Windows Analysis Report
Verus.exe

Overview

General Information

Sample name: Verus.exe
Analysis ID: 1533001
MD5: 9639830d1a300d2e4c409c5809374039
SHA1: 69a8860b3e95de30f7abb485d11908c4deceff68
SHA256: 6d7a6e7c674e93b337ed751614e214ab6430a4c4ae5a9811c3ed3fdac5e0ae59
Tags: exeuser-4k95m
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Found malware configuration
Source: Verus.exe.7416.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["enginenek.buzz", "ehticsprocw.sbs", "allocatinow.sbs", "vennurviot.sbs", "mathcucom.sbs", "resinedyw.sbs", "enlargkiw.sbs", "condifendteu.sbs", "drawwyobstacw.sbs"], "Build id": "yau6Na--1816906785"}
Multi AV Scanner detection for domain / URL
Source: condifendteu.sbs Virustotal: Detection: 17% Perma Link
Source: vennurviot.sbs Virustotal: Detection: 17% Perma Link
Source: drawwyobstacw.sbs Virustotal: Detection: 17% Perma Link
Source: ehticsprocw.sbs Virustotal: Detection: 15% Perma Link
Source: mathcucom.sbs Virustotal: Detection: 20% Perma Link
Source: resinedyw.sbs Virustotal: Detection: 17% Perma Link
Source: enlargkiw.sbs Virustotal: Detection: 17% Perma Link
Source: allocatinow.sbs Virustotal: Detection: 19% Perma Link
Source: sergei-esenin.com Virustotal: Detection: 17% Perma Link
Source: allocatinow.sbs Virustotal: Detection: 19% Perma Link
Source: enlargkiw.sbs Virustotal: Detection: 17% Perma Link
Source: drawwyobstacw.sbs Virustotal: Detection: 17% Perma Link
Source: mathcucom.sbs Virustotal: Detection: 20% Perma Link
Source: https://enginenek.buzz/api Virustotal: Detection: 8% Perma Link
Source: https://vennurviot.sbs/api Virustotal: Detection: 17% Perma Link
Source: ehticsprocw.sbs Virustotal: Detection: 15% Perma Link
Source: https://drawwyobstacw.sbs/api Virustotal: Detection: 17% Perma Link
Source: condifendteu.sbs Virustotal: Detection: 17% Perma Link
Source: https://mathcucom.sbs/ Virustotal: Detection: 20% Perma Link
Source: https://allocatinow.sbs/api Virustotal: Detection: 19% Perma Link
Source: https://resinedyw.sbs/ Virustotal: Detection: 17% Perma Link
Source: https://resinedyw.sbs/api Virustotal: Detection: 17% Perma Link
Source: https://ehticsprocw.sbs/. Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for submitted file
Source: Verus.exe Virustotal: Detection: 8% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.3% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: condifendteu.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: vennurviot.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: resinedyw.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: enlargkiw.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: allocatinow.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: mathcucom.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: enginenek.buzz
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp String decryptor: yau6Na--1816906785
Uses 32bit PE files
Source: Verus.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00420B80 SendMessageW,SendMessageW,SendMessageW,GetModuleFileNameW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcpyW,SendMessageW,lstrcmpW,SendMessageW,SendMessageW,FindNextFileW,FindClose, 0_2_00420B80
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004BD1D0 FindFirstFileW,lstrcmpW,lstrcmpW, 0_2_004BD1D0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0045D260 lstrcpyW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,FindClose, 0_2_0045D260
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-3643ABD5h] 0_2_00B7F0A0
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_00B7D070
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], C85F7986h 0_2_00B7D070
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h 0_2_00B70050
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h 0_2_00B92160
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then jmp ecx 0_2_00B702E3
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 0_2_00B922C0
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00B57260
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00B72350
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then movzx edi, byte ptr [ecx] 0_2_00B614B3
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+14h] 0_2_00B5F430
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then movzx edi, byte ptr [esp+ebx+04h] 0_2_00B5F430
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then jmp eax 0_2_00B62418
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-73239D8Bh] 0_2_00B7D460
Source: C:\Users\user\Desktop\Verus.exe Code function: 4x nop then mov eax, ebx 0_2_00B61566

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.4:61189 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.4:49739 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.4:57419 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.4:49745 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.4:49741 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.4:63793 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.4:55426 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.4:54020 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.4:59480 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.4:49743 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.4:49746 -> 172.67.141.136:443
Source: Network traffic Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.4:63303 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.4:59559 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49748 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49750 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49745 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49746 -> 172.67.141.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 172.67.141.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49743 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49749 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 104.21.53.8:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: enginenek.buzz
