A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.323241922.0000000007B66000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000001.00000003.301318590.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.262570544.0000000005EF4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000003.301318590.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
Source: explorer.exe, 00000001.00000000.344656957.0000000005F12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A9064 _memset,IsDebuggerPresent, 14_2_003A9064
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE16C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle, 10_2_00CE16C7
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003AE09A RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 14_2_003AE09A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE1FA1 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, 10_2_00CE1FA1
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE1000 GetProcessHeap,RtlAllocateHeap, 10_2_00CE1000
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00CE1FA1 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, 10_2_00CE1FA1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A8D3B SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_003A8D3B

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: jdggfai.1.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: r3oidsofsios.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: E2F380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: E2F380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: E2F380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: E2F380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: E2F380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: E2F380 Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\explorer.exe Memory written: PID: 1372 base: E2F380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 4452 base: 7FF75EDE8150 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 1836 base: E2F380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 4584 base: 7FF75EDE8150 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 3852 base: E2F380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 2088 base: E2F380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 4800 base: E2F380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 1776 base: 7FF75EDE8150 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 2464 base: E2F380 value: 90 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 2661A08 Jump to behavior
Source: C:\Users\user\AppData\Roaming\jdggfai Thread created: unknown EIP: 46B1A08 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\explorer.exe Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe 16_2_007D10A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe 16_2_007D1016
Source: explorer.exe, 00000001.00000000.337344155.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.257164062.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.295196336.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000001.00000000.323317074.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.301218048.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.344513618.00000000056F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.293996667.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.337344155.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.256788442.00000000004C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.337344155.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.257164062.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.295196336.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003AE7AC cpuid 14_2_003AE7AC
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_003A8878 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 14_2_003A8878
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_031D2297 RtlGetVersion,wsprintfA, 15_2_031D2297

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4584, type: MEMORYSTR
Source: Yara match File source: 9.2.jdggfai.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.jdggfai.6f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.jdggfai.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.388354905.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.245341240.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0000000D.00000002.507736401.0000000000F41000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.507826700.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4584, type: MEMORYSTR
Source: Yara match File source: 9.2.jdggfai.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.jdggfai.6f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.jdggfai.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.347095759.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.406829127.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.388354905.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346666685.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.407192385.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.245341240.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.338708718.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 756298 Sample: file.exe Startdate: 30/11/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 3 other signatures 2->44 7 file.exe 2->7         started        10 jdggfai 2->10         started        process3 signatures4 46 Detected unpacking (changes PE section rights) 7->46 48 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->48 50 Maps a DLL or memory area into another process 7->50 12 explorer.exe 3 7->12 injected 52 Machine Learning detection for dropped file 10->52 54 Checks if the current machine is a virtual machine (disk enumeration) 10->54 56 Creates a thread in another existing process (thread injection) 10->56 process5 dnsIp6 30 r3oidsofsios.com 185.246.221.151, 49715, 49716, 49717 LVLT-10753US Germany 12->30 26 C:\Users\user\AppData\Roaming\jdggfai, PE32 12->26 dropped 28 C:\Users\user\...\jdggfai:Zone.Identifier, ASCII 12->28 dropped 58 System process connects to network (likely due to code injection or exploit) 12->58 60 Benign windows process drops PE files 12->60 62 Injects code into the Windows Explorer (explorer.exe) 12->62 64 3 other signatures 12->64 17 explorer.exe 12->17         started        20 explorer.exe 12->20         started        22 explorer.exe 12->22         started        24 6 other processes 12->24 file7 signatures8 process9 signatures10 32 Found evasive API chain (may stop execution after checking mutex) 17->32 34 Checks if browser processes are running 17->34 36 Contains functionality to compare user and computer (likely to detect sandboxes) 17->36
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.246.221.151
 r3oidsofsios.com Germany
10753 LVLT-10753US true

Contacted Domains

Name IP Active
r3oidsofsios.com 185.246.221.151 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://s2scomm20.com/ true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://c2csosi228d.com/ true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://xdd42sdfsdf.com/ true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://r3oidsofsios.com/ false
  • Avira URL Cloud: safe
 unknown