IOC Report
file.exe

Files

File Path | Type | Category | Malicious
file.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_ba8a8a594ca8fa23cd1d4e3bee6863e38899ac_1ee2fc52_23d44693-564a-4aac-9380-f748fbd747a5\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dll[1] | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1] | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Temp\23RE4w32fN\Bunifu_UI_v1.5.3.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA17.tmp.dmp | Mini DuMP crash report, 14 streams, Sat Nov 30 06:29:34 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB41.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB61.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\download[1].htm | very short file (no magic) | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\add[1].htm | very short file (no magic) | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\download[1].htm | very short file (no magic) | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\fuckingdllENCR[1].dll | data | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\key[1].htm | ASCII text, with no line terminators | dropped |
C:\Users\user\Desktop\Cleaner.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Sat Nov 30 05:29:33 2024, mtime=Sat Nov 30 05:29:33 2024, atime=Sat Nov 30 05:29:33 2024, length=1502720, window=hide | modified |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\file.exe | "C:\Users\user\Desktop\file.exe" | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 644 |

URLs

Name | IP | Malicious
http://185.156.72.65/soft/download | 185.156.72.65 |
http://upx.sf.net | unknown |
http://185.156.72.65/dll/key | 185.156.72.65 |
http://185.156.72.65/files/download | 185.156.72.65 |
http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174 | unknown |
https://iplogger.org/1Pz8p7 | unknown |
https://g-cleanit.hk | unknown |
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub | 185.156.72.65 |
http://185.156.72.65/dll/download | 185.156.72.65 |

IPs

IP | Domain | Country | Malicious
185.156.72.65 | unknown | Russian Federation | malicious

Registry

Path | Value | Malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | ProgramId | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | FileId | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | LowerCaseLongPath | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | LongPathHash | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | Name | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | OriginalFileName | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | Publisher | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | Version | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | BinFileVersion | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | BinaryType | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | ProductName | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | ProductVersion | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | LinkDate | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | BinProductVersion | malicious
\REGISTRY\A\{bbd77309-5da0-d09f-93e6-9d17547ba310}\Root\InventoryApplicationFile\file.exe|634507f567776d77 | AppxPackageFullName |