Source: Malware configuration extractor URLs: ehticsprocw.sbs
Source: Malware configuration extractor URLs: allocatinow.sbs
Source: Malware configuration extractor URLs: vennurviot.sbs
Source: Malware configuration extractor URLs: mathcucom.sbs
Source: Malware configuration extractor URLs: resinedyw.sbs
Source: Malware configuration extractor URLs: enlargkiw.sbs
Source: Malware configuration extractor URLs: condifendteu.sbs
Source: Malware configuration extractor URLs: drawwyobstacw.sbs
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enginenek.buzz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=GuC2Zbqa.VDQ6OeaRKUXKu9e65jd8FQJg5PAo5ZMINA-1728891688-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: enginenek.buzz
Source: global traffic DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enginenek.buzz
Source: Verus.exe String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Verus.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Verus.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Verus.exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Verus.exe String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micK)
Source: Verus.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Verus.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Verus.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Verus.exe String found in binary or memory: http://ocsp.digicert.com0
Source: Verus.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Verus.exe String found in binary or memory: http://ocsp.entrust.net02
Source: Verus.exe String found in binary or memory: http://ocsp.entrust.net03
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: Verus.exe String found in binary or memory: http://www.FeyTools.com
Source: Verus.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Verus.exe String found in binary or memory: http://www.entrust.net/rpa03
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/a
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/api
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/s
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akam
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamsta
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.coD
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4Ok
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3v/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_resp
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condifendteu.sbs/api
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawwyobstacw.sbs/api
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawwyobstacw.sbs/api/
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawwyobstacw.sbs/api7j
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ehticsprocw.sbs/.
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ehticsprocw.sbs/api
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/
Source: Verus.exe, 00000000.00000003.1919482655.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000002.2123122400.000000000074E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/
Source: Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/api
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: Verus.exe, 00000000.00000002.2123122400.000000000074E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api/Tew
Source: Verus.exe, 00000000.00000002.2123122400.0000000000796000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apita
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: Verus.exe, 00000000.00000003.1978794248.0000000000798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: Verus.exe, 00000000.00000003.1978794248.0000000000798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/J
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/M
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/T
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/_
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/api
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/apis
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/q
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: Verus.exe String found in binary or memory: https://www.entrust.net/rpa0
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49750 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004468C0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,DragQueryFileW,DragQueryFileW,DragQueryFileW,CloseClipboard, 0_2_004468C0
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004468C0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,DragQueryFileW,DragQueryFileW,DragQueryFileW,CloseClipboard, 0_2_004468C0

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00BA9AF1 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00BA9AF1
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0042E530: _memset,CreateEventW,ResetEvent,WaitForSingleObject,CloseHandle,_memset,DeviceIoControl,GetLastError, 0_2_0042E530
Detected potential crypto function
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004A6509 0_2_004A6509
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004A62ED 0_2_004A62ED
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004A8373 0_2_004A8373
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004A632F 0_2_004A632F
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0042E530 0_2_0042E530
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0042A650 0_2_0042A650
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004406C0 0_2_004406C0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004788E0 0_2_004788E0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0045CB70 0_2_0045CB70
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00476C50 0_2_00476C50
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00418DA0 0_2_00418DA0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0048EE30 0_2_0048EE30
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0048F030 0_2_0048F030
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00453190 0_2_00453190
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0048F430 0_2_0048F430
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0041D4D0 0_2_0041D4D0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0041D5C0 0_2_0041D5C0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0041D6A9 0_2_0041D6A9
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0041D7A0 0_2_0041D7A0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00493978 0_2_00493978
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004B9E30 0_2_004B9E30
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004A5F58 0_2_004A5F58
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B506F3 0_2_00B506F3
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00BA9AF1 0_2_00BA9AF1
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B75080 0_2_00B75080
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B67007 0_2_00B67007
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B50001 0_2_00B50001
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B7D070 0_2_00B7D070
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B5F040 0_2_00B5F040
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B6C106 0_2_00B6C106
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B6E106 0_2_00B6E106
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B552E0 0_2_00B552E0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B963E0 0_2_00B963E0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B72350 0_2_00B72350
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B684F2 0_2_00B684F2
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B8D4E0 0_2_00B8D4E0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B5F430 0_2_00B5F430
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B59440 0_2_00B59440
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B5B566 0_2_00B5B566
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Verus.exe Code function: String function: 00415400 appears 44 times
Source: C:\Users\user\Desktop\Verus.exe Code function: String function: 00444320 appears 92 times
Source: C:\Users\user\Desktop\Verus.exe Code function: String function: 00479110 appears 52 times
Source: C:\Users\user\Desktop\Verus.exe Code function: String function: 00491E54 appears 94 times
Source: C:\Users\user\Desktop\Verus.exe Code function: String function: 00476150 appears 49 times
One or more processes crash
Source: C:\Users\user\Desktop\Verus.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1812
PE / OLE file has an invalid certificate
Source: Verus.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Verus.exe Binary or memory string: OriginalFilename vs Verus.exe
Source: Verus.exe, 00000000.00000003.1877634347.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFeyWriter.exe4 vs Verus.exe
Source: Verus.exe, 00000000.00000000.1720934904.00000000005BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFeyWriter.exe4 vs Verus.exe
Source: Verus.exe Binary or memory string: OriginalFilenameFeyWriter.exe4 vs Verus.exe
Uses 32bit PE files
Source: Verus.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/5@11/9
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00424350 ShowWindow,GetDiskFreeSpaceExW,DestroyWindow, 0_2_00424350
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B50E03 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle, 0_2_00B50E03
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0043F0B0 CoCreateInstance, 0_2_0043F0B0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00456840 FindResourceW,SizeofResource,LoadResource,LockResource,__aligned_recalloc,GlobalUnlock, 0_2_00456840
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7416
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\62670c39-8b41-4c3f-abb1-43f1907094d8 Jump to behavior
Source: Verus.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Verus.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Verus.exe Virustotal: Detection: 8%
Source: Verus.exe String found in binary or memory: ::/how_to_use/working_with_projects/add_boot_image.html
Source: Verus.exe String found in binary or memory: )@isoUntitledDisc Images (*.iso)*.isoFeyWriter::/how_to_use/working_with_projects/add_boot_image.htmladdbootimage%d %d0x%xP
Source: C:\Users\user\Desktop\Verus.exe File read: C:\Users\user\Desktop\Verus.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Verus.exe "C:\Users\user\Desktop\Verus.exe"
Source: C:\Users\user\Desktop\Verus.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1812
Source: C:\Users\user\Desktop\Verus.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: Verus.exe Static file information: File size 2394152 > 1048576
Source: Verus.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x155a00
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0042E6D0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042E6D0
PE file contains an invalid checksum
Source: Verus.exe Static PE information: real checksum: 0x1c2201a should be: 0x257377
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004962A1 push ecx; ret 0_2_004962B4
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0042B548 push esp; iretd 0_2_0042B549
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00449769 pushfd ; retf 0002h 0_2_00449771
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0044D0E0 IsWindowVisible,IsZoomed,IsIconic,IsZoomed,GetWindowRect,IsZoomed, 0_2_0044D0E0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00475810 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00475810
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Verus.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Verus.exe API coverage: 0.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Verus.exe TID: 7596 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Verus.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00420B80 SendMessageW,SendMessageW,SendMessageW,GetModuleFileNameW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcpyW,SendMessageW,lstrcmpW,SendMessageW,SendMessageW,FindNextFileW,FindClose, 0_2_00420B80
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004BD1D0 FindFirstFileW,lstrcmpW,lstrcmpW, 0_2_004BD1D0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0045D260 lstrcpyW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,FindClose, 0_2_0045D260
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000002.2123122400.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Verus.exe, 00000000.00000002.2123122400.000000000074E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Verus.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Verus.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004911AA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004911AA
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0042E6D0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042E6D0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B506F3 mov edx, dword ptr fs:[00000030h] 0_2_00B506F3
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B50CB3 mov eax, dword ptr fs:[00000030h] 0_2_00B50CB3
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B51063 mov eax, dword ptr fs:[00000030h] 0_2_00B51063
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B51303 mov eax, dword ptr fs:[00000030h] 0_2_00B51303
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00B51302 mov eax, dword ptr fs:[00000030h] 0_2_00B51302
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_00490B59 GetProcessHeap,HeapFree, 0_2_00490B59
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004911AA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004911AA
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004958B6 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004958B6

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: Verus.exe String found in binary or memory: drawwyobstacw.sbs
Source: Verus.exe String found in binary or memory: ehticsprocw.sbs
Source: Verus.exe String found in binary or memory: condifendteu.sbs
Source: Verus.exe String found in binary or memory: resinedyw.sbs
Source: Verus.exe String found in binary or memory: vennurviot.sbs
Source: Verus.exe String found in binary or memory: allocatinow.sbs
Source: Verus.exe String found in binary or memory: enlargkiw.sbs
Source: Verus.exe String found in binary or memory: enginenek.buzz
Source: Verus.exe String found in binary or memory: mathcucom.sbs
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Verus.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0045C7B0 SHGetFileInfoW,lstrcpyW,GetLocalTime,SystemTimeToFileTime,FileTimeToDosDateTime,SendMessageW, 0_2_0045C7B0
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_004BC690 GetTimeZoneInformation, 0_2_004BC690
Source: C:\Users\user\Desktop\Verus.exe Code function: 0_2_0044F760 _memset,SystemParametersInfoW,_memset,GetObjectW,lstrcmpW,CreateFontIndirectW,DeleteObject,DeleteObject,DeleteObject,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetWindowDC,SelectObject,DrawTextW,DrawTextW,SetRectEmpty,DrawTextW,SelectObject,_memset,GetVersionExW,SystemParametersInfoW,SystemParametersInfoW,ReleaseDC, 0_2_0044F760
Source: C:\Users\user\Desktop\Verus.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1533001 Sample: Verus.exe Startdate: 14/10/2024 Architecture: WINDOWS Score: 100 15 vennurviot.sbs 2->15 17 steamcommunity.com 2->17 19 9 other IPs or domains 2->19 27 Multi AV Scanner detection for domain / URL 2->27 29 Suricata IDS alerts for network traffic 2->29 31 Found malware configuration 2->31 33 8 other signatures 2->33 7 Verus.exe 2->7         started        signatures3 process4 dnsIp5 21 sergei-esenin.com 104.21.53.8, 443, 49749, 49750 CLOUDFLARENETUS United States 7->21 23 vennurviot.sbs 172.67.140.193, 443, 49743 CLOUDFLARENETUS United States 7->23 25 7 other IPs or domains 7->25 10 WerFault.exe 21 16 7->10         started        process6 file7 13 C:\ProgramData\Microsoft\...\Report.wer, Unicode 10->13 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.53.8
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true
188.114.97.3
 drawwyobstacw.sbs European Union
13335 CLOUDFLARENETUS true
172.67.173.224
 ehticsprocw.sbs United States
13335 CLOUDFLARENETUS true
188.114.96.3
 mathcucom.sbs European Union
13335 CLOUDFLARENETUS true
172.67.152.13
 enlargkiw.sbs United States
13335 CLOUDFLARENETUS true
172.67.141.136
 condifendteu.sbs United States
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
172.67.205.156
 resinedyw.sbs United States
13335 CLOUDFLARENETUS true
172.67.140.193
 vennurviot.sbs United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
condifendteu.sbs 172.67.141.136 true
steamcommunity.com 104.102.49.254 true
vennurviot.sbs 172.67.140.193 true
drawwyobstacw.sbs 188.114.97.3 true
mathcucom.sbs 188.114.96.3 true
enginenek.buzz 188.114.97.3 true
sergei-esenin.com 104.21.53.8 true
ehticsprocw.sbs 172.67.173.224 true
resinedyw.sbs 172.67.205.156 true
enlargkiw.sbs 172.67.152.13 true
allocatinow.sbs unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
enlargkiw.sbs true unknown
allocatinow.sbs true unknown
drawwyobstacw.sbs true unknown
mathcucom.sbs true unknown
https://enginenek.buzz/api true unknown
https://steamcommunity.com/profiles/76561199724331900 true
  • URL Reputation: malware
 unknown
https://vennurviot.sbs/api true unknown
ehticsprocw.sbs true unknown
condifendteu.sbs true unknown
https://drawwyobstacw.sbs/api true unknown
enginenek.buzz true unknown
https://resinedyw.sbs/api true unknown
https://mathcucom.sbs/api true
    		unknown
    resinedyw.sbs true
      		unknown
      vennurviot.sbs true
        		unknown